[krbdev.mit.edu #5712] Random issue reported by Kevin

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Thu Sep 6 11:34:32 EDT 2007


Kevin Koch via RT wrote:
> I forgot to add that the real identity is the default identity in all 
> cases.  Never is testprinc the default identity.
> 
>> You are getting an error with a ticket that is near expiration.
>> Perhaps your VM clock and the server clock are off by a couple of
>> minutes and the service ticket is being rejected.  In this case
>> the ticket appears to be valid to the client according to its
>> clock and is invalid on the server.
>  
> testprinc is expired.  Not near expiration, expired.
> 
> This is happening on the host PC, not in a VM.

Attach a debugger and figure out what ccache is being given to
SecureCRT when it asks for one.  SecureCRT is only going to use
the ccache that it is given the first time it asks for the default
ccache.  This ccache is going to come from the krb5int_cc_default()
function.  It is not going to come from NIM unless krb5int_cc_default()
determines via a call to leashw32.dll that there are no valid
credentials in the ccache that is default for the SecureCRT.exe
process.

Note that each krb5_context has its own notion of the default ccache.
Once a krb5_context is assigned a default ccache the value set by
NIM becomes irrelevant.  The NIM default ccache is communicated to
krb5int_cc_default() via the registry.

  HKCU\SOFTWARE\MIT\Kerberos5\  "ccname"

If that value and NIM disagree about what the default ccache is,
that is a problem.  If not, the problem is not in NIM.

When NIM is queried it is always to prompt the user.  The obtain
new creds dialog is displayed.  The last identity the user obtained
creds for will be displayed as the default.  The user can enter
any Kerberos principal of her choosing.  If she wants an identity
that already has credentials she can simply enter the name and
press 'Ok'.  NIM will return the ccache name for that identity to
the requesting application.
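
The registry comparison described in the message above, as an added example that is not part of the original post or of MIT's code: it reads the "ccname" value under the key named there and compares it with the ccache name NIM displays as default. The `-NimDefault` parameter, the function names and the result labels are hypothetical; the "TYPE:residual" split follows standard krb5 ccache naming.

```powershell
# Added example (not from the original message or from MIT's code).
param(
    [Parameter(Mandatory = $true)]
    [string]$NimDefault   # ccache name NIM shows as default, typed in by the operator
)

$KeyPath   = 'HKCU:\SOFTWARE\MIT\Kerberos5'   # key named in the message
$ValueName = 'ccname'                         # value named in the message

function Get-RegistryCcname {
    # Returns the registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

function Split-Ccname {
    # Splits "TYPE:residual". A one-letter prefix is treated as a drive letter
    # (bare "C:\path"), so the type must be at least two characters long.
    param([string]$Name)
    $n = $Name.Trim()
    if ($n -match '^([A-Za-z][A-Za-z0-9]+):(.*)$') {
        return [pscustomobject]@{ Type = $Matches[1].ToUpper(); Residual = $Matches[2] }
    }
    return [pscustomobject]@{ Type = $null; Residual = $n }
}

function Compare-Ccname {
    # Residuals are compared case-sensitively because one can be a principal name.
    param([string]$Registry, [string]$Nim)
    if ([string]::IsNullOrWhiteSpace($Registry)) { return 'registry-unset' }
    $r = Split-Ccname $Registry
    $m = Split-Ccname $Nim
    if ($r.Residual -cne $m.Residual) { return 'mismatch' }
    if ($r.Type -eq $m.Type) { return 'match' }
    if ($null -eq $r.Type -or $null -eq $m.Type) { return 'match-type-omitted' }
    return 'mismatch'
}

$registryName = Get-RegistryCcname -Path $KeyPath -Name $ValueName
[pscustomobject]@{
    RegistryCcname = $registryName
    NimDefault     = $NimDefault
    Result         = Compare-Ccname -Registry $registryName -Nim $NimDefault
}
```

Run it as the same user that runs SecureCRT, since the value lives under HKCU. A `match` result here says nothing about a krb5_context that was already assigned its default ccache earlier.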
