MSFT KDC renew behaviour

Paul Moore paul.moore at centrify.com
Fri Jan 6 20:09:23 EST 2006


MSFT will renew a tgt and give it an end-time that goes beyond the
original ticket's renew-until time. The renew-until time must not have
passed - that works correctly. But they will issue a new ticket with an
end time = to, say, Renew-until + 10 hours.
 
My reading of 1510 is that this is not correct. The 1510 pseudo code
says
 
new_tkt.endtime := min(tgt.renew-till, new_tkt.starttime + old_life);

Which says that 
A) the life time is not chosen by the client but is derived from the
original ticket (so I cannot work round the MSFT error by asking for a
shorter life time)
B) you cannot get a ticket with an end life that is > renew-until

So am I reading things right? Do you know if this is a 'well known
behaviour issue' for the MSFT KDC?
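
Added example, not part of the original post: a small checker that applies the renewal rule quoted above to an observed renewed ticket and reports deviations such as the one described. It assumes old_life is the old ticket's endtime minus its starttime, as in the RFC 1510 pseudocode; the Ticket type, function names and sample times are hypothetical and constructed for illustration.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple


class Ticket(NamedTuple):
    starttime: datetime
    endtime: datetime
    renew_till: datetime


def rfc1510_renewed_endtime(old: Ticket, kdc_time: datetime) -> datetime:
    """End time the quoted rule gives a ticket renewed at kdc_time."""
    if old.renew_till < kdc_time:
        raise ValueError("renew-till has passed; the ticket cannot be renewed")
    old_life = old.endtime - old.starttime  # lifetime comes from the old ticket
    return min(old.renew_till, kdc_time + old_life)


def audit_renewal(old: Ticket, new: Ticket) -> List[str]:
    """Compare an observed renewed ticket against the rule; return findings."""
    if old.renew_till < new.starttime:
        return ["renewed after renew-till had passed"]
    findings = []
    expected = rfc1510_renewed_endtime(old, new.starttime)
    if new.endtime > old.renew_till:
        over = new.endtime - old.renew_till
        findings.append(f"endtime exceeds original renew-till by {over}")
    if new.endtime != expected:
        findings.append(f"endtime is not the RFC 1510 value {expected.isoformat()}")
    return findings


# Constructed sample times (not taken from a real KDC trace).
UTC = timezone.utc
OLD = Ticket(datetime(2006, 1, 6, 10, tzinfo=UTC),   # starttime
             datetime(2006, 1, 6, 20, tzinfo=UTC),   # endtime: 10 hour life
             datetime(2006, 1, 7, 0, tzinfo=UTC))    # renew-till
RENEWED_AT = datetime(2006, 1, 6, 19, tzinfo=UTC)
# Behaviour described in the post: endtime = renew-till + 10 hours.
OBSERVED = Ticket(RENEWED_AT, datetime(2006, 1, 7, 10, tzinfo=UTC), OLD.renew_till)
# What the quoted rule would produce for the same renewal request.
COMPLIANT = Ticket(RENEWED_AT, rfc1510_renewed_endtime(OLD, RENEWED_AT), OLD.renew_till)

if __name__ == "__main__":
    for label, tkt in (("observed", OBSERVED), ("compliant", COMPLIANT)):
        print(label, audit_renewal(OLD, tkt) or "ok")
```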
 
 




