Issues with Active Directory <-> MIT x-realm key replacement

Jeffrey Altman jaltman at
Thu Dec 9 01:15:26 EST 2010

On 12/8/2010 11:25 PM, Srinivas Cheruku wrote:
> What about the case when an MIT client is trying to access AD services after the cross-realm keys are changed? For example, the MIT client would have a service ticket krbtgt/AD@MIT encrypted with the older key, and when this ticket is presented to AD, AD will not be able to decrypt it, as I believe AD doesn't store old cross-realm passwords. Do you have any way to mitigate this, other than MIT users destroying the cache or waiting for the cross-realm ticket to expire?
> Thanks,
> Srini

Since we can't modify Active Directory, all that can be done is to reduce
the maximum lifetime of the krbtgt/AD@MIT service principal from its
normal production value (10 hours default) to ten minutes over the
preceding maximum lifetime.  This ensures that the outage window will
not exceed ten minutes.

After the key replacement is complete the maximum lifetime can be
restored to its normal production value.

Jeffrey Altman
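
The staging described in the reply above, sketched as an added example that is not part of the original thread. It assumes MIT `kadmin.local` on the KDC and its `modprinc -maxlife` option with getdate-style lifetime strings; the function names are hypothetical, and `worst_case_outage` shows why the reduction has to be in place for a full normal lifetime before the key change.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes MIT kadmin.local on
# the KDC; the principal and the 10 hour / 10 minute values come from the
# message above. DRY_RUN=1 (the default) only prints the kadmin commands.
PRINC="${PRINC:-krbtgt/AD@MIT}"
DRY_RUN="${DRY_RUN:-1}"

# Print (dry run) or execute the kadmin query that sets the maximum ticket life.
set_maxlife() {  # $1 = lifetime string, e.g. "10 minutes"
    query="modprinc -maxlife \"$1\" $PRINC"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'kadmin.local -q %s\n' "'$query'"
    else
        kadmin.local -q "$query"
    fi
}

# Worst-case seconds an old-key ticket can remain valid after the key change.
# $1 = normal maxlife, $2 = reduced maxlife, $3 = lead time in seconds
# between lowering the maxlife and changing the key.
worst_case_outage() {
    left_from_old=$(( $1 - $3 ))   # ticket issued just before the lowering
    if [ "$left_from_old" -gt "$2" ]; then
        echo "$left_from_old"
    else
        echo "$2"                  # ticket issued just before the key change
    fi
}

# Dry-run walk-through of the three steps with the values from the message.
if [ "$DRY_RUN" = 1 ]; then
    NORMAL=36000   # 10 hours
    REDUCED=600    # 10 minutes
    echo "1. At least 10h before the key change: $(set_maxlife '10 minutes')"
    echo "   lead 10h -> outage <= $(worst_case_outage $NORMAL $REDUCED 36000)s"
    echo "   lead  4h -> outage <= $(worst_case_outage $NORMAL $REDUCED 14400)s"
    echo "2. Replace the cross-realm key on both sides."
    echo "3. Afterwards: $(set_maxlife '10 hours')"
fi
```

Lowering the lifetime only four hours ahead still leaves tickets issued under the old 10 hour limit with up to six hours to run, which is the case the second `worst_case_outage` line prints.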


More information about the krbdev mailing list