Issues with Active Directory <-> MIT x-realm key replacement
jaltman at secure-endpoints.com
Thu Dec 9 01:15:26 EST 2010
On 12/8/2010 11:25 PM, Srinivas Cheruku wrote:
> What about the case when an MIT client is trying to access AD services after the cross-realm keys are changed? For example, the MIT client would have a service ticket krbtgt/AD@MIT encrypted with the older key, and when this ticket is presented to AD, AD will not be able to decrypt it, as I believe AD doesn't store old cross-realm passwords. Do you have any way to mitigate this, other than MIT users destroying their cache or waiting for the cross-realm ticket to expire?
Since we can't modify Active Directory, all that can be done is to reduce
the maximum lifetime of the krbtgt/AD@MIT service principal from its
normal production value (10 hours default) to ten minutes over the
preceding maximum lifetime. This ensures that the outage window will
not exceed ten minutes.
After the key replacement is complete, the maximum lifetime can be
restored to its normal production value.
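The lifetime reduction described above, as an added example that is not part of the original thread: a small wrapper around MIT `kadmin.local` that caps the cross-realm TGT lifetime before the key change and restores it afterwards. Realm names, the `DRY_RUN` switch and the function names are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): shrink the lifetime of the
# MIT -> AD cross-realm TGT ahead of a cross-realm key change, then restore it.
set -eu

MIT_REALM="${MIT_REALM:-MIT.EXAMPLE.COM}"   # assumed MIT realm name
AD_REALM="${AD_REALM:-AD.EXAMPLE.COM}"      # assumed AD realm name
KADMIN="${KADMIN:-kadmin.local}"            # kadmin.local on the MIT KDC
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the kadmin commands only

# Principal whose key is shared with AD; AD must be able to decrypt
# every ticket issued for it, so its lifetime bounds the outage window.
xrealm_princ() { printf 'krbtgt/%s@%s\n' "$AD_REALM" "$MIT_REALM"; }

# Run (or, in dry-run mode, print) one kadmin.local query.
kadm() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s -q %s\n' "$KADMIN" "$1"
  else
    "$KADMIN" -q "$1"
  fi
}

# Set the maximum ticket lifetime of the cross-realm principal.
# $1 is a kadmin getdate string such as "10 minutes" or "10 hours".
set_xrealm_maxlife() { kadm "modprinc -maxlife \"$1\" $(xrealm_princ)"; }

# prepare: cap new cross-realm tickets at ten minutes. Wait out the previous
#          maximum lifetime (10 hours by default) so tickets issued under the
#          old limit have expired, then change the key on both AD and MIT;
#          clients then hold at most ten minutes of undecryptable tickets.
# restore: put the production lifetime back once the key change is done.
# show:    inspect the principal's current attributes.
main() {
  case "${1:-}" in
    prepare) set_xrealm_maxlife "10 minutes" ;;
    restore) set_xrealm_maxlife "${2:-10 hours}" ;;
    show)    kadm "getprinc $(xrealm_princ)" ;;
    *) echo "usage: $0 prepare|restore [lifetime]|show" >&2; return 2 ;;
  esac
}

# Only dispatch when invoked with an action, so the functions can be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run `DRY_RUN=1 bash xrealm-maxlife.sh prepare` first to review the exact `kadmin.local` query before running it for real against the KDC.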