How does MIT Kerberos SDK work with MSLSA:

Douglas E. Engert deengert at anl.gov
Tue Jan 29 12:29:33 EST 2013



On 1/28/2013 10:17 PM, deepak kumar wrote:
> Hi All,
>
> I have been working on developing a Client and a Service application for
> Windows as a prototype. These prototypes should do Kerberos based mutual
> authentication where the client should authenticate using the logged on
> credentials of the logged in Windows user.
> I am using Kerberos for Windows 4.
>
> Now if I do klist MSLSA: on the command prompt, I get a list of service tickets
> like
> HOST/........
> LDAP/.......
> cifs/.......
>
> but I don't see any krbtgt (TGT).
> But the client application still works as long as there is any service
> ticket available (visible in klist).
> After a while the service tickets expire and klist starts returning an empty list.
> At this time the client application starts to fail saying the credential cache
> is empty..
>
> If I keep waiting for some time some other service ticket will
> automatically get generated and application will start working again.
>
> I know that setting the enabletgtseesionkey registry entry to true will allow
> us to see the TGT using klist, but we don't want to change any registry
> settings...

You mean allowtgtsessionkey?
  http://support.microsoft.com/kb/308339

Keep in mind that Windows is keeping the session key private so an
application cannot steal the TGT and misuse it. Yet the Windows
Kerberos/SSPI can get service tickets for applications without the
application requiring access to the TGT key.


The allowtgtsessionkey was a concession by Microsoft that there are
times when an application using some external Kerberos library needs
access to the session key.

>
> I want to know how the client application is working without a TGT, and why
> service tickets disappear after their expiry time. Is there any way to get them
> renewed automatically.

The TGT in the MSLSA can be renewable, see:
http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx

under: Renewable TGTs.


>
> Thanks
> Deepak
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
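The behaviour Deepak describes (no krbtgt entry visible, the cache going empty once the last service ticket expires) is easy to spot from klist output. The following script is an added example, not code from the thread or from MIT Kerberos: it parses text laid out like MIT klist's default output for a `klist MSLSA:` run, reports whether a TGT is visible, which tickets are still valid at a given time and which carry a "renew until" line. The sample output, principal names and realm are constructed, and the date format assumed is MIT klist's `%m/%d/%y %H:%M:%S`, which varies between releases, so adjust `TIME_FMT` if your build prints dates differently.

```python
"""Summarise an MIT-style klist listing: TGT visibility, valid and renewable
tickets. Added example; nothing here is captured from a real system."""
import re
from datetime import datetime

# Constructed sample modelled on MIT klist's default layout. There is no
# krbtgt entry, which is what you see from MSLSA: when allowtgtsessionkey
# is unset, and the cifs ticket expires earlier than the others.
SAMPLE_KLIST = """\
Ticket cache: MSLSA:
Default principal: deepak@EXAMPLE.COM

Valid starting     Expires            Service principal
01/29/13 08:00:00  01/29/13 18:00:00  host/ws01.example.com@EXAMPLE.COM
01/29/13 08:05:00  01/29/13 18:00:00  ldap/dc01.example.com@EXAMPLE.COM
\trenew until 02/05/13 08:00:00
01/29/13 08:10:00  01/29/13 12:00:00  cifs/fs01.example.com@EXAMPLE.COM
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"          # assumed klist date format
_TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY_RE = re.compile(r"^" + _TS + r"\s+" + _TS + r"\s+(\S+)$")
RENEW_RE = re.compile(r"^\s+renew until " + _TS + r"$")


def parse_klist(text):
    """Return a list of ticket dicts in listing order. A 'renew until' line
    is attached to the ticket printed immediately before it."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append({
                "starts": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "principal": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def has_tgt(tickets):
    """True if a krbtgt/REALM@REALM entry is present in the listing."""
    return any(t["principal"].startswith("krbtgt/") for t in tickets)


def valid_tickets(tickets, now):
    """Tickets whose lifetime covers `now`."""
    return [t for t in tickets if t["starts"] <= now < t["expires"]]


def renewable_tickets(tickets, now):
    """Tickets that still carry an unexpired 'renew until' time."""
    return [t for t in tickets
            if t["renew_until"] is not None and now < t["renew_until"]]


def summarize(text, now):
    """One-shot summary suitable for a health check of the credential cache."""
    tickets = parse_klist(text)
    valid = valid_tickets(tickets, now)
    return {
        "tgt_visible": has_tgt(tickets),
        "valid": [t["principal"] for t in valid],
        "renewable": [t["principal"] for t in renewable_tickets(tickets, now)],
        "cache_empty": not valid,
    }


if __name__ == "__main__":
    # Midday: host and ldap tickets are valid, cifs already expired.
    print(summarize(SAMPLE_KLIST, datetime(2013, 1, 29, 13, 0, 0)))
    # Evening: everything has expired, which is the "cache is empty" case.
    print(summarize(SAMPLE_KLIST, datetime(2013, 1, 29, 19, 0, 0)))
```

Run with the real listing by replacing `SAMPLE_KLIST` with the captured output of `klist MSLSA:` and `now` with `datetime.now()`; a result with `tgt_visible` false and `cache_empty` true is exactly the state where a client relying on the MIT library (rather than SSPI) will report an empty credential cache until Windows fetches a fresh service ticket.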

