How does the MIT Kerberos SDK work with MSLSA:
Douglas E. Engert
deengert at anl.gov
Tue Jan 29 12:29:33 EST 2013
On 1/28/2013 10:17 PM, deepak kumar wrote:
> Hi All,
> I have been working on developing a Client and a Service application for
> Windows as a prototype. These prototypes should do Kerberos-based mutual
> authentication where the client should authenticate using the logged-on
> credentials of the logged-in Windows user.
> I am using Kerberos for Windows 4.
> Now if I do klist MSLSA: on the command prompt, I get a list of service tickets
> but I don't see any krbtgt (TGT).
> But the client application still works as long as there is any service
> ticket available (visible in klist).
> After a while the service tickets expire and klist starts returning an empty list.
> At this time the client application starts to fail, saying the credential cache
> is empty.
> If I keep waiting for some time, some other service ticket will
> automatically get generated and the application will start working again.
> I know that setting the enabletgtseesionkey registry entry to true will allow
> us to see the TGT using klist, but we don't want to change any registry
You mean allowtgtsessionkey?
Keep in mind that Windows is keeping the session key private so an
application cannot steal the TGT and misuse it. Yet the Windows
Kerberos/SSPI can get service tickets for applications without the
application requiring access to the TGT key.
The allowtgtsessionkey was a concession by Microsoft that there are
times when an application using some external Kerberos library needs
access to the session key.
> I want to know how the client application is working without a TGT, and why
> service tickets disappear after their expiry time. Is there any way to get them
> renewed automatically.
The TGT in the MSLSA can be renewable; see:
under: Renewable TGTs.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
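An added PowerShell example (not code from this thread, from MIT Kerberos or from Microsoft) that lets an administrator check the two things discussed above from the defender's side: whether the LSA has been configured to release the TGT session key, and what the MSLSA cache currently holds. It assumes the registry value lives at HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey (REG_DWORD), and it parses the output of the Windows-native klist.exe, whose "Server:" / "Ticket Flags" / "End Time:" layout is assumed below. Unlike the MIT klist reading MSLSA:, the native klist asks the LSA for ticket metadata, so it lists the krbtgt entry even when the session key is withheld. The sample klist text is constructed for the example.

```powershell
# Added example: audit AllowTgtSessionKey and summarise the MSLSA ticket cache.
# Assumption: documented registry location of the AllowTgtSessionKey value.
function Get-AllowTgtSessionKeyState {
    # A non-zero value means any process running as the user can obtain a
    # usable TGT (ticket plus session key) from the cache, which is exactly
    # what the default setting is meant to prevent.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $prop = Get-ItemProperty -Path $path -Name 'AllowTgtSessionKey' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present = ($null -ne $prop)
        Enabled = ($null -ne $prop -and $prop.AllowTgtSessionKey -ne 0)
    }
}

function ConvertFrom-KlistOutput {
    # Turns Windows klist.exe text into one object per cached ticket.
    # Assumption: each ticket starts with "#N>" and carries Server:, Ticket Flags and End Time: lines.
    param([string[]]$Lines)
    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*#\d+>') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{ Server = ''; Renewable = $false; EndTime = '' }
        }
        elseif ($current -and $line -match '^\s*Server:\s*(\S+)') { $current.Server = $Matches[1] }
        elseif ($current -and $line -match '^\s*Ticket Flags.*\brenewable\b') { $current.Renewable = $true }
        elseif ($current -and $line -match '^\s*End Time:\s*(.+)$') { $current.EndTime = $Matches[1].Trim() }
    }
    if ($current) { $tickets += $current }
    return $tickets
}

function Get-MslsaCacheSummary {
    # Reports whether a TGT is present, whether it is renewable (the property
    # Doug points to for the "tickets vanish after expiry" question), and which
    # service tickets the LSA has already fetched on the application's behalf.
    param([string[]]$KlistLines)
    $tickets = @(ConvertFrom-KlistOutput -Lines $KlistLines)
    $tgt = @($tickets | Where-Object { $_.Server -like 'krbtgt/*' })
    [pscustomobject]@{
        TicketCount    = $tickets.Count
        HasTgt         = ($tgt.Count -gt 0)
        TgtRenewable   = (@($tgt | Where-Object { $_.Renewable }).Count -gt 0)
        TgtEndTime     = $(if ($tgt.Count -gt 0) { $tgt[0].EndTime } else { '' })
        ServiceTickets = @($tickets | Where-Object { $_.Server -notlike 'krbtgt/*' } | ForEach-Object { $_.Server })
    }
}

# Constructed sample of native klist.exe output (not captured from a real host).
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/29/2013 9:00:00 (local)
        End Time:   1/29/2013 19:00:00 (local)
        Renew Time: 2/5/2013 9:00:00 (local)

#1>     Client: alice @ EXAMPLE.COM
        Server: host/fileserver.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 1/29/2013 9:05:00 (local)
        End Time:   1/29/2013 19:00:00 (local)
        Renew Time: 2/5/2013 9:00:00 (local)
'@ -split "`r?`n"

'--- registry ---'
Get-AllowTgtSessionKeyState

'--- constructed sample cache ---'
Get-MslsaCacheSummary -KlistLines $sampleKlist

'--- live cache of the current logon session ---'
# Native klist, called by full path so the MIT KfW klist is not picked up instead.
$live = & "$env:SystemRoot\System32\klist.exe" 2>&1 | ForEach-Object { "$_" }
Get-MslsaCacheSummary -KlistLines $live
```

On the constructed sample the summary reports two tickets, a renewable TGT ending at 19:00 and one service ticket for host/fileserver.example.com. Run against a real session, an empty ServiceTickets list with HasTgt true is the state the original poster saw through the MIT klist: the LSA still holds the TGT and will fetch new service tickets on demand, it just does not expose the TGT to external libraries unless AllowTgtSessionKey is set.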