Will the TGT be destroyed if the user locks Windows?

christy

Hello,

I have a win2k machine which is a member of an MIT realm.
A user who has an account in the MIT realm logs on
using the win2k machine.

Using klist, I can see there are two tickets:
- 1 TGT, with the MIT KDC
- 1 session ticket with the win2k machine

What will happen when the user locks the machine?
Will he lose the tickets?

Based on my experiment, when the user locks the
machine and then unlocks it, AS-REQ and TGS-REQ are
reinitiated (as recorded in the log file of the KDC).
Logically, this means that klist should show a new TGT and
a new session ticket.

However, my observation shows that the session ticket
with the win2k machine is the initial ticket (from before
locking the machine)!! The TGT is a new one. If the
TGS-REQ is negotiated with the KDC, what happens with
the new session ticket? Why can't I see it with klist?

Another doubt is about the logon process on a Windows
machine. Does the user negotiate a KRB_AP_REQ with the
Windows machine after the AS-REQ and TGS-REQ with the KDC?
From the Windows 2000 white paper, it seems that only
AS-REQ and TGS-REQ are required for a user to log in
to the Windows machine...

Hope somebody can help me to clear my doubts.

Joe Richards [MVP]

Most likely the machine is simply doing a live verify of the password; it isn't
querying the KDC to get a new TGT for use by the machine, just making sure the
person typing the password to unlock the machine is valid and nothing has
happened to that ID in the meanwhile since it was locked. This happens against
Windows domains as well. I believe there is a registry change that can be made
that will tell the client to instead use cached info.

christy

You mean that the Windows client simply sends AS-REQ and
TGS-REQ to the MIT KDC just to verify the password? And in
this case the TGT and ticket that it has retained
previously aren't destroyed? I did notice that the TGT is
renewed. So, I can set the registry not to renew the TGT?

Thank you for your reply!

christy

Hi Joe,

If the machine wants to do a verification of the password only, it can
simply compare the hash of the password entered by the user when he wants
to unlock the machine with the cached hash of the password that was saved
before, during the login process, right?
In this way, there is no need to consult the KDC...

What do you think?

Joe Richards [MVP]

I agree, and that is the functionality you use if you tell the client to not
reverify domain credentials on unlock. Unfortunately, while I know that there is an
entry for this, I don't know what the specific entry is. If you poke around in
your local security policy you may find it. If you can't find it after looking,
let me know and I will see if I can find it.
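The first post infers the re-authentication on unlock from AS-REQ and TGS-REQ entries in the KDC log. The following added example (not from any poster in this thread) parses constructed log lines in the shape MIT krb5kdc writes for issued tickets and reports, per client principal, how many AS exchanges (new TGTs, one per distinct authtime) and TGS exchanges occurred and for which services; the log format, host names, realm and addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed shape of an MIT krb5kdc "ISSUE" line (constructed to match the sample below):
#   Mon DD HH:MM:SS host krb5kdc[pid](info): AS_REQ (..) addr: ISSUE: authtime N, etypes {..}, client for server
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)$"
)

# Constructed sample: initial logon at 09:00, then the same client re-authenticating at 09:30 (unlock).
SAMPLE_LOG = [
    "Mar 03 09:00:01 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 192.0.2.10: ISSUE: authtime 1046682001, etypes {rep=23 tkt=23 ses=23}, user@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    "Mar 03 09:00:02 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 192.0.2.10: ISSUE: authtime 1046682001, etypes {rep=23 tkt=23 ses=23}, user@EXAMPLE.ORG for host/win2k.example.org@EXAMPLE.ORG",
    "Mar 03 09:15:00 kdc krb5kdc[1234](info): closing down fd 11",  # unrelated line, must be ignored
    "Mar 03 09:30:11 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 192.0.2.10: ISSUE: authtime 1046683811, etypes {rep=23 tkt=23 ses=23}, user@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    "Mar 03 09:30:12 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 192.0.2.10: ISSUE: authtime 1046683811, etypes {rep=23 tkt=23 ses=23}, user@EXAMPLE.ORG for host/win2k.example.org@EXAMPLE.ORG",
]

def parse_kdc_log(lines):
    """Return one dict per ISSUE line; lines that are not ticket issuances are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["authtime"] = int(d["authtime"])
            events.append(d)
    return events

def reauth_events(events):
    """Per client: AS/TGS counts, distinct TGTs (one per authtime) and services requested."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    report = {}
    for client, evs in by_client.items():
        as_reqs = [e for e in evs if e["kind"] == "AS_REQ"]
        tgs_reqs = [e for e in evs if e["kind"] == "TGS_REQ"]
        report[client] = {
            "as_req": len(as_reqs),
            "tgs_req": len(tgs_reqs),
            "distinct_tgts": len({e["authtime"] for e in as_reqs}),
            "servers": sorted({e["server"] for e in tgs_reqs}),
        }
    return report

if __name__ == "__main__":
    for client, summary in reauth_events(parse_kdc_log(SAMPLE_LOG)).items():
        print(client, summary)
```

Two distinct authtimes for one interactive session is the signature the first post describes: a second full AS exchange on unlock rather than reuse of the cached TGT.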