Kerberos Tickets Renewal

Hi guys,

I understand that for Kerberos authentication in a 2k3 domain, when a user has successfully authenticated himself to the AD, the KDC will issue him a TGT and a session ticket. He will then use them to request service tickets to access server resources.

What I would like to know is: when the TGT expires, it will go through a ticket renewal process with the KDC to renew the tickets. Will they go through another round of authentication during renewal?

Please advise. Thanks
--
Domon
Domon's Profile: http://forums.techarena.in/members/domon.htm
View this thread: http://forums.techarena.in/active-directory/1143846.htm
http://forums.techarena.in


Hello Domon,

From: http://technet.microsoft.com/en-us/library/cc772815.aspx

What happens when tickets expire

The KDC does not notify clients when service tickets or TGTs are about to expire. Furthermore, other than keeping short-term records needed to prevent replay attacks, it does not keep track of transactions with clients.

If a client presents an expired service ticket when requesting a connection to a server, the server returns an error message. The client must request a new service ticket from the KDC. After a connection is authenticated, however, it no longer matters whether the service ticket remains valid. Service tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the service ticket used to authenticate the connection expires during the connection.

If a client presents an expired TGT when requesting a service ticket from the KDC, the KDC responds with an error message. The client must request a new TGT, and to do that it needs the user's long-term key. If the client did not cache the user's long-term key during the initial logon process, the client might have to ask the user for a password and derive the long-term key.

Renewable TGTs

When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all instances of the ticket.

The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy.

A client holding a renewable ticket must send it, presenting a fresh authenticator as well, to the KDC for renewal before the end time is reached. When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the ticket's Start Time field plus the value of the maximum cumulative ticket life specified by Kerberos policy.

When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key. This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervals, every day for example. When tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long period, one week or one month for example. At the end of that time, the ticket expires and is no longer valid for renewal.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi Meinolf,

Thanks for the reply.

So, let's say that I have a service running using a service account called "serviceAcc". This account is given "PasswordA" as the password. In a domain controller, we change the service account's password to "PasswordB". And we change the password on the service's properties as well. However, we did not restart the service. From what I understand, the new password will not take effect until the service is restarted. In this case, how will the service be affected if the tickets are to be renewed?

Would like to hear your views on this ...

Thanks
--
Domon


Hello Domon,

The service has to be restarted. If you don't do it, the service will stop working. So that's also a reason, when using a service account, that you configure a long strong password for the user account, that it should have only the minimum permissions for that service/application/role, and that you change that password at least once a year. Of course you should never use that account for anything else.

Best regards
Meinolf Weber


Hi Meinolf,

I see. As the service is not restarted, it will still use the old password "PasswordA". When the tickets are to be renewed, it will use the old password. This will result in a bad password error as the new password "PasswordB" is set in the Active Directory. Thus, the tickets will not be renewed and this results in the service not being able to work. Am I having the correct concept? Please correct me if I'm wrong.

Thanks
--
Domon


On Mar 22, 7:21 pm, Domon <Domon.3ph...@DoNotSpam.com> wrote:

The docs cover this pretty well:

TGT Renewal with Windows XP and Windows 2000 with SP2 or Later

The TGT has a default lifetime of ten hours, but can be renewed for up to seven days (by default). The renewal does not require credentials. The renewal will only occur if the TGT is used within five minutes of its expiration. Otherwise, the TGT will expire and must be refreshed (which requires credentials).

TGT Renewal with Windows Server 2003

The TGT has a default lifetime of ten hours, but can be renewed for up to seven days (by default). The renewal does not require credentials. The renewal occurs through the use of a scavenger thread on the machine. If for some reason the TGT was not able to be renewed it will expire and must be refreshed (which requires credentials).

In Windows XP and Windows 2000 with SP2 or later, TGT renewal is triggered when the TGT is used within 5 minutes of its expiration. In Windows Server 2003, periodically the system will automatically renew expiring TGTs.

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/kerberos.mspx

So, as long as the TGT can be renewed, it will use the previous TGT, which means that it won't use the password. After you change the service account password, it could therefore still work for up to seven days using the old TGT. The new password would be used as soon as a new TGT is requested (refresh).

HTH,
Dave


What impact does the issue mentioned in this KB article have on what was discussed in this thread?
http://support.microsoft.com/kb/959517


Hello LFAR123,

This mentioned an error that occurs as described in the article. The renewal fails on the KDC. So the service application will stop working or produce errors.

Best regards
Meinolf Weber


Thanks for the reply Meinolf. I have a question related to Domon's question.

We have a SharePoint implementation in which an InfoPath form calls a custom web service that is hosted on a different IIS Server. Kerb delegation is being used during the form's call to the web service. We are seeing times where the call to the web service is failing with a 401. We are pretty certain the problem is that when the user connects to the SharePoint site, rather than using kerb authen, it is dropping back to NTLM. Therefore when the call is made to the web service, this fails because NTLM is being used. Our thinking is also that the reason the user is connecting to SharePoint with NTLM rather than kerb is because the user's TGT is expiring. The reason we think this is because if I instruct the user to reboot and then try, they connect with kerb to SharePoint and the call to the web service is successful.

Our KDC is set up to expire tickets at 10 hours and renewable for 7 days. My question is when does a TGT get renewed? You said it will automatically get renewed if used within 5 minutes of expiring. Is that the only time it is renewed? I'm having a devil of a time proving out our theory on the issue. The reason I asked about the KB article is that our DCs are Server 2008 servers. So I think this bug has an influence as well.

Thanks for any thoughts or guidance you can provide.
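The following is an added example, not code from the thread, Microsoft or any Kerberos implementation. It models the rules Meinolf quoted (End Time, Renew Till, the RENEWABLE flag, a new session key on every renewal, refresh needing the long-term key) and replays Domon's serviceAcc scenario with the defaults Dave cites (10-hour ticket life, 7-day renewable life, renewal attempted within 5 minutes of expiry). The ToyKDC, TGT and KerberosError classes, the timestamps and the use of the raw password bytes as the "long-term key" are all simplifications made for this example; only the two error names KDC_ERR_PREAUTH_FAILED and KRB_AP_ERR_TKT_EXPIRED are real Kerberos error codes.

```python
"""Toy model of Kerberos TGT issue, renewal and refresh (added example).

Constructed for illustration: the policy numbers are the defaults the thread
quotes (10 hour ticket life, 7 day renewable life, renewal attempted within
5 minutes of End Time). The KDC, keys and tickets are simplified stand-ins,
not Windows or MIT Kerberos code.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import secrets

MAX_TICKET_LIFE = timedelta(hours=10)     # policy: maximum lifetime of one ticket instance
MAX_RENEWABLE_LIFE = timedelta(days=7)    # policy: maximum cumulative ticket life
RENEW_WINDOW = timedelta(minutes=5)       # client renews this close to End Time


class KerberosError(Exception):
    """Stands in for a KRB-ERROR reply from the KDC."""


@dataclass(frozen=True)
class TGT:
    principal: str
    start_time: datetime
    end_time: datetime      # End Time field: life of the current instance
    renew_till: datetime    # Renew Till field: fixed at first issue, never extended
    renewable: bool         # RENEWABLE flag
    session_key: bytes      # replaced on every renewal


class ToyKDC:
    """Keeps each principal's long-term key, i.e. the key derived from its AD password."""

    def __init__(self) -> None:
        self._long_term_keys: dict[str, bytes] = {}

    def set_password(self, principal: str, password: str) -> None:
        # A real KDC stores a key derived from the password; the raw bytes suffice here.
        self._long_term_keys[principal] = password.encode()

    def issue_tgt(self, principal: str, long_term_key: bytes, now: datetime) -> TGT:
        """AS exchange ('refresh' in the thread's wording): needs the long-term key."""
        if self._long_term_keys.get(principal) != long_term_key:
            raise KerberosError("KDC_ERR_PREAUTH_FAILED: bad password for %s" % principal)
        return TGT(principal, now, now + MAX_TICKET_LIFE, now + MAX_RENEWABLE_LIFE,
                   True, secrets.token_bytes(16))

    def renew_tgt(self, tgt: TGT, now: datetime) -> TGT:
        """TGS exchange with the RENEW option: the ticket itself is the credential."""
        if not tgt.renewable:
            raise KerberosError("ticket is not renewable")
        if now >= tgt.end_time:
            raise KerberosError("KRB_AP_ERR_TKT_EXPIRED: End Time passed, refresh required")
        if now >= tgt.renew_till:
            raise KerberosError("Renew Till passed, refresh required")
        # New instance: later End Time capped at Renew Till, fresh session key, same Renew Till.
        return replace(tgt, start_time=now,
                       end_time=min(now + MAX_TICKET_LIFE, tgt.renew_till),
                       session_key=secrets.token_bytes(16))


def service_password_change_timeline() -> dict:
    """Replays the thread's scenario: serviceAcc's AD password changes from
    PasswordA to PasswordB but the service is not restarted, so it keeps the old key."""
    kdc = ToyKDC()
    kdc.set_password("serviceAcc", "PasswordA")
    t0 = datetime(2009, 3, 22, 8, 0)        # constructed start time
    cached_key = b"PasswordA"               # what the un-restarted service still holds

    tgt = kdc.issue_tgt("serviceAcc", cached_key, t0)
    kdc.set_password("serviceAcc", "PasswordB")   # password changed in AD right after logon

    renewals = 0
    while tgt.end_time < tgt.renew_till:
        # Renew shortly before End Time, as the client would; no key is presented.
        renewed = kdc.renew_tgt(tgt, tgt.end_time - RENEW_WINDOW)
        assert renewed.session_key != tgt.session_key      # compromised-key window shrinks
        assert renewed.renew_till == tgt.renew_till        # cumulative limit is unchanged
        tgt, renewals = renewed, renewals + 1

    # Past Renew Till the ticket can only be refreshed, which needs the long-term key.
    after = tgt.renew_till + timedelta(minutes=1)
    outcome = {"renewals": renewals,
               "covered_until": tgt.end_time.isoformat(),
               "days_on_old_password": (tgt.end_time - t0).days}
    for label, key in (("refresh_with_old_password", cached_key),
                       ("refresh_with_new_password", b"PasswordB")):
        try:
            kdc.issue_tgt("serviceAcc", key, after)
            outcome[label] = "ok"
        except KerberosError as err:
            outcome[label] = str(err)
    return outcome


if __name__ == "__main__":
    for key, value in service_password_change_timeline().items():
        print(f"{key}: {value}")
```

Running it shows the un-restarted service renewing its TGT 16 times without ever presenting a key, reaching the seven-day Renew Till exactly, and only then failing the refresh with the cached PasswordA while PasswordB succeeds. That is the behaviour Dave describes: the break appears days after the password change, which is also when a defender would first see a pre-authentication failure for the service account on the DC rather than at the moment the password was changed.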