Mod_auth_kerb and Windows XP SP2 - Kerberos


Thread: Mod_auth_kerb and Windows XP SP2

  1. Mod_auth_kerb and Windows XP SP2

    All,

    We are using Apache2 with mod_auth_kerb.

    Red Hat Enterprise Linux AS release 3 (2.4.21-40.Elsmp)
    Apache 2.0.49 (fork)
    mod_auth_kerb-5.3
    MIT Kerberos Version 5, Release 1.5.2
    Windows XP sp2 (desktop).


    1. User logs on to their desktop.
    2. I can see TGT using kerbtray.
    3. Everything works fine for 2 days.
    4. Right from the 3rd day users start getting the basic auth box when they
    try to access the site.

    Apache logs
    =========
    [Mon Apr 09 10:03:25 2007] [info] Initial (No.1) HTTPS request received for child 1 (server lxdm14545.corp.mycompany.com:443)
    [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1474): [client 10.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1161): [client 10.X.X.X] Acquiring creds for HTTP@lxdm14545.corp.mycompany.com
    [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1305): [client 10.X.X.X] Verifying client data using KRB5 GSS-API
    [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1321): [client 10.X.X.X] Verification returned code 589824
    [Mon Apr 09 10:03:25 2007] [debug] src/mod_auth_kerb.c(1348): [client 10.X.X.X] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Mon Apr 09 10:03:25 2007] [error] [client 10.X.X.X] gss_accept_sec_context() failed: Invalid token was supplied (No error)
    [Mon Apr 09 10:03:25 2007] [info] Connection to child 1 closed with unclean shutdown(server lxdm14545.corp.mycompany.com:443, client 10.X.X.X)

    On the kerbtray I can see a valid ticket (non-expired).
    If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
    working fine again.

    I used ethereal to see what's happening.

    On successful auth: IE is sending Authorization : Negotiate
    On failed auth: IE is sending Authorization : NTLMSSP (without even trying
    to use GSSAPI)

    Does anyone know what triggers Windows XP to stop doing kerb auth
    (GSSAPI) and switch to NTLM?

    It's weird that it's working fine for a couple of days and then starts
    misbehaving this way.
    Once in a while I see this error on Desktop's event viewer. There is no
    pattern in the time interval between the errors.

    The Security System could not establish a secured connection with the
    server
    ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com@corp.mycompany.com.
    No authentication protocol was available.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    I verified that we have reverse DNS look up setup properly.

    This seems to be more of an issue on the XP side.

    Any help in this regard will be appreciated.

    Thanks
    --Sriram

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
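
As an added example (not part of the original thread and not mod_auth_kerb code), this Python code classifies the token carried in an `Authorization` header, separating the two cases the post describes: a raw NTLMSSP message versus a GSS-API/SPNEGO token that offers Kerberos. The sample headers are constructed rather than captured, and all function names are illustrative.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (content bytes only, without tag and length)
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",                    # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",          # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (MS OID)", # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",           # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag):
    """Read one element and insist on its tag; return (body, next_pos)."""
    tag, body, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError("unexpected tag 0x%02x" % tag)
    return body, nxt

def spnego_mechs(rest):
    """Mechanisms offered in a NegTokenInit, in the client's preference order."""
    neg_init, _ = expect(rest, 0, 0xA0)      # [0] NegTokenInit
    fields, _ = expect(neg_init, 0, 0x30)    # SEQUENCE of optional fields
    mech_types, _ = expect(fields, 0, 0xA0)  # [0] mechTypes
    oids, _ = expect(mech_types, 0, 0x30)    # SEQUENCE OF OBJECT IDENTIFIER
    names, pos = [], 0
    while pos < len(oids):
        oid, pos = expect(oids, pos, 0x06)
        names.append(MECHS.get(oid, "unknown " + oid.hex()))
    return names

def classify(header_value):
    """Return (scheme, token kind, offered mechanisms) for an Authorization value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLMSSP_SIG):    # NTLM message, not a GSS-API token
            return scheme, "raw NTLMSSP", []
        body, _ = expect(token, 0, 0x60)     # GSS-API InitialContextToken
        oid, pos = expect(body, 0, 0x06)     # thisMech
        mech = MECHS.get(oid, "unknown " + oid.hex())
        return scheme, mech, spnego_mechs(body[pos:]) if mech == "SPNEGO" else []
    except (ValueError, IndexError):
        return scheme, "unrecognised", []

def kerberos_offered(header_value):
    """True when the token is Kerberos or an SPNEGO offer that lists Kerberos."""
    _, kind, mechs = classify(header_value)
    return kind.startswith("Kerberos") or any(m.startswith("Kerberos") for m in mechs)

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed samples (not captured traffic); the mechToken is 200 bytes of zero padding.
OID_TLV = {name: tlv(0x06, raw) for raw, name in MECHS.items()}
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(tlv(0x60, OID_TLV["SPNEGO"] + tlv(0xA0, tlv(
    0x30, tlv(0xA0, tlv(0x30, OID_TLV["Kerberos 5 (MS OID)"] + OID_TLV["Kerberos 5"]
                        + OID_TLV["NTLMSSP"]))
    + tlv(0xA2, tlv(0x04, bytes(200))))))).decode()
NTLM_SAMPLE = "Negotiate " + base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(24)).decode()

if __name__ == "__main__":
    for sample in (SPNEGO_SAMPLE, NTLM_SAMPLE):
        print(classify(sample), "kerberos offered:", kerberos_offered(sample))
```

Run over header values exported from a packet capture, this separates clients that never offered Kerberos from those whose Kerberos token the server rejected.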


  2. Re: Mod_auth_kerb and Windows XP SP2


    I opened a support call with Microsoft and got a reply that they don't
    support Kerberos authentication if the webserver is Apache, even if the client
    is XP-IE. They only support the IE-IIS combination.

    Going back to NTLM is not an option.

    I can provide an ethereal trace if anyone is interested in it.
    I followed the exact instructions as mentioned in
    http://www.grolmsnet.de/kerbtut/
    I guess being able to do seamless SSO for the first 2 days is proof that the
    keytab and the rest of the configuration are correct.

    Has anyone implemented this solution without any issues?

    --Sriram



    --
    View this message in context: http://www.nabble.com/Mod_auth_kerb-...html#a10025814
    Sent from the Kerberos - General mailing list archive at Nabble.com.


  3. Re: Mod_auth_kerb and Windows XP SP2

    > > On the kerbtray I can see a valid ticket (non-expired).
    > > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
    > > working fine again.


    The TGT is expiring. TGT tickets have a "cumulative ticket life" that
    is limited by ticket renewal policy. When it expires the secret key is
    required to get a new one (e.g. the password via ctrl-alt-del).

    Look at the Renew Until field in kerbtray. Note that kerbtray does not
    update automatically. You must close it and relaunch it for it to update
    the information. I think you'll find that the Renew Until time is about
    2 days.

    By default Windows will lock the desktop after a short time of inactivity
    so you're seeing this problem because you have somehow bypassed that
    policy. Or you have been working for two days straight in which case
    you have bigger problems than Kerberos ticket renewal policies - you
    need a new employer ;-)

    Mike

    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/


  4. Re: Mod_auth_kerb and Windows XP SP2


    Allen,

    Thanks for your response.
    1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1 hour).
    But it's not consistent.
    2. If I leave my desktop idle for 10 mins, our corporate policy locks the
    desktop, but it doesn’t create a new ticket when I unlock it.
    Not sure if that’s controlled by GPO.
    3. For sure it creates a new TGT or renews the TGT when I manually lock and
    unlock.

    Next time when this happens I will run klist and check the ticket
    EndTime.

    I was able to confirm that, if the server is IIS, it switches to NTLM in this
    scenario, whereas mod_auth_kerb doesn’t support NTLM.

    Actually we are seeing the same symptoms as mentioned in the KB article.
    http://support.microsoft.com/kb/885887
    But the DLL version I have here is 5.1.2600.2698, which is higher than what's
    mentioned in the article.

    --Sriram



  5. RE: Mod_auth_kerb and Windows XP SP2

    Allen,

    Thanks for your response.
    1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
    hour). But it's not consistent.
    2. If I leave my desktop idle for 10 mins, our corporate policy locks
    the desktop, but it doesn't create a new ticket when I unlock it.
    Not sure if that's controlled by GPO.
    3. For sure it creates a new TGT or renews the TGT when I manually lock
    and unlock.

    Next time when this happens I will run klist and check the ticket
    EndTime.

    I was able to confirm that, if the server is IIS, it switches to NTLM in
    this scenario, whereas mod_auth_kerb doesn't support NTLM.

    Actually we are seeing the same symptoms as mentioned in the KB article.
    http://support.microsoft.com/kb/885887
    But the DLL version I have here is 5.1.2600.2698, which is higher than
    what's mentioned in the article.

    --Sriram

    -----Original Message-----
    From: Michael B Allen [mailto:mba2000@ioplex.com]
    Sent: Monday, April 16, 2007 4:56 PM
    To: Gopalan, Sriram
    Cc: kerberos@mit.edu
    Subject: Re: Mod_auth_kerb and Windows XP SP2

    > > On the kerbtray I can see a valid ticket (non-expired).
    > > If the user locks the desktop (ctrl-alt-del) and unlocks it, it
    > > starts working fine again.


    The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
    limited by ticket renewal policy. When it expires the secret key is
    required to get a new one (e.g. the password via ctrl-alt-del).

    Look at the Renew Until field in kerbtray. Note that kerbtray does not
    update automatically. You must close it and relaunch it for it to update
    the information. I think you'll find that the Renew Until time is about
    2 days.

    By default Windows will lock the desktop after a short time of
    inactivity so you're seeing this problem because you have somehow
    bypassed that policy. Or you have been working for two days straight in
    which case you have bigger problems than Kerberos ticket renewal
    policies - you need a new employer ;-)

    Mike

    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/



  6. Re: Mod_auth_kerb and Windows XP SP2

    On Mon, 16 Apr 2007 23:34:42 -0400
    "Gopalan, Sriram" wrote:

    > Allen,
    >
    > Thanks for your response.
    > 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
    > hour). But it's not consistent.
    > 2. If I leave my desktop idle for 10 mins, our corporate policy locks
    > the desktop, but it doesn't create a new ticket when I unlock it.
    > Not sure if that's controlled by GPO.
    > 3. For sure it creates a new TGT or renews the TGT when I manually lock
    > and unlock.


    This sounds like a completely different problem which has been discussed
    on the mod_auth_kerb list previously, and for which there was no
    resolution.

    > Next time when this happens I will run klist and check the ticket
    > EndTime.
    >
    > I was able to confirm that, if the server is IIS, it switches to NTLM in
    > this scenario, whereas mod_auth_kerb doesn't support NTLM.


    If you can reproduce the problem with IIS that sounds like precedent
    for requesting an explanation from MS.

    > Actually we are seeing the same symptoms as mentioned in the KB article.
    > http://support.microsoft.com/kb/885887
    > But the DLL version I have here is 5.1.2600.2698, which is higher than
    > what's mentioned in the article.


    This sounds like a simple domain controller availability issue. Perhaps
    mod_auth_kerb or libkrb5 could benefit from some retry capability.

    Mike


    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/


  7. Re: Mod_auth_kerb and Windows XP SP2


    Ok again this morning, I started to get prompted.
    I unlocked my PC today. But it didn't renew my ticket.

    Here is my klist (The site I am trying to access is
    mychannele.corp.mycompany.com)

    C:\Program Files\Resource Kit>date /t
    Tue 04/17/2007

    C:\Program Files\Resource Kit>time /t
    09:14 AM

    C:\Program Files\Resource Kit>klist tickets

    Cached Tickets: (7)

    Server: krbtgt/CORP.MYCOMPANY.COM@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server: krbtgt/CORP.MYCOMPANY.COM@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server: SFO1DC1$@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server:
    ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server: LXDM14545$@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server: HTTP/mychannele.corp.mycompany.com@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: Kerberos DES-CBC-MD5
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    Server: SFO1-GFS6LB1$@CORP.MYCOMPANY.COM
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/17/2007 11:10:58
    Renew Time: 4/24/2007 1:10:58


    C:\Program Files\Resource Kit>klist tgt

    Cached TGT:

    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: sgopalan
    DomainName: CORP.MYCOMPANY.COM?
    TargetDomainName: CORP.MYCOMPANY.COM?
    AltTargetDomainName: CORP.MYCOMPANY.COM?
    TicketFlags: 0x40e00000
    KeyExpirationTime: 256/0/29920 0:103:8048
    StartTime: 4/17/2007 1:10:58
    EndTime: 4/17/2007 11:10:58
    RenewUntil: 4/24/2007 1:10:58
    TimeSkew: 4/24/2007 1:10:58


    --Sriram

    C:\Program Files\Resource Kit>
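
An added example, not from the thread: it parses `klist tickets` output of the shape posted above and reports, for the time shown by `date /t` and `time /t` in the same post, whether each ticket had expired and how much lifetime and renewal window remained. It assumes klist prints local time on a 24-hour clock; the input is three entries copied from the post, and the function names are illustrative.

```python
from datetime import datetime

# Constructed input: three entries copied from the klist output in the post above,
# including the entry whose principal is wrapped onto the line after "Server:".
KLIST_SAMPLE = """\
Cached Tickets: (7)

Server: krbtgt/CORP.MYCOMPANY.COM@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58

Server:
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58

Server: HTTP/mychannele.corp.mycompany.com@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
"""

FIELDS = {"KerbTicket Encryption Type": "etype", "End Time": "end", "Renew Time": "renew"}
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: local time, 24-hour clock
OBSERVED = datetime(2007, 4, 17, 9, 14)  # from `date /t` and `time /t` in the post


def parse_klist(text):
    """Turn `klist tickets` text into a list of dicts, one per cached ticket."""
    tickets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")
        if key == "Server" and sep:
            cur = {"server": value.strip()}
            tickets.append(cur)
        elif cur is None or not line:
            continue                      # header text or blank separator
        elif not cur["server"]:
            cur["server"] = line          # principal wrapped onto its own line
        elif key in FIELDS:
            value = value.strip()
            cur[FIELDS[key]] = (value if key.endswith("Type")
                                else datetime.strptime(value, TIME_FMT))
    return tickets


def report(tickets, now):
    """Per ticket: expired at `now`?, lifetime left, and renewal window left."""
    return [{"server": t["server"], "etype": t["etype"],
             "expired": now >= t["end"],
             "remaining": t["end"] - now,
             "renewable_for": t["renew"] - now} for t in tickets]


if __name__ == "__main__":
    for row in report(parse_klist(KLIST_SAMPLE), OBSERVED):
        print(row["server"], "| expired:", row["expired"],
              "| remaining:", row["remaining"],
              "| renewable for:", row["renewable_for"])
```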


  8. Re: Mod_auth_kerb and Windows XP SP2


    Just wanted to update back, if anyone ends up with this issue.

    We contacted MS and they provided a hotfix, as mentioned in the KB

    http://support.microsoft.com/kb/906524/en-us

    We have installed it on 3 desktops. No more authentication prompts. It works
    every single time. No issues so far (10 days). I haven't rebooted or logged
    off the desktop yet in the last 10 days. I just lock the desktop when I
    am not using it.

    We are planning to push this to 100+ desktops next week. Will post back the
    results.

    --Sriram




  9. Re: Mod_auth_kerb and Windows XP SP2

    Good job Sriram. I'm cc-ing the mod_auth_kerb list. They were talking about
    this issue a while back.

    Mike

    On Tue, 1 May 2007 19:08:05 -0700 (PDT)
    SriramG wrote:

    > Just wanted to update back, if anyone ends up with this issue.
    >
    > We contacted MS and they provided a hotfix, as mentioned in the KB
    >
    > http://support.microsoft.com/kb/906524/en-us
    >
    > We have installed it on 3 desktops. No more authentication prompts. It works
    > every single time. No issues so far (10 days). I haven't rebooted or logged
    > off the desktop yet in the last 10 days. I just lock the desktop when I
    > am not using it.
    >
    > We are planning to push this to 100+ desktops next week. Will post back the
    > results.
    >
    > --Sriram
