Ureader.com  
Microsoft software help and Community
date: Tue, 5 Aug 2008 03:51:44 -0700 (PDT)   group: microsoft.public.platformsdk.security


InitializeSecurityContext failing due to expired TGT?   
Hi all,

I have an app that tries to do a Single Sign-On via AD/Kerberos to a
server app (server may be running on Unix using GSSAPI or on Windows
using SSPI, doesn't really matter). The server has an SPN in AD and
all works fine most of the time; I can log in, find out usernames and
all that.

But when a user lets his machine run over the weekend his TGT is
marked as expired when I look at it with klist or the kerbtray app.
If he then uses my app to log in to the service it errors out of
InitializeSecurityContext().

A quick workaround is to lock the screensaver with Win-L and then log
back in; that refreshes the ticket and login works fine after that.

My question:
Is there a way to refresh/renew the TGT programmatically, or is the
only way user interaction? The examples in the SDK or MSDN don't
really mention this..., or I'm too dumb to find it.

I looked at the Kerberos4Win code and it does something gross like
totally nuking all the Kerberos tickets in the LSA to force a
renewal, but I guess there must be some better way to do it.
One other attempt I have seen (not sure if it worked) was using
LsaLogonUser with a KerbTicketUnlockLogon message type to force a
refresh.

Can someone share some insight into this problem, how to refresh a
ticket?

Michael
date: Tue, 5 Aug 2008 03:51:44 -0700 (PDT)   author: schlenk

Re: InitializeSecurityContext failing due to expired TGT?   
On Aug 5, 3:51 am, schlenk wrote:
> Hi all,
>
> I have an app that tries to do a Single Sign-On via AD/Kerberos to a
> server app (server may be running on Unix using GSSAPI or on Windows
> using SSPI, doesn't really matter). The server has an SPN in AD and
> all works fine most of the time; I can log in, find out usernames and
> all that.
>
> But when a user lets his machine run over the weekend his TGT is
> marked as expired when I look at it with klist or the kerbtray app.
> If he then uses my app to log in to the service it errors out of
> InitializeSecurityContext().
>
> A quick workaround is to lock the screensaver with Win-L and then log
> back in; that refreshes the ticket and login works fine after that.
>
> My question:
> Is there a way to refresh/renew the TGT programmatically, or is the
> only way user interaction? The examples in the SDK or MSDN don't
> really mention this..., or I'm too dumb to find it.
>
> I looked at the Kerberos4Win code and it does something gross like
> totally nuking all the Kerberos tickets in the LSA to force a
> renewal, but I guess there must be some better way to do it.
> One other attempt I have seen (not sure if it worked) was using
> LsaLogonUser with a KerbTicketUnlockLogon message type to force a
> refresh.
>
> Can someone share some insight into this problem, how to refresh a
> ticket?
>
> Michael

Hi Michael,

TGTs are refreshed automatically as long as the client machine can
contact the DC, so my suspicion is that there is something wrong.

After the timeout, if you use some other application to access a
network resource, does Kerberos seem to work? Does your app work after
this?

One other thought - there might be a problem with the cred handle for
expired tickets. Does your application cache the same cred handle as
long as it is running? If it does, you might want to try to get a new
cred handle and see what happens.

I have a version of KLIST that allows you to selectively "nuke" the
Kerberos tickets. Contact me offline for a copy if none of the other
suggestions pan out.

HTH,
Dave
date: Tue, 5 Aug 2008 09:15:51 -0700 (PDT)   author: DaveMo

Re: InitializeSecurityContext failing due to expired TGT?   
On Aug 5, 6:15 pm, DaveMo wrote:
> On Aug 5, 3:51 am, schlenk wrote:
>
> > Hi all,
> >
> > I have an app that tries to do a Single Sign-On via AD/Kerberos to a
> > server app (server may be running on Unix using GSSAPI or on Windows
> > using SSPI, doesn't really matter). The server has an SPN in AD and
> > all works fine most of the time; I can log in, find out usernames and
> > all that.
> >
> > But when a user lets his machine run over the weekend his TGT is
> > marked as expired when I look at it with klist or the kerbtray app.
> > If he then uses my app to log in to the service it errors out of
> > InitializeSecurityContext().
> >
> > A quick workaround is to lock the screensaver with Win-L and then log
> > back in; that refreshes the ticket and login works fine after that.
> >
> > My question:
> > Is there a way to refresh/renew the TGT programmatically, or is the
> > only way user interaction? The examples in the SDK or MSDN don't
> > really mention this..., or I'm too dumb to find it.
> >
> > I looked at the Kerberos4Win code and it does something gross like
> > totally nuking all the Kerberos tickets in the LSA to force a
> > renewal, but I guess there must be some better way to do it.
> > One other attempt I have seen (not sure if it worked) was using
> > LsaLogonUser with a KerbTicketUnlockLogon message type to force a
> > refresh.
> >
> > Can someone share some insight into this problem, how to refresh a
> > ticket?
> >
> > Michael
>
> Hi Michael,
>
> TGTs are refreshed automatically as long as the client machine can
> contact the DC, so my suspicion is that there is something wrong.
>
> After the timeout, if you use some other application to access a
> network resource, does Kerberos seem to work? Does your app work after
> this?
>
> One other thought - there might be a problem with the cred handle for
> expired tickets. Does your application cache the same cred handle as
> long as it is running? If it does, you might want to try to get a new
> cred handle and see what happens.
>
Okay, the TGTs should have refreshed themselves but they didn't until
I applied the hotfix for KB 906681 (included in XP SP3).

Michael
date: Fri, 22 Aug 2008 04:26:50 -0700 (PDT)   author: schlenk
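The two diagnostics the thread turns on are (a) whether the user's TGT is merely past its end time but still inside its renew lifetime, which the LSA should renew on its own if a DC is reachable, versus past the renew lifetime, where only a fresh logon helps, and (b) whether the application is holding one credential handle for its whole lifetime instead of acquiring a new one before retrying InitializeSecurityContext. The following script is an added example written for this page; it is not code from any of the posters. It parses `klist` ticket-cache output (the sample below is constructed, in the modern Windows klist layout rather than the 2008 Resource Kit layout, with placeholder user and realm names) and classifies the TGT, and on Windows it acquires a fresh outbound Kerberos credential handle through secur32.dll with ctypes, which is the retry step Dave suggests. The status names, the `CORP.EXAMPLE` realm and the hostnames are assumptions of this example.

```python
"""Classify a user's Kerberos TGT from `klist` output and, on Windows, acquire a
fresh outbound credential handle instead of reusing a cached one.
Added example for this thread; not code from the thread's participants."""
import ctypes
import re
import sys
from datetime import datetime

# Constructed sample of `klist` output (modern layout). Realm, user and
# hostnames are placeholders; the TGT expired Saturday morning and is
# still inside its renew lifetime.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: michael @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/1/2008 17:02:11 (local)
        End Time:   8/2/2008 3:02:11 (local)
        Renew Time: 8/8/2008 17:02:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: michael @ CORP.EXAMPLE
        Server: host/app01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 8/1/2008 17:05:40 (local)
        End Time:   8/2/2008 3:02:11 (local)
        Renew Time: 8/8/2008 17:02:11 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

_TIME_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_time(block, label):
    """Pull '<label>: M/D/YYYY H:MM:SS (local)' out of one ticket block."""
    m = re.search(rf"{label}:\s+(\d+/\d+/\d+ \d+:\d+:\d+)", block)
    return datetime.strptime(m.group(1), _TIME_FMT) if m else None


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        server = re.search(r"Server:\s+(\S+)", block).group(1)
        flags_line = re.search(r"Ticket Flags.*->\s*(.*)", block)
        flags = set(flags_line.group(1).split()) if flags_line else set()
        tickets.append({
            "server": server,
            "renewable": "renewable" in flags,
            "end": _parse_time(block, "End Time"),
            "renew_until": _parse_time(block, "Renew Time"),
        })
    return tickets


def tgt_status(tickets, now):
    """One of: missing, valid, expired_renewable, expired_reauth (names assumed)."""
    tgts = [t for t in tickets if t["server"].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    tgt = max(tgts, key=lambda t: t["end"])
    if now < tgt["end"]:
        return "valid"
    if tgt["renewable"] and tgt["renew_until"] and now < tgt["renew_until"]:
        return "expired_renewable"   # LSA can renew silently while a DC is reachable
    return "expired_reauth"          # past the renew lifetime: a new logon is required


# --- Windows-only part: a fresh CredHandle per retry, as suggested in the thread ---
SECPKG_CRED_OUTBOUND = 2   # sspi.h
SEC_E_OK = 0


class SecHandle(ctypes.Structure):   # CredHandle / CtxtHandle from sspi.h
    _fields_ = [("dwLower", ctypes.c_void_p), ("dwUpper", ctypes.c_void_p)]


def acquire_fresh_kerberos_cred_handle():
    """Call AcquireCredentialsHandleW for the Kerberos package and return
    (handle, expiry). Use it before retrying InitializeSecurityContext rather
    than reusing a handle obtained at process start. Windows only."""
    secur32 = ctypes.WinDLL("secur32")
    acquire = secur32.AcquireCredentialsHandleW
    acquire.restype = ctypes.c_long
    acquire.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_ulong,
                        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                        ctypes.c_void_p, ctypes.POINTER(SecHandle),
                        ctypes.POINTER(ctypes.c_longlong)]
    cred = SecHandle()
    expiry = ctypes.c_longlong()      # TimeStamp: 64-bit FILETIME
    status = acquire(None, "Kerberos", SECPKG_CRED_OUTBOUND, None, None,
                     None, None, ctypes.byref(cred), ctypes.byref(expiry))
    if status != SEC_E_OK:
        raise OSError(f"AcquireCredentialsHandle failed: 0x{status & 0xffffffff:08x}")
    return cred, expiry.value


if __name__ == "__main__":
    monday_morning = datetime(2008, 8, 4, 9, 0, 0)   # constructed "now"
    print(tgt_status(parse_klist(SAMPLE_KLIST), monday_morning))
    if sys.platform == "win32":
        _, exp = acquire_fresh_kerberos_cred_handle()
        print("fresh Kerberos cred handle acquired, expiry", exp)
```

Run against live output with `klist` piped into `parse_klist`; an `expired_renewable` result together with a failing InitializeSecurityContext points at the client-side renewal not happening (the situation the hotfix in the last post addressed, or an unreachable DC), while `expired_reauth` means the renew lifetime has passed and the lock/unlock workaround is the expected path.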
