Sign in with
Sign up | Sign in
Your question

will the TGT destroyed if user locks windows

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
July 1, 2004 6:45:50 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I have a win2k machine which is a member of MIT Realm.
A user who has an account in the MIT Realm logs on
using the win2k machine.

Using klist, I can see there are two tickets:
- 1 TGT, with the MIT KDC
- 1 session ticket with the win2k machine

What will happen when the user locks the machine ?
Will he lose the tickets ?

Based on my experiment, when the user locks the
machine, and then unlocks it, AS-REQ and TGS-REQ are
reinitiated (recorded in the log file of KDC).
Logically, this means that klist will show new TGT and
new session ticket.

However, my observation shows that the session ticket
with the win2k machine is the initial ticket (before
locking the machine) !! The TGT is a new one. If the
TGS-REQ is negotiated with the KDC, what happens with
the new session ticket ? why can't I see it with klist
?

Another doubt is about the logon process in windows
machine. Does the user negotiate a KDC_AP_REQ with the
windows machine upon AS-REQ and TGS-REQ with the KDC ?
From the windows 2000 white paper, it seems that only
AS-REQ and TGS-REQ are required for a user to logs in
into the windows machine...

Hope somebody can help me to clear my doubts
Anonymous
a b 8 Security
July 1, 2004 3:48:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Most likely the machine is simply doing a live verify of the password, it isn't
querying the KDC to get a new TGT for use by the machine, just making sure the
person typing the password to unlock the machine is valid and nothing has
happened to that ID in the meanwhile since it was locked. This happens against
Windows Domains as well. I believe there is a registry change that can be made
that will tell the client to instead use cached info.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



christy wrote:
> Hello,
>
> I have a win2k machine which is a member of MIT Realm.
> A user who has an account in the MIT Realm logs on
> using the win2k machine.
>
> Using klist, I can see there are two tickets:
> - 1 TGT, with the MIT KDC
> - 1 session ticket with the win2k machine
>
> What will happen when the user locks the machine ?
> Will he lose the tickets ?
>
> Based on my experiment, when the user locks the
> machine, and then unlocks it, AS-REQ and TGS-REQ are
> reinitiated (recorded in the log file of KDC).
> Logically, this means that klist will show new TGT and
> new session ticket.
>
> However, my observation shows that the session ticket
> with the win2k machine is the initial ticket (before
> locking the machine) !! The TGT is a new one. If the
> TGS-REQ is negotiated with the KDC, what happens with
> the new session ticket ? why can't I see it with klist
> ?
>
> Another doubt is about the logon process in windows
> machine. Does the user negotiate a KDC_AP_REQ with the
> windows machine upon AS-REQ and TGS-REQ with the KDC ?
> From the windows 2000 white paper, it seems that only
> AS-REQ and TGS-REQ are required for a user to logs in
> into the windows machine...
>
> Hope somebody can help me to clear my doubts
Anonymous
a b 8 Security
July 1, 2004 10:57:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

You mean that the windows client simply sends AS-REQ and
TGS-REQ to MIT KDC just to verify the password ? And in
this case the TGT and ticket that it has retained
previously aren't destroyed ? I did notice that the TGT is
renewed. So, I can set the registry not to renew the TGT ?

Thank you for your reply !

>-----Original Message-----
>Most likely the machine is simply doing a live verify of
the password, it isn't
>querying the KDC to get a new TGT for use by the machine,
just making sure the
>person typing the password to unlock the machine is valid
and nothing has
>happened to that ID in the meanwhile since it was locked.
This happens against
>Windows Domains as well. I believe there is a registry
change that can be made
>that will tell the client to instead use cached info.
>
>--
>Joe Richards Microsoft MVP Windows Server Directory Services
>www.joeware.net
>
>
>
>christy wrote:
>> Hello,
>>
>> I have a win2k machine which is a member of MIT Realm.
>> A user who has an account in the MIT Realm logs on
>> using the win2k machine.
>>
>> Using klist, I can see there are two tickets:
>> - 1 TGT, with the MIT KDC
>> - 1 session ticket with the win2k machine
>>
>> What will happen when the user locks the machine ?
>> Will he lose the tickets ?
>>
>> Based on my experiment, when the user locks the
>> machine, and then unlocks it, AS-REQ and TGS-REQ are
>> reinitiated (recorded in the log file of KDC).
>> Logically, this means that klist will show new TGT and
>> new session ticket.
>>
>> However, my observation shows that the session ticket
>> with the win2k machine is the initial ticket (before
>> locking the machine) !! The TGT is a new one. If the
>> TGS-REQ is negotiated with the KDC, what happens with
>> the new session ticket ? why can't I see it with klist
>> ?
>>
>> Another doubt is about the logon process in windows
>> machine. Does the user negotiate a KDC_AP_REQ with the
>> windows machine upon AS-REQ and TGS-REQ with the KDC ?
>> From the windows 2000 white paper, it seems that only
>> AS-REQ and TGS-REQ are required for a user to logs in
>> into the windows machine...
>>
>> Hope somebody can help me to clear my doubts
>.
>
Related resources
Anonymous
a b 8 Security
July 1, 2004 11:24:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Joe,

If the machine wants to do a
verification of password only, it can simply compare the
hash of the
password entered by the user when he wants to unlock the
machine with
the cached of the hash password that has been saved before
during the
login process right ?
In this way, there is no need to consult the KDC...

What do you think ?

>-----Original Message-----
>You mean that the windows client simply sends AS-REQ and
>TGS-REQ to MIT KDC just to verify the password ? And in
>this case the TGT and ticket that it has retained
>previously aren't destroyed ? I did notice that the TGT is
>renewed. So, I can set the registry not to renew the TGT ?
>
>Thank you for your reply !
>
>>-----Original Message-----
>>Most likely the machine is simply doing a live verify of
>the password, it isn't
>>querying the KDC to get a new TGT for use by the machine,
>just making sure the
>>person typing the password to unlock the machine is valid
>and nothing has
>>happened to that ID in the meanwhile since it was locked.
>This happens against
>>Windows Domains as well. I believe there is a registry
>change that can be made
>>that will tell the client to instead use cached info.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>
>>christy wrote:
>>> Hello,
>>>
>>> I have a win2k machine which is a member of MIT Realm.
>>> A user who has an account in the MIT Realm logs on
>>> using the win2k machine.
>>>
>>> Using klist, I can see there are two tickets:
>>> - 1 TGT, with the MIT KDC
>>> - 1 session ticket with the win2k machine
>>>
>>> What will happen when the user locks the machine ?
>>> Will he lose the tickets ?
>>>
>>> Based on my experiment, when the user locks the
>>> machine, and then unlocks it, AS-REQ and TGS-REQ are
>>> reinitiated (recorded in the log file of KDC).
>>> Logically, this means that klist will show new TGT and
>>> new session ticket.
>>>
>>> However, my observation shows that the session ticket
>>> with the win2k machine is the initial ticket (before
>>> locking the machine) !! The TGT is a new one. If the
>>> TGS-REQ is negotiated with the KDC, what happens with
>>> the new session ticket ? why can't I see it with klist
>>> ?
>>>
>>> Another doubt is about the logon process in windows
>>> machine. Does the user negotiate a KDC_AP_REQ with the
>>> windows machine upon AS-REQ and TGS-REQ with the KDC ?
>>> From the windows 2000 white paper, it seems that only
>>> AS-REQ and TGS-REQ are required for a user to logs in
>>> into the windows machine...
>>>
>>> Hope somebody can help me to clear my doubts
>>.
>>
>.
>
Anonymous
a b 8 Security
July 2, 2004 2:06:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I agree and that is the functionality you use if you tell the client to not
reverify domain ccredentials on unlock. Unfortunately I know that there is an
entry for this, I don't know what the specific entry is. If youpoke around in
your local security policy you may find it. If you can't find it after looking,
let me know and I will see if I can find it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



christy wrote:
> Hi Joe,
>
> If the machine wants to do a
> verification of password only, it can simply compare the
> hash of the
> password entered by the user when he wants to unlock the
> machine with
> the cached of the hash password that has been saved before
> during the
> login process right ?
> In this way, there is no need to consult the KDC...
>
> What do you think ?
>
>
>>-----Original Message-----
>>You mean that the windows client simply sends AS-REQ and
>>TGS-REQ to MIT KDC just to verify the password ? And in
>>this case the TGT and ticket that it has retained
>>previously aren't destroyed ? I did notice that the TGT is
>>renewed. So, I can set the registry not to renew the TGT ?
>>
>>Thank you for your reply !
>>
>>
>>>-----Original Message-----
>>>Most likely the machine is simply doing a live verify of
>>
>>the password, it isn't
>>
>>>querying the KDC to get a new TGT for use by the machine,
>>
>>just making sure the
>>
>>>person typing the password to unlock the machine is valid
>>
>>and nothing has
>>
>>>happened to that ID in the meanwhile since it was locked.
>>
>>This happens against
>>
>>>Windows Domains as well. I believe there is a registry
>>
>>change that can be made
>>
>>>that will tell the client to instead use cached info.
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>
>>>
>>>christy wrote:
>>>
>>>>Hello,
>>>>
>>>>I have a win2k machine which is a member of MIT Realm.
>>>>A user who has an account in the MIT Realm logs on
>>>>using the win2k machine.
>>>>
>>>>Using klist, I can see there are two tickets:
>>>>- 1 TGT, with the MIT KDC
>>>>- 1 session ticket with the win2k machine
>>>>
>>>>What will happen when the user locks the machine ?
>>>>Will he lose the tickets ?
>>>>
>>>>Based on my experiment, when the user locks the
>>>>machine, and then unlocks it, AS-REQ and TGS-REQ are
>>>>reinitiated (recorded in the log file of KDC).
>>>>Logically, this means that klist will show new TGT and
>>>>new session ticket.
>>>>
>>>>However, my observation shows that the session ticket
>>>>with the win2k machine is the initial ticket (before
>>>>locking the machine) !! The TGT is a new one. If the
>>>>TGS-REQ is negotiated with the KDC, what happens with
>>>>the new session ticket ? why can't I see it with klist
>>>>?
>>>>
>>>>Another doubt is about the logon process in windows
>>>>machine. Does the user negotiate a KDC_AP_REQ with the
>>>>windows machine upon AS-REQ and TGS-REQ with the KDC ?
>>>>From the windows 2000 white paper, it seems that only
>>>>AS-REQ and TGS-REQ are required for a user to logs in
>>>>into the windows machine...
>>>>
>>>>Hope somebody can help me to clear my doubts
>>>
>>>.
>>>
>>
>>.
>>
!