will the TGT destroyed if user locks windows

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I have a win2k machine which is a member of MIT Realm.
A user who has an account in the MIT Realm logs on
using the win2k machine.

Using klist, I can see there are two tickets:
- 1 TGT, with the MIT KDC
- 1 session ticket with the win2k machine

What will happen when the user locks the machine ?
Will he lose the tickets ?

Based on my experiment, when the user locks the
machine, and then unlocks it, AS-REQ and TGS-REQ are
reinitiated (recorded in the log file of KDC).
Logically, this means that klist will show new TGT and
new session ticket.

However, my observation shows that the session ticket
with the win2k machine is the initial ticket (before
locking the machine) !! The TGT is a new one. If the
TGS-REQ is negotiated with the KDC, what happens with
the new session ticket ? why can't I see it with klist
?

Another doubt is about the logon process in windows
machine. Does the user negotiate a KDC_AP_REQ with the
windows machine upon AS-REQ and TGS-REQ with the KDC ?
From the windows 2000 white paper, it seems that only
AS-REQ and TGS-REQ are required for a user to logs in
into the windows machine...

Hope somebody can help me to clear my doubts
4 answers Last reply
More about will destroyed user locks windows
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Most likely the machine is simply doing a live verify of the password, it isn't
    querying the KDC to get a new TGT for use by the machine, just making sure the
    person typing the password to unlock the machine is valid and nothing has
    happened to that ID in the meanwhile since it was locked. This happens against
    Windows Domains as well. I believe there is a registry change that can be made
    that will tell the client to instead use cached info.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    christy wrote:
    > Hello,
    >
    > I have a win2k machine which is a member of MIT Realm.
    > A user who has an account in the MIT Realm logs on
    > using the win2k machine.
    >
    > Using klist, I can see there are two tickets:
    > - 1 TGT, with the MIT KDC
    > - 1 session ticket with the win2k machine
    >
    > What will happen when the user locks the machine ?
    > Will he lose the tickets ?
    >
    > Based on my experiment, when the user locks the
    > machine, and then unlocks it, AS-REQ and TGS-REQ are
    > reinitiated (recorded in the log file of KDC).
    > Logically, this means that klist will show new TGT and
    > new session ticket.
    >
    > However, my observation shows that the session ticket
    > with the win2k machine is the initial ticket (before
    > locking the machine) !! The TGT is a new one. If the
    > TGS-REQ is negotiated with the KDC, what happens with
    > the new session ticket ? why can't I see it with klist
    > ?
    >
    > Another doubt is about the logon process in windows
    > machine. Does the user negotiate a KDC_AP_REQ with the
    > windows machine upon AS-REQ and TGS-REQ with the KDC ?
    > From the windows 2000 white paper, it seems that only
    > AS-REQ and TGS-REQ are required for a user to logs in
    > into the windows machine...
    >
    > Hope somebody can help me to clear my doubts
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    You mean that the windows client simply sends AS-REQ and
    TGS-REQ to MIT KDC just to verify the password ? And in
    this case the TGT and ticket that it has retained
    previously aren't destroyed ? I did notice that the TGT is
    renewed. So, I can set the registry not to renew the TGT ?

    Thank you for your reply !

    >-----Original Message-----
    >Most likely the machine is simply doing a live verify of
    the password, it isn't
    >querying the KDC to get a new TGT for use by the machine,
    just making sure the
    >person typing the password to unlock the machine is valid
    and nothing has
    >happened to that ID in the meanwhile since it was locked.
    This happens against
    >Windows Domains as well. I believe there is a registry
    change that can be made
    >that will tell the client to instead use cached info.
    >
    >--
    >Joe Richards Microsoft MVP Windows Server Directory Services
    >www.joeware.net
    >
    >
    >
    >christy wrote:
    >> Hello,
    >>
    >> I have a win2k machine which is a member of MIT Realm.
    >> A user who has an account in the MIT Realm logs on
    >> using the win2k machine.
    >>
    >> Using klist, I can see there are two tickets:
    >> - 1 TGT, with the MIT KDC
    >> - 1 session ticket with the win2k machine
    >>
    >> What will happen when the user locks the machine ?
    >> Will he lose the tickets ?
    >>
    >> Based on my experiment, when the user locks the
    >> machine, and then unlocks it, AS-REQ and TGS-REQ are
    >> reinitiated (recorded in the log file of KDC).
    >> Logically, this means that klist will show new TGT and
    >> new session ticket.
    >>
    >> However, my observation shows that the session ticket
    >> with the win2k machine is the initial ticket (before
    >> locking the machine) !! The TGT is a new one. If the
    >> TGS-REQ is negotiated with the KDC, what happens with
    >> the new session ticket ? why can't I see it with klist
    >> ?
    >>
    >> Another doubt is about the logon process in windows
    >> machine. Does the user negotiate a KDC_AP_REQ with the
    >> windows machine upon AS-REQ and TGS-REQ with the KDC ?
    >> From the windows 2000 white paper, it seems that only
    >> AS-REQ and TGS-REQ are required for a user to logs in
    >> into the windows machine...
    >>
    >> Hope somebody can help me to clear my doubts
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Joe,

    If the machine wants to do a
    verification of password only, it can simply compare the
    hash of the
    password entered by the user when he wants to unlock the
    machine with
    the cached of the hash password that has been saved before
    during the
    login process right ?
    In this way, there is no need to consult the KDC...

    What do you think ?

    >-----Original Message-----
    >You mean that the windows client simply sends AS-REQ and
    >TGS-REQ to MIT KDC just to verify the password ? And in
    >this case the TGT and ticket that it has retained
    >previously aren't destroyed ? I did notice that the TGT is
    >renewed. So, I can set the registry not to renew the TGT ?
    >
    >Thank you for your reply !
    >
    >>-----Original Message-----
    >>Most likely the machine is simply doing a live verify of
    >the password, it isn't
    >>querying the KDC to get a new TGT for use by the machine,
    >just making sure the
    >>person typing the password to unlock the machine is valid
    >and nothing has
    >>happened to that ID in the meanwhile since it was locked.
    >This happens against
    >>Windows Domains as well. I believe there is a registry
    >change that can be made
    >>that will tell the client to instead use cached info.
    >>
    >>--
    >>Joe Richards Microsoft MVP Windows Server Directory Services
    >>www.joeware.net
    >>
    >>
    >>
    >>christy wrote:
    >>> Hello,
    >>>
    >>> I have a win2k machine which is a member of MIT Realm.
    >>> A user who has an account in the MIT Realm logs on
    >>> using the win2k machine.
    >>>
    >>> Using klist, I can see there are two tickets:
    >>> - 1 TGT, with the MIT KDC
    >>> - 1 session ticket with the win2k machine
    >>>
    >>> What will happen when the user locks the machine ?
    >>> Will he lose the tickets ?
    >>>
    >>> Based on my experiment, when the user locks the
    >>> machine, and then unlocks it, AS-REQ and TGS-REQ are
    >>> reinitiated (recorded in the log file of KDC).
    >>> Logically, this means that klist will show new TGT and
    >>> new session ticket.
    >>>
    >>> However, my observation shows that the session ticket
    >>> with the win2k machine is the initial ticket (before
    >>> locking the machine) !! The TGT is a new one. If the
    >>> TGS-REQ is negotiated with the KDC, what happens with
    >>> the new session ticket ? why can't I see it with klist
    >>> ?
    >>>
    >>> Another doubt is about the logon process in windows
    >>> machine. Does the user negotiate a KDC_AP_REQ with the
    >>> windows machine upon AS-REQ and TGS-REQ with the KDC ?
    >>> From the windows 2000 white paper, it seems that only
    >>> AS-REQ and TGS-REQ are required for a user to logs in
    >>> into the windows machine...
    >>>
    >>> Hope somebody can help me to clear my doubts
    >>.
    >>
    >.
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I agree and that is the functionality you use if you tell the client to not
    reverify domain ccredentials on unlock. Unfortunately I know that there is an
    entry for this, I don't know what the specific entry is. If youpoke around in
    your local security policy you may find it. If you can't find it after looking,
    let me know and I will see if I can find it.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    christy wrote:
    > Hi Joe,
    >
    > If the machine wants to do a
    > verification of password only, it can simply compare the
    > hash of the
    > password entered by the user when he wants to unlock the
    > machine with
    > the cached of the hash password that has been saved before
    > during the
    > login process right ?
    > In this way, there is no need to consult the KDC...
    >
    > What do you think ?
    >
    >
    >>-----Original Message-----
    >>You mean that the windows client simply sends AS-REQ and
    >>TGS-REQ to MIT KDC just to verify the password ? And in
    >>this case the TGT and ticket that it has retained
    >>previously aren't destroyed ? I did notice that the TGT is
    >>renewed. So, I can set the registry not to renew the TGT ?
    >>
    >>Thank you for your reply !
    >>
    >>
    >>>-----Original Message-----
    >>>Most likely the machine is simply doing a live verify of
    >>
    >>the password, it isn't
    >>
    >>>querying the KDC to get a new TGT for use by the machine,
    >>
    >>just making sure the
    >>
    >>>person typing the password to unlock the machine is valid
    >>
    >>and nothing has
    >>
    >>>happened to that ID in the meanwhile since it was locked.
    >>
    >>This happens against
    >>
    >>>Windows Domains as well. I believe there is a registry
    >>
    >>change that can be made
    >>
    >>>that will tell the client to instead use cached info.
    >>>
    >>>--
    >>>Joe Richards Microsoft MVP Windows Server Directory Services
    >>>www.joeware.net
    >>>
    >>>
    >>>
    >>>christy wrote:
    >>>
    >>>>Hello,
    >>>>
    >>>>I have a win2k machine which is a member of MIT Realm.
    >>>>A user who has an account in the MIT Realm logs on
    >>>>using the win2k machine.
    >>>>
    >>>>Using klist, I can see there are two tickets:
    >>>>- 1 TGT, with the MIT KDC
    >>>>- 1 session ticket with the win2k machine
    >>>>
    >>>>What will happen when the user locks the machine ?
    >>>>Will he lose the tickets ?
    >>>>
    >>>>Based on my experiment, when the user locks the
    >>>>machine, and then unlocks it, AS-REQ and TGS-REQ are
    >>>>reinitiated (recorded in the log file of KDC).
    >>>>Logically, this means that klist will show new TGT and
    >>>>new session ticket.
    >>>>
    >>>>However, my observation shows that the session ticket
    >>>>with the win2k machine is the initial ticket (before
    >>>>locking the machine) !! The TGT is a new one. If the
    >>>>TGS-REQ is negotiated with the KDC, what happens with
    >>>>the new session ticket ? why can't I see it with klist
    >>>>?
    >>>>
    >>>>Another doubt is about the logon process in windows
    >>>>machine. Does the user negotiate a KDC_AP_REQ with the
    >>>>windows machine upon AS-REQ and TGS-REQ with the KDC ?
    >>>>From the windows 2000 white paper, it seems that only
    >>>>AS-REQ and TGS-REQ are required for a user to logs in
    >>>>into the windows machine...
    >>>>
    >>>>Hope somebody can help me to clear my doubts
    >>>
    >>>.
    >>>
    >>
    >>.
    >>
Ask a new question

Read More

Security Microsoft Windows