I was too lazy to tell the long story that made me speculate about TGTs,
so I'll try to explain the reason for asking:

We have 2 W2K3 forests with Kerberos transitive trust.

Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com

Second forest (ad.division.company.com) has no children.
We have users migrating from NT domains to one of the corp AD child
domains (emea\amer\ap).

After the migration, when users log on to XP computers in
ad.division.company.com domain with EMEA\username cached credentials and
then reconnect to the network, sometimes (after they work for a while)
they get a popup in system tray saying something like "XP needs your
credentials".

Usually this would be caused by changing the user password from another
machine or account lockout replicated from another DC, but in our case
this is the only machine the user logs on to and there are no account
lockouts.
When the same user logs on with UPN ([EMAIL PROTECTED]), we have
not yet seen this repeat itself.
So I was wondering whether UPN logons enable caching of TGTs and
sAMAccountName logons are different in some way from UPN logons.

Hope I managed to be clear enough ;)

Cheers,
Guy


> I don't know if the Kerberos ticket is cached or not.  (I suspect not.)
> When a machine reconnects to the network and you attempt to access a
> network resource, the resource will ask for your ticket.  If you don't
> have one, or if it is out of date, the client will request a new
> Kerberos ticket and then be authenticated to the resource.
> 
> Denny
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the
> > replication from that DC stops till the security log is cleared and the
> > box is rebooted.
> > The interesting thing is that after the security logs become full (while
> > the box is online) the replication continues to work till the box is
> > rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a routine
> > which takes care of security logs archiving, but it failed on one of the
> > DCs and I would like to prevent the replication from breaking again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos ticket
> > cached too ? And if yes, what happens when the ticket expires and the
> > box is reconnected to the network: will it seamlessly try to renew the
> > ticket ?
> > 
> > Thanks,
> > Guy
> > 
> > -- 
> > Smith & Wesson - the original point and click interface
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
-- 
Smith & Wesson - the original point and click interface
