Are you talking about a login using the Windows GINA and typing in [EMAIL PROTECTED], which then uses the trust between MIT.REALM and ACTIVEDIRECTORY.REALM?

When I run that, I don't have the problem. I can lock my XP box fine, come back, and I still have my TGT for mit.realm and the cross-realm ticket for activedirectory.realm. Further requests for tickets work fine.

-dan

> -----Original Message-----
> From: Brian Davidson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 13, 2004 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: MIT/Win2k/XP Kerberos trust relationship bug?
>
> Hi,
>
> I saw this question in the archives (May 4, 2002), but with no
> responses. We're running into this issue, and I was wondering if there
> was any workaround [yet]?
>
> The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts
> the MIT KDC.
>
> The problem:
> 1. From an XP workstation which is a member of the AD, authenticate
>    against the MIT realm
> 2. Lock the workstation
> 3. Unlock the workstation
>
> At this point, you've lost virtually all of your tickets, and you can't
> access resources in the AD. I haven't found any patches, but maybe I
> don't know the secret code word to put into the Microsoft
> Knowledgebase, or Google.
>
> Based on packet traces, I'm convinced it's a Windows 2000/XP bug. It's
> the workstation which forgets its tickets, and then neglects to ask for
> new ones.
>
> If there isn't a fix available, I guess I'll write a GINA which acts as
> a pass-through to the default GINA for all GINA functions except for
> WlxWkstaLockedSAS(). I'm assuming it's dumping the tickets when
> WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
>
> Thanks for any help,
>
> Brian Davidson
> George Mason University
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
