Allen, Thanks for you response. 1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1 hour). But, its not consistant. 2. If I leave my desktop idle for 10 mins, out corporate policy locks the desktop, but it doesn't create a new ticket when I unlock it. Not sure if that's controlled by GPO. 3. For sure it creates a new TGT or renews the TGT when I manually lock and unlock.
Next time when this happens I will run the klist and check the ticket EndTime. I was able to confirmed that, if the server is IIS it switch to NTLM on this scenario, where as mod_auth_kerb doesn't support NTLM. Actually we are seeing the same sympotms as mentioned in the KB article. http://support.microsoft.com/kb/885887 But the DLL version I have here is 5.1.2600.2698. Which is higher than whats mentioned on the article. --Sriram -----Original Message----- From: Michael B Allen [mailto:[EMAIL PROTECTED] Sent: Monday, April 16, 2007 4:56 PM To: Gopalan, Sriram Cc: kerberos@mit.edu Subject: Re: Mod_auth_kerb and Windows XP SP2 > > On the kerbtray I can see a valid ticket (non-expired). > > If the user locks the desktop(ctrl-alt-del) and unlocks it its > > starts working fine again. The TGT is expiring. TGT tickets have a "cumulative ticket life" that is limited by ticket renewal policy. When it expires the secret key is required to get a new one (e.g. the password via ctrl-alt-del). Look at the Renew Until field in kerbtray. Note that kerbtray does not update automatically. You must close it and relaunch it for it to update the information. I think you'll find that the Renew Until time is about 2 days. By default Windows will lock the desktop after a short time of inactivity so you're seeing this problem because you have somehow bypassed that policy. Or you have been working for two days straight in which case you have bigger problems than Kerberos ticket renewal policies - you need a new employer ;-) Mike -- Michael B Allen PHP Active Directory Kerberos SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
