On 05/12/2016 09:48 AM, Todd Grayson wrote:
> When a service re-authenticates to the KDC, effectively getting a new TGT,
> are the service tickets related to the previous instance of the TGT for that
> service no longer valid?

No and yes. From a protocol perspective, service tickets remain valid until they expire, regardless of what TGTs have been obtained since they were issued.

From an implementation perspective (at least in MIT krb5 and Heimdal), tickets are usually stored in a credential cache. If the TGT is replaced or renewed, the credential cache is restarted from scratch, discarding any pre-existing service tickets. There is no difference between re-authentication and renewal in this respect.