
I am using Kerberos/SPNEGO authentication with Spring Security to authenticate users from Active Directory services; the client is Windows 7. I have a concern with the Kerberos ticket renewal process. I understand the ticket is valid for 10 hrs. What will happen when a user launches an application which uses a Kerberos ticket and the ticket present on his machine has expired? Will the browser automatically request a new ticket from the AD server, or will the authentication fail?

Michael-O
java1977

1 Answer


No, he won't be able to request a service ticket anyway. It is highly likely that Windows will prompt for your password again. You cannot request new service tickets with an expired TGT.

Michael-O
  • Thanks Michael, that's interesting. Another thing I noticed is that when you lock and unlock your client machine, all the Kerberos tickets get destroyed, and when the user sends a new request to the web server a ticket is reissued with 10 hrs validity. – java1977 Aug 08 '13 at 13:52
  • Yes, that is default behavior which is smart because you obviously will never run into an expired ticket. Unlock means a `kinit`. – Michael-O Aug 08 '13 at 14:11
  • Fantastic, you sound like a Guru in Kerberos authentication development :) – java1977 Aug 08 '13 at 14:35
  • Thanks, I have gained some experience in the last couple of years, especially with Java and Kerberos. I have written a SPNEGO component for Spring Security which is way better than the faulty default one. – Michael-O Aug 09 '13 at 06:10
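
As an added example (not part of the original thread or of either poster's code), this Python check reads Windows `klist` output, finds the TGT (`krbtgt/...`) and reports whether the client can still request new service tickets. The sample output, realm, host name and the en-US date format are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout printed by Windows `klist`; the realm, host
# and times are made up, and the date format assumes an en-US locale.
SAMPLE_KLIST = """\
Cached Tickets: (2)

#0>     Client: jdoe @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Start Time: 8/8/2013 8:00:00 (local)
        End Time:   8/8/2013 18:00:00 (local)
        Renew Time: 8/15/2013 8:00:00 (local)

#1>     Client: jdoe @ EXAMPLE.COM
        Server: HTTP/app.example.com @ EXAMPLE.COM
        Start Time: 8/8/2013 9:30:00 (local)
        End Time:   8/8/2013 18:00:00 (local)
        Renew Time: 8/15/2013 8:00:00 (local)
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_tickets(klist_output):
    """Return a list of (server_principal, end_time) for each cached ticket."""
    tickets = []
    # Each ticket entry starts with "#<index>>".
    for entry in re.split(r"^#\d+>", klist_output, flags=re.M)[1:]:
        server = re.search(r"Server:\s*(\S+)\s*@", entry)
        end = re.search(r"End Time:\s*(\S+ \S+)", entry)
        if server and end:
            tickets.append((server.group(1), datetime.strptime(end.group(1), TIME_FORMAT)))
    return tickets


def spnego_outlook(klist_output, now):
    """Report whether the TGT is still valid and which service tickets remain usable."""
    tickets = parse_tickets(klist_output)
    tgt_ends = [end for server, end in tickets if server.lower().startswith("krbtgt/")]
    usable = [server for server, end in tickets
              if not server.lower().startswith("krbtgt/") and end > now]
    return {
        # False means no new service tickets until the user logs on or unlocks again.
        "tgt_valid": any(end > now for end in tgt_ends),
        # Cached, unexpired service tickets a browser could still present.
        "usable_service_tickets": usable,
    }
```

In the sample, the service ticket's end time equals the TGT's end time, so both stop being usable at the same moment.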