
Fictive scenario: A user logs in and gets a Kerberos TGT with a default lifetime of 10 hours. After 5 hours the user gets disabled/locked on the directory controller. What happens then? Can the user, despite being disabled/locked, still access resources (because he has a valid ticket)? Or am I misunderstanding something?

murratore

1 Answer


No, he can't. He has to request a service ticket and the KDC will deny that. You can try that by providing a wrong password three times, or lock your workstation and try to unlock it. AD will lock your account and you won't be able to withdraw new service tickets. Happened to me today with a Spring webapp test setup.

Michael-O
  • So if my understanding is correct, every time the user wants to connect to a site, he also has to get an additional service ticket. Is this ticket per session or per call? Thanks. – murratore Feb 03 '12 at 13:10
  • This ticket is stored in a credentials cache until it expires. You don't need to re-request it. So per session. – Michael-O Feb 03 '12 at 13:34
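The timeline from the question, played through the behaviour the answer and comments describe, as an added example that is not part of the original post or written by its authors. It is a toy model, not a Kerberos implementation: the KDC re-checks the account on every AS-REQ and TGS-REQ it receives (the point of the answer), the application service validates a ticket only with its own key and never contacts the KDC (standard Kerberos per RFC 4120), and the client keeps a credentials cache and only goes back to the KDC when it has no valid ticket for the service (the point of the comment). The realm `EXAMPLE.COM`, the account `alice`, the service names and the 10 h lifetime are made-up values for the illustration.

```python
"""Toy model of TGT / service-ticket lifetime versus account state.
Added example; realm, account and service names are made up."""
from dataclasses import dataclass

HOUR = 3600
# Error codes from RFC 4120 section 7.5.9
KDC_ERR_CLIENT_REVOKED = 18   # client's credentials revoked (disabled/locked account)
KRB_AP_ERR_TKT_EXPIRED = 32   # ticket expired


class KerberosError(Exception):
    def __init__(self, code: int, msg: str):
        super().__init__(f"{msg} (error {code})")
        self.code = code


@dataclass
class Ticket:
    client: str
    service: str          # "krbtgt/REALM" for the TGT itself
    issued: int           # seconds
    expires: int

    def valid_at(self, now: int) -> bool:
        return self.issued <= now < self.expires


@dataclass
class Account:
    name: str
    disabled: bool = False
    locked: bool = False


class KDC:
    """Issues tickets. Account state is checked on every request the KDC sees;
    a ticket it issued earlier cannot be recalled."""

    def __init__(self, realm: str, accounts, lifetime: int = 10 * HOUR):
        self.realm = realm
        self.accounts = {a.name: a for a in accounts}
        self.lifetime = lifetime

    def _check_client(self, name: str) -> None:
        acct = self.accounts.get(name)
        if acct is None or acct.disabled or acct.locked:
            raise KerberosError(KDC_ERR_CLIENT_REVOKED, f"{name}: credentials revoked")

    def as_req(self, client: str, now: int) -> Ticket:
        """AS exchange (logon); the password proof is omitted. Returns the TGT."""
        self._check_client(client)
        return Ticket(client, f"krbtgt/{self.realm}", now, now + self.lifetime)

    def tgs_req(self, tgt: Ticket, service: str, now: int) -> Ticket:
        """TGS exchange: a service ticket, issued only to a live account and
        never outliving the TGT it was requested with."""
        if not tgt.valid_at(now):
            raise KerberosError(KRB_AP_ERR_TKT_EXPIRED, "TGT expired")
        self._check_client(tgt.client)
        return Ticket(tgt.client, service, now, min(tgt.expires, now + self.lifetime))


class Service:
    """Application server: checks the ticket locally, never asks the KDC."""

    def __init__(self, name: str):
        self.name = name

    def accept(self, ticket: Ticket, now: int) -> bool:
        return ticket.service == self.name and ticket.valid_at(now)


class Client:
    """Credentials cache: TGT plus service tickets, reused until they expire."""

    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc, self.tgt, self.cache = name, kdc, None, {}

    def logon(self, now: int) -> None:
        self.tgt = self.kdc.as_req(self.name, now)
        self.cache.clear()

    def ticket_for(self, service: str, now: int) -> Ticket:
        t = self.cache.get(service)
        if t is None or not t.valid_at(now):        # only now talk to the KDC
            t = self.kdc.tgs_req(self.tgt, service, now)
            self.cache[service] = t
        return t

    def access(self, svc: Service, now: int) -> str:
        try:
            return "ok" if svc.accept(self.ticket_for(svc.name, now), now) else "rejected"
        except KerberosError as e:
            return f"denied:{e.code}"


def scenario() -> dict:
    """Question's timeline: 10 h TGT at t=0, account disabled after 5 h."""
    alice = Account("alice")
    kdc = KDC("EXAMPLE.COM", [alice])
    cifs = Service("cifs/fs1.example.com")
    http = Service("HTTP/web1.example.com")
    c = Client("alice", kdc)
    c.logon(0)
    out = {"cifs_4h": c.access(cifs, 4 * HOUR)}      # TGS-REQ, ticket cached
    alice.disabled = True                             # 5 h: disabled in the directory
    out["cifs_6h"] = c.access(cifs, 6 * HOUR)         # cached ticket, no KDC round trip
    out["http_6h"] = c.access(http, 6 * HOUR)         # new TGS-REQ: KDC refuses
    out["cifs_9h"] = c.access(cifs, 9 * HOUR)         # cached ticket still within lifetime
    out["cifs_10h"] = c.access(cifs, 10 * HOUR)       # cache and TGT expired: back to the KDC
    return out


if __name__ == "__main__":
    print(scenario())
```

Running it prints the outcomes per time step: `cifs_4h` and `cifs_6h` succeed, `http_6h` is refused with `KDC_ERR_CLIENT_REVOKED` (18), `cifs_9h` still succeeds from the cache, and `cifs_10h` fails with `KRB_AP_ERR_TKT_EXPIRED` (32). The practical caveat this makes visible: disabling the account only blocks what has to go back to the KDC, so tickets already sitting in the credentials cache keep working until they expire, and the ticket lifetime is the upper bound on how long a disabled account stays usable against a given service.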