Re: Looking for details on how machine password aging works.
From: Glenn LeCheminant (the.only_at_gmail.com)
Date: 10/16/04
- Next message: Andrei Ungureanu: "RE: FSMO Error"
- Previous message: Aftab Siddiqi: "Re: Point workstation to a particular DC"
- In reply to: Bill: "Looking for details on how machine password aging works."
- Next in thread: barabba: "Re: Looking for details on how machine password aging works."
- Reply: barabba: "Re: Looking for details on how machine password aging works."
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 16 Oct 2004 01:43:00 -0700
Bill,
Machine account passwords do not expire as user account passwords do.
Machines automatically update their passwords every 7 days, but this is not
required.
Domain controllers keep a history of one password. This provides for
replication latency.
You may be thinking of the secure channel that is established between client
and domain controller.
This channel provides RPC encryption as I understand it and is not a
Kerberos ticket. Unfortunately I was unable to find much documentation on
it, e.g. does it expire?
Now machine accounts can and do get Kerberos tickets to gain access to
network resources, e.g. applying group policies requires a ticket. These
tickets will automatically be renewed in the background. If it fails to
renew, that in and of itself will not prevent a user from using or renewing
her ticket.
Hope that was helpful. Wish I knew more on the secure channel stuff.
Glenn
"Bill" <bill@barfcoswill.com> wrote in message
news:eV9CEGysEHA.1276@TK2MSFTNGP12.phx.gbl...
> I'm hoping someone either knows, or can point me to a reference on this. I
> need to understand what happens in the scenario below.
>
> A user gets his Kerberos ticket and starts accessing files on a member
> server.
> That member server's machine account password expires.
> The member server initiates a password change with its DC.
> Before the password change gets propagated back to the KDC that the user got
> his user ticket from, the user makes another request to the server. At this
> point, his ticket will contain wrong information about that member server.
>
> In the case outlined, what will the user experience? Does he get a request
> to reauthenticate? If so, what does the client do to make sure the new
> connection succeeds?
>
> Does the member server go and get a fresh ticket from a different DC? If so,
> what is the mechanism to tell it to do so?
>
> Any insights thankfully accepted.
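The points raised in this exchange (how often a member rotates its machine account password, whether a DC has seen the new one yet, and the state of the Netlogon secure channel) can be checked from the member itself. The following PowerShell is an added example and is not code from the thread or from any of its participants. It assumes an elevated session on a domain-joined Windows host with the RSAT ActiveDirectory module installed; the registry path and value names are the real Netlogon settings behind the "Domain member: Maximum machine account password age" and "Domain member: Disable machine account password changes" security options (the built-in default for the age is 30 days; it was 7 on Windows NT 4.0). Rather than assuming a rotation interval, the script reads whatever this host is configured with.

```powershell
# Added example, not part of the original thread. Assumes an elevated PowerShell
# session on a domain-joined member with the ActiveDirectory (RSAT) module present.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$netlogon    = Get-ItemProperty -Path $netlogonKey

# MaximumPasswordAge (days) and DisablePasswordChange are the registry values behind
# the "Domain member: ..." security options. When a value is absent the built-in
# default applies: 30 days, with automatic password changes enabled.
$maxAgeDays     = if ($null -ne $netlogon.MaximumPasswordAge)   { [int]$netlogon.MaximumPasswordAge }    else { 30 }
$changeDisabled = if ($null -ne $netlogon.DisablePasswordChange) { [bool]$netlogon.DisablePasswordChange } else { $false }

Import-Module ActiveDirectory

# pwdLastSet on the computer object; Get-ADComputer surfaces it as PasswordLastSet.
# The value comes from whichever DC the cmdlet bound to, so right after a rotation a
# DC that has not replicated yet still reports the previous timestamp.
$me  = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$age = (Get-Date) - $me.PasswordLastSet

[pscustomobject]@{
    Computer             = $me.Name
    PasswordLastSet      = $me.PasswordLastSet
    PasswordAgeDays      = [math]::Round($age.TotalDays, 1)
    MaxAgeDays           = $maxAgeDays
    ChangeDisabled       = $changeDisabled
    DueForChange         = (-not $changeDisabled) -and ($age.TotalDays -ge $maxAgeDays)
    SecureChannelHealthy = Test-ComputerSecureChannel   # $true when the Netlogon channel to a DC works
}

# Replication-latency view (the situation in the original question): ask every DC in
# the domain for the same attribute and show which ones already hold the current value.
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
Get-ADDomainController -Filter * | ForEach-Object {
    $copy = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet -Server $_.HostName
    [pscustomobject]@{
        DC              = $_.HostName
        PasswordLastSet = $copy.PasswordLastSet
        Current         = ($copy.PasswordLastSet -eq $me.PasswordLastSet)
    }
} | Format-Table -AutoSize

# Which DC the Netlogon secure channel is currently set up with, and the machine's own
# Kerberos tickets: logon session 0x3e7 is SYSTEM, the context that fetches Group Policy.
nltest "/sc_query:$domain"
klist -li 0x3e7

# If the secure channel is broken (for instance a restored snapshot whose password the
# DCs no longer accept), it can be reset without leaving and rejoining the domain:
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

The per-DC table is the part that speaks to the original question: while `Current` is `$false` for some DC, a client that authenticates through that DC is working from the older password, and the member's retention of its previous password (the one-deep history mentioned in the reply) is what keeps tickets issued in that window usable until replication catches up.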