Re: Kerberos Tickets Renewal




On Mar 22, 7:21 pm, Domon <Domon.3ph...@xxxxxxxxxxxxx> wrote:
Hi Meinolf

I see. As the service is not restarted, it will still use the old
password "PasswordA". When the tickets are to be renewed, it will use
the old password. This will result in a bad password error as the new
password "PasswordB" is set in the Active Directory. Thus, the tickets
will not be renewed and the service will not be able to work. Do
I have the correct concept? Please correct me if I'm wrong.

Thanks

--
Domon
------------------------------------------------------------------------
Domon's Profile: http://forums.techarena.in/members/48096.htm
View this thread: http://forums.techarena.in/active-directory/1143846.htm

http://forums.techarena.in

The docs cover this pretty well:

TGT Renewal with Windows XP and Windows 2000 with SP2 or Later
The TGT has a default lifetime of ten hours, but can be renewed for
up to seven days (by default). The renewal does not require
credentials. The renewal will only occur if the TGT is used within
five minutes of its expiration. Otherwise, the TGT will expire and
must be refreshed (which requires credentials).

TGT Renewal with Windows Server 2003
The TGT has a default lifetime of ten hours, but can be renewed for
up to seven days (by default). The renewal does not require
credentials. The renewal occurs through the use of a scavenger thread
on the machine. If for some reason the TGT was not able to be renewed
it will expire and must be refreshed (which requires credentials).

In Windows XP and Windows 2000 with SP2 or later, TGT renewal is
triggered when the TGT is used within 5 minutes of its expiration.

In Windows Server 2003, periodically the system will automatically
renew expiring TGTs.

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/kerberos.mspx

So, as long as the TGT can be renewed, it will use the previous TGT
which means that it won't use the password. After you change the
service account password, it could therefore still work for up to
seven days using the old TGT. The new password would be used as soon
as a new TGT is requested (refresh).

HTH,
Dave
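To make Dave's point concrete, here is an added toy model (not code from this thread or from Microsoft) of a service that cached "PasswordA" at start-up and is never restarted while the account password in AD is changed to "PasswordB": renewal of a still-valid TGT needs no credentials, a refresh (new AS exchange) needs the current AD password. The "scavenger" (Server 2003 style) and "on-use" (XP/2000 style) policies, the minute-granularity clock and the use interval are modelling assumptions; the 10-hour lifetime, 7-day renewal limit and 5-minute window come from the quoted docs.

```python
from dataclasses import dataclass

HOUR = 60                      # time unit is minutes
TGT_LIFETIME = 10 * HOUR       # default TGT lifetime, per the quoted docs
RENEW_TILL = 7 * 24 * HOUR     # default renewal limit, per the quoted docs
NEAR_EXPIRY = 5                # XP/2000: renew only if the TGT is used within 5 min of expiry

@dataclass
class TGT:
    end: int          # minute at which this ticket expires
    renew_till: int   # absolute deadline beyond which the KDC refuses renewal

def as_exchange(now, offered_pw, ad_pw):
    """Refresh: a fresh AS exchange, which needs the password currently in AD."""
    if offered_pw != ad_pw:
        raise PermissionError("KDC_ERR_PREAUTH_FAILED (bad password)")
    return TGT(end=now + TGT_LIFETIME, renew_till=now + RENEW_TILL)

def renew(tgt, now):
    """Renewal: no credentials, allowed only while unexpired and before renew-till."""
    if now >= tgt.end or now >= tgt.renew_till:
        return None
    return TGT(end=min(now + TGT_LIFETIME, tgt.renew_till), renew_till=tgt.renew_till)

def minutes_until_failure(policy, use_interval, pw_change_at=HOUR):
    """Service caches 'PasswordA' at start and is never restarted; the AD password
    becomes 'PasswordB' at minute pw_change_at (None = never changed).
    policy: 'scavenger' (Server 2003 style, renews expiring TGTs on its own) or
    'on-use' (XP/2000 style, renews only when the TGT is used near expiry).
    Returns the minute of the first authentication failure, or None (constructed model)."""
    cached_pw = ad_pw = "PasswordA"
    tgt = as_exchange(0, cached_pw, ad_pw)
    for now in range(1, RENEW_TILL + TGT_LIFETIME + 1):
        if now == pw_change_at:
            ad_pw = "PasswordB"                 # admin resets the account password
        in_use = now % use_interval == 0
        near_expiry = tgt.end - now <= NEAR_EXPIRY
        if near_expiry and (policy == "scavenger" or in_use):
            tgt = renew(tgt, now) or tgt        # renewal never touches the password
        if in_use and now >= tgt.end:           # expired TGT: must refresh with cached password
            try:
                tgt = as_exchange(now, cached_pw, ad_pw)
            except PermissionError:
                return now
    return None
```

With hourly use, the scavenger-style service keeps working until the 7-day renewal limit, while the on-use style fails at the first 10-hour expiry because no use fell inside the 5-minute window; a service that uses its TGT every minute renews just like the scavenger does.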


