Kerberos cached ticket on windows machine not regenerated after user unlock

不打扰是莪最后的温柔 submitted on 2019-12-20 07:58:47

Question


I have Java server and client applications. These applications run on Windows machines. The client logs in to the server using Kerberos authentication. It's implemented using jgssapi.

At first the client retrieves the stored cached TGT from the system to generate a token from the KDC. The problem is that after locking the user session in Windows (lock screen or changing the user) there are no cached TGT tickets in the system (checked with C:\Windows\System32\klist.exe). And as I understand it, I can only get them by logging the user off and on again on the computer.

This problem happened to me on customer machines. After locking, the list of cached tickets is empty.

It's not reproduced at my office (clients with Windows 7, Active Directory server on Windows Server 2008). After locking I always have NEW REGENERATED cached TGT tickets on the machine (not the ones from before locking; they were generated again after unlocking). There's no special GPO set for this behavior (see the question about using cached tickets from a previous user session, "Kerboros cached ticket deleted after using Windows lock screen").

So I don't understand why the system does not regenerate the cached TGT after unlocking. How can I make it do so?

I found a similar question here: https://social.technet.microsoft.com/Forums/ie/en-US/be5ebc3b-d915-4acb-a9ae-67c61ee03b97/service-tickets-kerberos-purged-on-ctrlaltdel?forum=winserverDS&prof=required One of the answers is "First of all have a look at what you have with klist and then lock and unlock your screen. If you have a connection to the DC you will get a service ticket to your local host and the KDC and the TGT, if you don't have a connection you will have nothing."

The connection to AD is successful. I can ping it. I can get information by connecting with AD Explorer. Or is the connection to the DC not the same thing?

Thanks.


Answer 1:


JGSS and SSPI don't play well together. You either use JGSS only or start using SSPI via JNA.
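
For diagnosing the empty cache described in the question, the client can log what `klist.exe` reports for its own logon session before it attempts the JGSS login. The following is an added example, not code from the original post: the class `TicketCacheCheck` and its methods are hypothetical, the sample `klist` output is constructed, and it assumes Java 9+ and the English `klist` output format.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not from the original post): inspects klist.exe output
// so a JGSS client can log the state of its logon session's ticket cache.
public class TicketCacheCheck {
    private static final Pattern COUNT = Pattern.compile("Cached Tickets:\\s*\\((\\d+)\\)");
    private static final Pattern SERVER = Pattern.compile("(?m)^\\s*Server:\\s*(\\S+)\\s*@\\s*(\\S+)");

    /** Service principals (name@REALM) listed in the klist output. */
    static List<String> servers(String klistOutput) {
        List<String> out = new ArrayList<>();
        Matcher m = SERVER.matcher(klistOutput);
        while (m.find()) out.add(m.group(1) + "@" + m.group(2));
        return out;
    }

    /** True when at least one krbtgt/REALM ticket (a TGT) is cached. */
    static boolean hasTgt(String klistOutput) {
        return servers(klistOutput).stream().anyMatch(s -> s.toLowerCase().startsWith("krbtgt/"));
    }

    /** Ticket count from the header line, or -1 if the header is missing. */
    static int ticketCount(String klistOutput) {
        Matcher m = COUNT.matcher(klistOutput);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Runs klist.exe in the current logon session (Windows only). */
    static String runKlist() throws IOException, InterruptedException {
        Process p = new ProcessBuilder("C:\\Windows\\System32\\klist.exe").redirectErrorStream(true).start();
        String text = new String(p.getInputStream().readAllBytes());
        p.waitFor();
        return text;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample output: a populated cache and the empty cache seen after unlock.
        String populated = "Current LogonId is 0:0x5a3c1\n\nCached Tickets: (1)\n\n"
            + "#0>\tClient: alice @ EXAMPLE.COM\n\tServer: krbtgt/EXAMPLE.COM @ EXAMPLE.COM\n";
        String empty = "Current LogonId is 0:0x5a3c1\n\nCached Tickets: (0)\n";
        List<String> inputs = new ArrayList<>(List.of(populated, empty));
        if (args.length > 0 && args[0].equals("--live")) inputs.add(runKlist());
        for (String s : inputs)
            System.out.println("tickets=" + ticketCount(s) + " tgt=" + hasTgt(s) + " servers=" + servers(s));
    }
}
```

Run with `--live` on the affected machine, from the same logon session as the client, to log the real cache state before and after unlocking.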



Source: https://stackoverflow.com/questions/51203494/kerberos-cached-ticket-on-windows-machine-not-regenerated-after-user-unlock
