What happens to TGT and tickets when user locks the Windows machine

Lara Adianto m1r4cle_26 at yahoo.com
Sun Jul 4 22:57:55 EDT 2004

Thank you for the replies guys !

So in summary, Windows will validate the password
entered by the user against the hash password, and
only if this is not successful then it will send


Both ways (validation against the hash password and
validation with the KDC) are done at the same time?

I still don't understand why the TGT in my Windows
machine is replaced with a new one from AS-REP while
the session ticket is not replaced...

--- "Richard B. Ward" <richardw at windows.microsoft.com>
> Once you log on to a Windows box, the TGTs are cached, in memory, in the
> context of the LSASS process.  The tickets are nominally available for
> use by any process running as you, tracked by the logon session.  They
> are not tossed until you logoff; they are replaced as required by the
> lifespan and other considerations.  Service tickets are cached likewise,
> although they can be tossed more aggressively.
>
> When you lock the windowstation and attempt an unlock, two separate
> paths can take place.  First, the common case, we validate your password
> against an in-memory hash of your logon password.  If that succeeds,
> then we let the user back into the system, but in the background, we do
> a real logon against the KDC for the user.  This lets us get a valid
> audit that the unlock took place.  If the password doesn't work against
> the in-memory hash, then we try a logon against the KDC with the new
> password.  If that works, then the user has changed the password from a
> different machine, and we do our best to adapt.
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Jeffrey Altman
> Sent: Friday, July 02, 2004 10:58 AM
> To: kerberos at MIT.EDU
> Subject: Re: What happens to TGT and tickets when user locks the Windows machine
> Nothing should happen to the tickets.
>
> When the user logs back in, Windows should re-authenticate the user to
> the KDC and therefore will obtain a new TGT and a host ticket for the
> local machine.
> Lara Adianto wrote:
> > Hello,
> >
> > I have a win2k machine which is a member of the MIT Realm.
> > A user who has an account in the MIT Realm logs on using the win2k
> > machine.
> >
> > Using klist, I can see there are two tickets:
> > - 1 TGT, with the MIT KDC
> > - 1 session ticket with the win2k machine
> >
> > What will happen when the user locks the machine?
> > Will he lose the tickets?
> >
> > Based on my experiment, when the user locks the machine, and then
> > unlocks it, AS-REQ and TGS-REQ are reinitiated (recorded in the log
> > file of the KDC).
> > Logically, this means that klist will show a new TGT and a new session
> > ticket.
> >
> > However, my observation shows that the session ticket with the win2k
> > machine is the initial ticket (before locking the machine)!! The TGT
> > is a new one. If the TGS-REQ is negotiated with the KDC, what happens
> > with the new session ticket? Why can't I see it with klist?
> >
> > Another doubt is about the logon process in the Windows machine. Does the
> > user negotiate a KDC_AP_REQ with the Windows machine upon AS-REQ and
> > TGS-REQ with the KDC?
> > From the Windows 2000 white paper, it seems that only
> > AS-REQ and TGS-REQ are required for a user to log in to the Windows
> > machine...
> >
> > Hope somebody can help me to clear my doubts, lara
> > =====
> > -------------- Life, you see, is never as good nor as bad as one believes
> >
> > - Guy de Maupassant -
> > --------------
> > 
> ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman-mit-edu.ezproxyberklee.flo.org/mailman/listinfo/kerberos
> > 
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu

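Added example, not part of the thread: a small Python model of the two unlock paths Richard describes, together with the cache effect Lara observed (a new TGT after unlock, the original service ticket still listed). The KDC, the in-memory logon hash and the ticket cache are simulated stand-ins; the rule that an existing service ticket is kept rather than overwritten is an assumption that reproduces the klist observation, not documented Windows behaviour.

```python
import hashlib
from dataclasses import dataclass, field

def logon_hash(password: str) -> str:
    # Stand-in for the in-memory logon hash (SHA-256 here, not the real NT hash).
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

@dataclass
class SimKDC:
    """Simulated KDC: one principal's current password plus a request log."""
    password: str
    log: list = field(default_factory=list)
    issued: int = 0

    def as_exchange(self, user, password):
        self.log.append(f"AS-REQ {user}")
        if password != self.password:
            return None  # pre-authentication failure: no TGT issued
        self.issued += 1
        return f"TGT#{self.issued}"

    def tgs_exchange(self, tgt, service):
        self.log.append(f"TGS-REQ {service}")
        self.issued += 1
        return f"{service}#{self.issued}"

@dataclass
class LogonSession:
    """Per-logon-session state LSASS keeps: cached logon hash and tickets."""
    user: str
    kdc: SimKDC
    password_hash: str
    tickets: dict = field(default_factory=dict)

    def kdc_logon(self, password):
        tgt = self.kdc.as_exchange(self.user, password)
        if tgt is None:
            return False
        self.tickets["krbtgt"] = tgt  # a fresh TGT replaces the cached one
        host = self.kdc.tgs_exchange(tgt, "host/win2k")
        # Assumption modelling Lara's klist observation: an existing service
        # ticket for the same service is kept rather than overwritten.
        self.tickets.setdefault("host/win2k", host)
        return True

    def unlock(self, password):
        if logon_hash(password) == self.password_hash:
            self.kdc_logon(password)  # background KDC logon, mainly for the audit record
            return "unlocked-local"
        if self.kdc_logon(password):  # hash mismatch: maybe changed elsewhere, ask the KDC
            self.password_hash = logon_hash(password)  # adapt to the new password
            return "unlocked-kdc"
        return "denied"
```

Every unlock, even on the local-hash path, produces an AS-REQ at the KDC, which is why the KDC log records a new exchange on each unlock.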
