[37219] in Kerberos


KRB_AP_ERR_TKT_EXPIRED during last 120 seconds of ticket lifetime

daemon@ATHENA.MIT.EDU (Robbert Eggermont)
Sat Sep 5 05:09:52 2015

To: kerberos@mit.edu
From: Robbert Eggermont <R.Eggermont@tudelft.nl>
Message-ID: <55EAB150.3030906@tudelft.nl>
Date: Sat, 5 Sep 2015 11:09:36 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi all,

After we updated to Windows 2012R2, we noticed that the KDC already 
returns KRB_AP_ERR_TKT_EXPIRED during the last 120 seconds of ticket 
lifetime, which can cause problems with authentication and ticket renewal.

Before, tickets were accepted right up to the end of the ticket 
lifetime. This seems to be the intended behavior according to the Kerberos 5 
specification (RFC 1510): "if the current [local server] time is later 
than end time by more than the allowable clock skew, the 
KRB_AP_ERR_TKT_EXPIRED error is returned."

We contacted Microsoft about this behavior, since KB2877460 
(https://support.microsoft.com/en-us/kb/2877460) seems to acknowledge 
that returning KRB_AP_ERR_TKT_EXPIRED early can cause issues, and that 
a hotfix was released to fix this. Unfortunately, according to 
Microsoft, Windows 2012R2 already includes this fix.

I was wondering if anybody has an idea why the Windows 2012R2 KDC would 
want to return KRB_AP_ERR_TKT_EXPIRED before the actual end time, and 
whether this behavior is correct or not?

-- 
Robbert Eggermont                                  Intelligent Systems
R.Eggermont@tudelft.nl         Electr.Eng., Mathematics & Comp.Science
+31 15 27 83234                         Delft University of Technology
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
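To make the discrepancy concrete, the following added example (not part of the original post or of any KDC's code) places the RFC 1510 expiry rule quoted above next to the early-rejection window the post reports, and evaluates both at several server times relative to the ticket end time. The 5-minute allowable clock skew and the exact boundary of the 120-second window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: models the RFC 1510 expiry check versus the
# early rejection reported for the Windows 2012R2 KDC in the post.
ALLOWABLE_CLOCK_SKEW = timedelta(minutes=5)     # assumed: common Kerberos default
OBSERVED_EARLY_WINDOW = timedelta(seconds=120)  # "last 120 seconds" from the post

# Constructed ticket end time used for all checks below.
TICKET_ENDTIME = datetime(2015, 9, 5, 12, 0, tzinfo=timezone.utc)


def rfc1510_tkt_check(now, endtime, skew=ALLOWABLE_CLOCK_SKEW):
    """RFC 1510 rule: expired only if 'now' is later than endtime by more than skew."""
    if now > endtime + skew:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def early_reject_tkt_check(now, endtime, early=OBSERVED_EARLY_WINDOW):
    """Reported behavior: expired once 'now' is inside the last 120 s of lifetime.

    Exact boundary handling is an assumption; the post only says 'during the
    last 120 seconds'.
    """
    if now > endtime - early:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def check_at_offset(offset_seconds, endtime=TICKET_ENDTIME):
    """Return (spec_result, observed_result) for a server time offset_seconds
    relative to the ticket end time (negative = before expiry)."""
    now = endtime + timedelta(seconds=offset_seconds)
    return rfc1510_tkt_check(now, endtime), early_reject_tkt_check(now, endtime)


if __name__ == "__main__":
    # The -60 s and 0 s rows show the window where a renewal or AP exchange
    # that the spec still permits is already refused by the observed KDC.
    for offset in (-300, -121, -60, 0, 60, 300, 301):
        spec, observed = check_at_offset(offset)
        print(f"{offset:+5d}s from endtime: spec={spec:24s} observed={observed}")
```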
