[16539] in Kerberos_V5_Development
Re: Issues with Active Directory <-> MIT x-realm key replacement
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Dec 9 01:15:54 2010
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: krbdev@MIT.EDU
Message-ID: <4D0073FE.3070202@secure-endpoints.com>
Date: Thu, 09 Dec 2010 01:15:26 -0500
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: srinivas.cheruku@gmail.com
In-Reply-To: <4d005a53.d17a0e0a.5100.3091@mx.google.com>
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
Reply-To: jaltman@secure-endpoints.com
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
On 12/8/2010 11:25 PM, Srinivas Cheruku wrote:
> What about the case when an MIT client is trying to access AD services after the cross-realm keys are changed? E.g. the MIT client would have a service ticket for krbtgt/AD@MIT encrypted with the older key, and when this ticket is presented to AD, AD will not be able to decrypt it, as I believe AD doesn't store old cross-realm passwords. Do you have any way to mitigate this, other than MIT users destroying the cache or waiting for the cross-realm ticket to expire?
>
> Thanks,
> Srini
Since we can't modify Active Directory all that can be done is to reduce
the maximum lifetime of the krbtgt/AD@MIT service principal from its
normal production value (10 hours default) to ten minutes over the
preceding maximum lifetime. This ensures that the outage window will
not exceed ten minutes.
After the key replacement is complete the maximum lifetime can be
restored to its normal production value.
Jeffrey Altman
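The procedure in the reply above, as an added example that is not part of the original message or of MIT Kerberos: a small Python model of the cross-realm key change, with AD modelled on Srini's premise that only the current cross-realm key is kept. It shows why the lifetime cut has to be in place for at least one full old maximum lifetime before the key is changed: tickets issued before the cut still carry the old 10 hour lifetime, so rotating early leaves an outage far longer than ten minutes, while rotating after the old lifetime has elapsed bounds the outage to the shortened lifetime. The KDC classes, the client arrival pattern and all time values are constructed for the illustration; on a real MIT KDC the lifetime change corresponds to `modprinc -maxlife` in kadmin, and the key change to changing the krbtgt/AD@MIT key on both sides.

```python
"""Model of a cross-realm krbtgt/AD@MIT key change when the far side keeps
only the current key, to show how shortening the ticket lifetime bounds the
outage.  Constructed example; nothing here talks to a real KDC."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ticket:
    issued: int    # seconds on the simulation clock
    expires: int
    kvno: int      # version of the krbtgt/AD@MIT key it is encrypted under


class MitKdc:
    """The MIT side: issues krbtgt/AD@MIT tickets capped at max_life."""

    def __init__(self, max_life: int):
        self.max_life = max_life
        self.kvno = 1

    def set_max_life(self, seconds: int) -> None:
        # Real-world equivalent (assumed): 'modprinc -maxlife ... krbtgt/AD@MIT'.
        self.max_life = seconds

    def issue(self, now: int, requested: int) -> Ticket:
        return Ticket(now, now + min(requested, self.max_life), self.kvno)

    def change_key(self) -> None:
        self.kvno += 1


class AdKdc:
    """The AD side, modelled per the question's premise: only the current
    cross-realm key is kept, so tickets under an older kvno are rejected."""

    def __init__(self):
        self.kvno = 1

    def change_key(self) -> None:
        self.kvno += 1

    def accepts(self, t: Ticket, now: int) -> bool:
        return t.kvno == self.kvno and now < t.expires


def worst_outage(rotate_at: int, shorten_at: Optional[int],
                 long_life: int = 36000, short_life: int = 600,
                 step: int = 60) -> int:
    """Seconds the unluckiest client is locked out of AD after the rotation.

    A new client obtains a krbtgt/AD@MIT ticket every `step` seconds, asks
    for the full long lifetime, and keeps using that ticket until it expires.
    If `shorten_at` is given, the MIT max life is cut to `short_life` from
    that time on; both sides change the key at `rotate_at`.
    """
    mit, ad = MitKdc(long_life), AdKdc()
    held: List[Ticket] = []
    for now in range(0, rotate_at + 1, step):
        if shorten_at is not None and now >= shorten_at:
            mit.set_max_life(short_life)
        held.append(mit.issue(now, requested=long_life))
    mit.change_key()
    ad.change_key()
    # Every unexpired ticket under the old kvno is rejected until it expires;
    # the outage for that client is the time left on the ticket.
    return max((t.expires - rotate_at for t in held
                if t.expires > rotate_at and not ad.accepts(t, rotate_at)),
               default=0)


if __name__ == "__main__":
    LONG, SHORT = 36000, 600   # 10 hours, 10 minutes (constructed values)
    print("rotate with the 10h lifetime still in force:",
          worst_outage(rotate_at=LONG, shorten_at=None))
    print("cut to 10min, then rotate before 10h have passed:",
          worst_outage(rotate_at=LONG + 14000, shorten_at=LONG))
    print("cut to 10min, rotate after a full 10h has passed:",
          worst_outage(rotate_at=2 * LONG, shorten_at=LONG))
```

The middle case is the mistake to avoid: the lifetime was already ten minutes when the key changed, yet clients that got their ticket before the cut are locked out for hours. Only the third schedule gives the ten minute bound the reply describes, and only while AD keeps a single key; the model does not cover renewable tickets or ticket caches that clients refresh early.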
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev