I know... should be renewed after 10 hours if I remember correctly.
It is a remote site I'll be visiting next week and will give a good look
at the logs when it happens.
When I actually think of it, logging in with cached creds does not use
the Kerberos provider, so the user should not have any tickets.

Any idea if sidHistory is also obtained from the ticket's PAC the same
way as the SIDs of the security groups the user is a member of?

+Guy
 

On Tue, 2004-08-24 at 00:03, Mulnick, Al wrote:
> Kerb tickets have a lifetime, but not sure that's your issue necessarily.
> How's your name resolution working?  Anything in the event logs when this
> occurs?  Especially the security logs on the clients/dc's/resources being
> accessed?
> 
> 
> Al 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 4:48 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> 
> I was too lazy to tell the long story that made me speculate about TGTs, so
> I'll try to explain the reason for asking:
> 
> We have 2 W2K3 forests with Kerberos transitive trust.
> 
> Forest corp.com has 3 child domains respectively:
> emea.company.com
> amer.company.com
> ap.company.com
> 
> Second forest (ad.division.company.com) has no children.
> We have users migrating from NT domains to one of the corp AD child domains
> (emea\amer\ap).
> 
> After the migration, when users logon to XP computers in
> ad.division.company.com domain with EMEA\username cached credentials and
> then reconnect to the network, sometimes (after they work for a while) they
> get a popup in system tray saying something like "XP needs your
> credentials". 
> 
> Usually this would be caused by changing the user password from another
> machine or account lockout replicated from another DC, but in our case this
> is the only machine the user logs on to and there are no account lockouts.
> When the same user logs on with UPN ([EMAIL PROTECTED]), we have not
> yet seen this to repeat itself.
> So I was wondering whether UPN logons enable caching of TGTs and
> sAMAccountName logons are different in some way from UPN logons.
> 
> Hope I managed to be clear enough ;)
> 
> Cheers,
> Guy
> 
> 
> > I don't know if the kerberos ticket is cached or not.  (I suspect 
> > not.) When a machine reconnects to the network and you attempt to 
> > access a network resource, the resource will ask for your ticket.  If 
> > you don't have one, or if it is out of date, the client will request a 
> > new kerberos ticket and then be authenticated to the resource.
> > 
> > Denny
> >  
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > > Teverovsky
> > > Sent: Friday, August 20, 2004 8:48 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] By design or configurable ?
> > > 
> > > 
> > > In my environment, when W2K3 DC boots with security logs full, the 
> > > replication from that DC stops till the security log is cleared and 
> > > the box is rebooted.
> > > The interesting thing is that after the security logs become full 
> > > (while the box is online) the replication continues to work till the 
> > > box is rebooted with full log.
> > > 
> > > So the question is whether this can be prevented (we do have a 
> > > routine which takes care of security logs archiving, but it failed 
> > > on one of the DCs and I would like to prevent the replication from 
> > > breaking again).
> > > 
> > > And another OT question:
> > > When logging on to XP with cached credentials, is the Kerberos 
> > > ticket cached too? And if yes, what happens when the ticket expires 
> > > and the box is reconnected to the network: will it seamlessly try to 
> > > renew the ticket?
> > > 
> > > Thanks,
> > > Guy
> > > 
> > > --
> > > Smith & Wesson - the original point and click interface
> > > 
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > List archive: 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > 
> --
> Smith & Wesson - the original point and click interface
> 
-- 
Smith & Wesson - the original point and click interface

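The ticket-lifetime question raised in the thread (is a TGT cached on a cached-credential logon, and what happens when it expires after the box is reconnected?) can be checked on the client with `klist`. The following is an added example, not code from the thread or from any list member: a small Python parser over constructed `klist` output (the modern Windows format, not the 2004 resource-kit tool) that classifies a cached TGT as still valid, silently renewable, or stale. The 10-hour default lifetime, the sample principal names and all timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

DEFAULT_TGT_LIFETIME = timedelta(hours=10)  # AD default, the "10 hours" recalled in the thread
TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample of Windows `klist` output (not from the thread): one cached TGT.
SAMPLE_KLIST = """\
Cached Tickets: (1)

#0>     Client: jdoe @ EMEA.COMPANY.COM
        Server: krbtgt/EMEA.COMPANY.COM @ EMEA.COMPANY.COM
        Start Time: 8/23/2004 16:48:00 (local)
        End Time:   8/24/2004 2:48:00 (local)
        Renew Time: 8/30/2004 16:48:00 (local)
"""
# Constructed sample after a cached-credential logon: no KDC was contacted, so no tickets.
SAMPLE_OFFLINE_LOGON = "Cached Tickets: (0)\n"

FIELD_RE = re.compile(
    r"^\s*(Client|Server|Start Time|End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?\s*$", re.M)

def parse_time(s):
    return datetime.strptime(s, TIME_FMT)

def parse_klist(text):
    """Return one dict per '#n>' ticket block, with the three times parsed to datetime."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(FIELD_RE.findall(block))
        start, end = parse_time(f["Start Time"]), parse_time(f["End Time"])
        tickets.append({"server": f["Server"],
                        "is_tgt": f["Server"].startswith("krbtgt/"),
                        "start": start, "end": end, "lifetime": end - start,
                        "renew_until": parse_time(f["Renew Time"])})
    return tickets

def ticket_state(ticket, now):
    """valid: End Time still ahead; renewable: expired but inside the renew window, so the
    client renews silently on reconnect; stale: only a fresh logon (credentials) helps."""
    if now < ticket["end"]:
        return "valid"
    if now < ticket["renew_until"]:
        return "renewable"
    return "stale"

def tgt_state(text, now):
    """State of the cached TGT in a klist dump, or 'none' when the cache holds no TGT."""
    tgts = [t for t in parse_klist(text) if t["is_tgt"]]
    return ticket_state(tgts[0], now) if tgts else "none"
```

Run `klist` on an affected XP box right after the "needs your credentials" popup and feed the output to `tgt_state`: "none" matches the cached-credential case described above, "stale" means the renew window was exceeded before the box came back online.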
