1

According to this TechNet article https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ Machine Accounts (Computer Objects) reset internal passwords every 30 days.

Let's assume that this server is running IIS with Kerberos SSO, so it has the SPN HTTP/server.domain.com, and the client has a cached Kerberos ticket it is using to access resources on this server.

If the IIS server's machine account password resets every 30 days, would it invalidate the cached Kerberos ticket on the client and prevent access until the ticket expires or gets purged manually on the client using "klist purge"?

Is there a workaround for this? Can the IIS server force the client to renew its Kerberos ticket?

arainchi

2 Answers

2

The IIS server will fail to decrypt the ticket, which will generate an encoded response containing an error code indicating the key is wrong. This will indicate to the client that it needs to purge and retry.

There's rarely a situation where klist purge is actually necessary.

Steve
  • What kind of response indicates to the client that it's time to purge the old ticket and request a new one? The server responding with HTTP 401 or HTTP 403 does not force the client to do that. – arainchi Jan 17 '19 at 01:44
  • It's not the HTTP error code that does it. There's an error code embedded in the WWW-Auth header that needs to be parsed on the final failed leg of the loop. – Steve Jan 17 '19 at 18:23
  • You are correct. It should respond with HTTP 401 with WWW-Authenticate: Negotiate and include an encoded Kerberos error message, KRB Error: KRB5KRB_AP_ERR_MODIFIED, which forces the client to request a new Kerberos ticket. Thank you! – arainchi Jan 19 '19 at 06:19
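The recovery path described in the answer and comments above, written out as an added example in Python (it is not part of the original thread and not Microsoft's or IIS's code): a client-side check that inspects the WWW-Authenticate: Negotiate token on a 401 for a KRB-ERROR (RFC 4120 section 5.9.1) whose error-code is 41, KRB5KRB_AP_ERR_MODIFIED, and only then drops the cached ticket and fetches a fresh one, plus a toy round trip in which the service's key changes underneath a cached ticket. The hand-rolled DER encoder and decoder, the realm DOMAIN.COM, modelling the service key as a bare key version number (with the service accepting only its current key, not any previous one), and the assumption that an SPNEGO wrapper leaves the KRB-ERROR bytes unchanged inside the token are all assumptions of this example, not anything stated on the page.

```python
"""Added example, not from the page: how an HTTP Negotiate client can recognise a
service-side KRB_AP_ERR_MODIFIED and recover by dropping its cached ticket.
Constructed, no KDC or real crypto: the service key is modelled as a kvno only."""
import base64

KRB5KRB_AP_ERR_MODIFIED = 41   # RFC 4120 7.5.9: integrity check on decrypted field failed
KRB_ERROR_MSG_TYPE = 30        # KRB-ERROR is [APPLICATION 30] (RFC 4120 5.9.1)
TAG_APP_KRB_ERROR = 0x7E       # APPLICATION class | constructed | tag number 30

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_krb_error(code, realm, spn_parts, stime="20190117014400Z"):
    """Encode a minimal KRB-ERROR as a service would send it; optional fields omitted."""
    ctx = lambda n, b: _tlv(0xA0 | n, b)          # EXPLICIT context tag [n]
    gstr = lambda s: _tlv(0x1B, s.encode())       # KerberosString / Realm (GeneralString)
    sname = _tlv(0x30, ctx(0, _int(2))            # name-type NT-SRV-INST
                 + ctx(1, _tlv(0x30, b"".join(gstr(p) for p in spn_parts))))
    body = (ctx(0, _int(5)) + ctx(1, _int(KRB_ERROR_MSG_TYPE))       # pvno, msg-type
            + ctx(4, _tlv(0x18, stime.encode())) + ctx(5, _int(0))   # stime, susec
            + ctx(6, _int(code)) + ctx(9, gstr(realm)) + ctx(10, sname))
    return _tlv(TAG_APP_KRB_ERROR, _tlv(0x30, body))

def _read_tlv(buf, pos):
    """Decode one DER TLV with a single-byte tag -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_krb_error_code(token):
    """error-code of the KRB-ERROR in a Negotiate token, or None. Every APPLICATION 30 tag
    is tried, so a bare or SPNEGO-wrapped KRB-ERROR is found (assumed byte-identical)."""
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    for i in (j for j, b in enumerate(token) if b == TAG_APP_KRB_ERROR):
        try:
            _, seq, _ = _read_tlv(token, i)
            tag, body, _ = _read_tlv(seq, 0)
            fields, pos = {}, 0
            while tag == 0x30 and pos < len(body):
                ctx_tag, inner, pos = _read_tlv(body, pos)
                fields[ctx_tag & 0x1F] = _read_tlv(inner, 0)[1]   # strip the [n] wrapper
        except (IndexError, ValueError):
            continue
        if (as_int(fields.get(0, b"")) == 5 and 6 in fields
                and as_int(fields.get(1, b"")) == KRB_ERROR_MSG_TYPE):
            return as_int(fields[6])
    return None

def negotiate_challenge(token_bytes):   # header value a service puts on its 401
    return "Negotiate " + base64.b64encode(token_bytes).decode("ascii")

def should_refresh_ticket(status, headers):
    """True only for a 401 whose Negotiate token says KRB_AP_ERR_MODIFIED (service could
    not verify the ticket with its key). A bare 401 or a 403 must not trigger a purge."""
    if status != 401:
        return False
    for value in headers.get("WWW-Authenticate", []):
        scheme, _, b64 = value.partition(" ")
        if scheme != "Negotiate" or not b64:
            continue                                  # bare challenge, no token
        if find_krb_error_code(base64.b64decode(b64)) == KRB5KRB_AP_ERR_MODIFIED:
            return True
    return False

def simulate():
    """Client -> IIS -> (KDC) round trips across a machine-account password reset."""
    service = {"kvno": 1, "realm": "DOMAIN.COM", "spn": ["HTTP", "server.domain.com"]}
    spn, cache, log = "/".join(service["spn"]), {}, []   # client ticket cache by SPN
    kdc_issue = lambda: {"kvno": service["kvno"]}        # KDC always uses the current key

    def iis_request(ticket):          # "decrypt" succeeds only under the current key
        if ticket["kvno"] == service["kvno"]:
            return 200, {}
        err = build_krb_error(KRB5KRB_AP_ERR_MODIFIED, service["realm"], service["spn"])
        return 401, {"WWW-Authenticate": [negotiate_challenge(err)]}

    def client_get():
        status, headers = iis_request(cache.setdefault(spn, kdc_issue()))
        if should_refresh_ticket(status, headers):
            log.append("KRB_AP_ERR_MODIFIED for %s: purge and re-request" % spn)
            cache.pop(spn)            # what 'klist purge' would do for this SPN
            status, headers = iis_request(cache.setdefault(spn, kdc_issue()))
        log.append("HTTP %d" % status)

    client_get()                      # ticket issued under kvno 1, accepted
    service["kvno"] += 1              # machine account password reset on the server
    client_get()                      # cached ticket fails once, client recovers
    return log
```

The point of should_refresh_ticket is the distinction arainchi's comment draws: a plain 401 or a 403 carries no information about the ticket, so purging on the status code alone would throw away good tickets and hammer the KDC; only the KRB-ERROR embedded in the Negotiate token justifies dropping the cached ticket, and simulate() shows the client paying exactly one failed request before it is transparently back to HTTP 200.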
0

No. Kerberos tickets aren't validated against the password of an account. That is essentially the reason why Kerberos was created, so credentials don't need to be validated on each access request. Kerberos tickets can even be created and used for accounts that don't exist.

Greg Askew