这里有答案
Can the lifetime be longer than the renewal time?
Technically, yes. Logically, the ticket lifetime should not be longer than ticket renewal time. Let’s say the lifetime is 8 days and the renewal time is 7 days. The ticket will be invalid after 7 days no matter what the lifetime value is. Renewal time is the maximum cumulative time a ticket can be extended for.
更新Ticket的时候用户Hash来自哪里?
答案:
交互式登陆的用户密码Hash:
The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy of the hashed password is destroyed when the user's logon session is destroyed.
服务和电脑HASH
Hashed passwords for services and computers are handled differently than above. As in Windows NT, hashed passwords are stored in a secure area of the computer's registry. The registry is also used to store hashed passwords for user accounts on the local system, but local accounts are used only for access to computers in standalone mode, never for network access.
缺省值
- Maximum lifetime for user ticket: 10 hours
- Maximum lifetime for user ticket renewal: 7 days
Please note that “ticket renewal” value equals to “maximum cumulative ticket life”. It means that a ticket can be refreshed (a new session key is assigned) every 10 hours for 7 days. If it has been 7 days or more since the ticket was created, a new ticket has to be created even if the ticket is renewable. This is because the maximum cumulative ticket life is reached.
Any side effects if the lifetime is the same as renewal time?
It’s acceptable. However, it is better if the renewal time is longer than the lifetime. If they are the same:
- If the value is small such as 1 day, it means the client should reauthenticate every day which makes the process inefficient
- If the value is high such as 3-4 days, it means the client will stay authenticated for 3-4 days. There are security concerns around high ticket lifetimes:
- If an account is disabled (let’s say the person leaves the company), the account can continue to use the application until the ticket is expired
- If the ticket is compromised, the attacker will be able to penetrate the system until the ticket is expired