No kerberos tgt ticket after unlock screen

鴻明 劉 1 Reputation point
2022-06-28T08:23:25.38+00:00

I have an application which need kerberos tgt ticket, and I need that client computer contains tgt when user is logon.
(Client: WIN10, Server: Windows Server 2012)

After the user logons the computer, we can see the ticket by using klist command.
215666-normal-tgt.png

You can see that the client caches 3 tickets after the user logon.
However, when I try to lock screen and logon again, all the tickets disapear and regenerate no one.
215712-unlock-tgt.png

Using Windows Network Monitor, we can find that the behavior of unlocking screen and logon is the same.
They all go through kerberos protocol AS request->AS response->TGS request->TGS response......
But in the end, client computer doesn't store tgt after unlocking screen. It's so weird.
215569-unlock-login.png

I have searched for many forum about this question but still have no idea why Microsoft designed this mechanism.
Can someone expalain it and tell me how to auto-regenerate tgt after unlock screen?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,642 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
1,941 questions
No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Gary Reynolds 8,811 Reputation points
    2022-06-28T09:07:22.37+00:00

    Hi @鴻明 劉 ,

    This network traffic is normal for a TGT exchange, the client will first try and connect without authentication and pre-authentation required response is sent from the server with the accepted authentication methods, client then tries again with a supported authentication method.

    You don't really need to have the TGT ticket cached before the user accesses the service. If the service is setup to use Kerberos, the client will request the required TGT and TGS tickets. You just need to make sure you have the correct SPN configured on the service.

    Here are some examples of SPNs https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx

    Gary.

    No comments

  2. 鴻明 劉 1 Reputation point
    2022-06-29T01:56:24.07+00:00

    Hi @Gary Reynolds ,

    For my application, I will trigger something when the client goes through kerberos AS request,
    so the different behavior of unlock screen and logon bothers me a lot.
    I think your answer haven't solved my question but still thank for your reply, and here I list a real case example.

    For example:
    (1) If user logoff after he unlocks screen, client has no TGT
    He will go through whole the kerberos event (as->tgs), so my application will trigger. But this is not what I want.
    (2) If user logoff without unlocking screen, client holds TGT
    He will go through kerberos event (tgs), and my application will not trigger. This is the correct operation I want.

    As my understanding, AS response ticket from server contains TGT ticket(Protocol Description from Wiki), and client will cache the TGT in AS response for further service.
    https://en.wikipedia.org/wiki/Kerberos_(protocol)
    User logon event will cache TGT, and unlock screen will not.(They all go through whole kerberos as -> tgt)
    This is the weird point I think, and I want to know the reason.


  3. Limitless Technology 37,351 Reputation points
    2022-06-30T13:22:11.427+00:00

    Hi there,

    This is by design. There is no way to prevent the Kerberos service ticket(s) from being purged after a screen lock. As soon as you access a new Kerberos-protected resource again, a new authentication procedure takes place and new tickets will appear.

    It is important to understand a distinction between Kerberos tickets - there are two types - the ticket-granting ticket (TGT) and the service ticket (ST). You can ensure that the Kerberos TGT remains in the client cache and does not clear out after a screen lock if your computer is participating in an Active Directory domain and you make what is known as a Group Policy change in order to change the behaviour.

    Hope this resolves your Query !!

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    If the reply is helpful, please Upvote and Accept it as an answer

    No comments