
How to delete a Kerberos ticket


Frank Perry

Apr 27, 2009, 4:14:01 PM
Howdy,

I have an app that requests data from a server. I am using Kerberos tickets
for authentication. My problem is that users of remote machines don't log
off those machines and after a number of days, the ticket granting ticket
reaches the end of its renewal period. Under Windows XP sp2 (can't go to sp3
yet), my calls to get a new ticket fail. If I can delete the ticket with
klist.exe, the program will get a new ticket and the user is authenticated.

I am trying to get the function CredDelete to remove the Kerberos ticket so
I can request a new one, but all the calls return that they can't find the
ticket (error 1168). The code looks like

LPCWSTR pwstrPrincipal = (LPCWSTR) "krbtgt/myPlace";
BOOL bCredBack = ::CredDeleteW(pwstrPrincipal,(DWORD) 1,(DWORD)0);

Any ideas what I'm doing wrong?

--
Frank Perry
LavaLeaf Software

DaveMo

Apr 28, 2009, 10:37:27 AM
On Apr 27, 1:14 pm, Frank Perry <FrankPe...@discussions.microsoft.com>
wrote:

Frank,

Tickets should be automatically renewed/refreshed/reissued by the Kerb
client as long as there is connectivity with the DC/KDC. In other
words, you should never have to do what you describe. Does this occur
on a mix of client OS machines or one specific version? Also, how are
you doing authentication - which APIs - in your app?

To answer your specific question it might be that you need
L"krbtgt/myPlace" to make it a wide string.

HTH,
Dave

Frank Perry

Apr 29, 2009, 5:19:02 PM
Howdy,

As for why they aren't being renewed, I don't have an answer. There seems
to be an issue that XP SP3 addresses, but we can't install that for some time.

But the good news is that James Carr at Microsoft sent me a way to handle
it.

LsaCallAuthenticationPackage
see http://msdn.microsoft.com/en-us/library/aa378261(VS.85).aspx

with the following parameter:

KERB_PURGE_TKT_CACHE_REQUEST Structure
see http://msdn.microsoft.com/en-us/library/aa378104(VS.85).aspx

purges the ticket cache. It's a bit more involved than that but that is the
key function.

Now I can purge the cache before the user gets close to the end of the
renewal period.

Thanks for the response.


--
Frank Perry
LavaLeaf Software
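The full call sequence around LsaCallAuthenticationPackage with a KERB_PURGE_TKT_CACHE_REQUEST, as an added example that is not part of the original thread and is not the code Microsoft sent to the poster. The function name purge_kerberos_ticket_cache and the PURGE_UNSUPPORTED fallback for non-Windows builds are hypothetical names chosen for this sketch.

```c
/* Added example: purge the calling logon session's Kerberos ticket cache. */
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* Lsa* functions, KERB_PURGE_TKT_CACHE_REQUEST */
#include <string.h>
#pragma comment(lib, "secur32.lib")

/* Returns 0 on success, otherwise the failing NTSTATUS (negative). */
long purge_kerberos_ticket_cache(void)
{
    HANDLE lsa = NULL;
    LSA_STRING pkg_name;
    ULONG pkg_id = 0, reply_len = 0;
    PVOID reply = NULL;
    NTSTATUS status, pkg_status = 0;
    KERB_PURGE_TKT_CACHE_REQUEST req;

    /* An untrusted connection is enough; no SeTcbPrivilege required. */
    status = LsaConnectUntrusted(&lsa);
    if (status < 0)
        return status;

    pkg_name.Buffer = (PCHAR)MICROSOFT_KERBEROS_NAME_A;
    pkg_name.Length = (USHORT)strlen(pkg_name.Buffer);
    pkg_name.MaximumLength = pkg_name.Length + 1;
    status = LsaLookupAuthenticationPackage(lsa, &pkg_name, &pkg_id);
    if (status >= 0) {
        /* Zeroed LogonId = caller's own session; empty ServerName and
           RealmName = every ticket in that session, TGT included. */
        memset(&req, 0, sizeof req);
        req.MessageType = KerbPurgeTicketCacheMessage;
        status = LsaCallAuthenticationPackage(lsa, pkg_id, &req, sizeof req,
                                              &reply, &reply_len, &pkg_status);
        if (status >= 0)
            status = pkg_status;   /* the package reports its own result here */
        if (reply != NULL)
            LsaFreeReturnBuffer(reply);
    }
    LsaDeregisterLogonProcess(lsa);
    return status;
}
#else
/* LSA exists only on Windows; other builds just report "unsupported". */
#define PURGE_UNSUPPORTED (-1L)
long purge_kerberos_ticket_cache(void) { return PURGE_UNSUPPORTED; }
#endif
```

A nonzero return value can be passed to LsaNtStatusToWinError to get the corresponding Win32 error code for logging.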
