
Disabling accounts after session ticket granted.


  • Disabling accounts after session ticket granted.

    Can anyone tell me what happens when someone logs onto their PC, authenticates with the DC, acquires a Kerberos session ticket, and their account is then disabled?

    They won't be able to log onto any other devices they don't already have a ticket for, but will they be able to use the existing ticket to carry on accessing those resources they have been granted access to?

    Bit confused.

    Cheers.

  • #2
    Re: Disabling accounts after session ticket granted.

    No, when the account is disabled their existing tickets are invalidated. Each time you click on a resource your tickets are re-checked against the AD database.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Disabling accounts after session ticket granted.

      Originally posted by Stonelaughter:
      No, when the account is disabled their existing tickets are invalidated. Each time you click on a resource your tickets are re-checked against the AD database.
      Nope... Your existing session tickets and TGT are valid until they expire (though you will not be able to obtain new session tickets using your TGT). Session tickets are not validated against the KDC after being issued. In the NTLM world that was true, but not in the Kerberos world.

      In the Kerberos world you have 2 basic types of tickets: TGT and session ticket. The TGT (issued by the KDC upon your logon) is like the ID you use to request session tickets from the KDC to access resources on the network (i.e. a session ticket to access the CIFS/server.domain.com service).
      If the client has a valid session ticket to a resource/service, the server hosting the service validates the session ticket without talking to the KDC. The result is that if you have a valid, unexpired session ticket, you will be able to access the resource even if your account is disabled.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"

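The behaviour Guy describes, modelled as an added example (not code from this thread): a toy KDC and a toy file server where the AS/TGS exchanges re-check the account in the KDC's database but the service validates a presented ticket with only its own key and the ticket's expiry time. The principal name, service name, keys and the 10-hour lifetime are constructed placeholders, and HMAC stands in for real ticket encryption.

```python
import hmac, hashlib, json

# Constructed placeholders: not real Kerberos key material.
SERVICE_KEY = b"cifs/server.domain.com long-term key (constructed)"
KRBTGT_KEY = b"krbtgt long-term key (constructed)"
SERVICE = "cifs/server.domain.com"

def _seal(fields, key):
    """Stand-in for encrypting a ticket under a long-term key: the holder of
    the key, and nobody else, can verify that the fields are genuine."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def _open(ticket, key):
    """Returns the ticket fields if the MAC verifies under key, else None."""
    mac = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(ticket["body"]) if hmac.compare_digest(mac, ticket["mac"]) else None

class KDC:
    def __init__(self, lifetime=10 * 3600):
        self.enabled = {}        # principal -> account enabled? (the "AD database")
        self.lifetime = lifetime

    def as_exchange(self, principal, now):
        """Logon: returns a TGT, or None if the account is missing/disabled."""
        if not self.enabled.get(principal):
            return None
        return _seal({"cname": principal, "sname": "krbtgt", "endtime": now + self.lifetime}, KRBTGT_KEY)

    def tgs_exchange(self, tgt, service, now):
        """Service-ticket request: the KDC re-checks the account here."""
        f = _open(tgt, KRBTGT_KEY)
        if f is None or f["endtime"] <= now or not self.enabled.get(f["cname"]):
            return None          # disabled account gets no new session tickets
        return _seal({"cname": f["cname"], "sname": service, "endtime": now + self.lifetime}, SERVICE_KEY)

def service_accepts(ticket, now):
    """What the file server does: check key and expiry only; no KDC contact."""
    f = _open(ticket, SERVICE_KEY)
    return f is not None and f["sname"] == SERVICE and f["endtime"] > now

def scenario():
    kdc = KDC()
    kdc.enabled["alice"] = True
    t0 = 1_700_000_000
    tgt = kdc.tgs_exchange.__self__ and kdc.as_exchange("alice", t0)
    st = kdc.tgs_exchange(tgt, SERVICE, t0)
    kdc.enabled["alice"] = False   # account disabled one hour later
    return {
        "existing_ticket_still_accepted": service_accepts(st, t0 + 3600),
        "new_ticket_issued_after_disable": kdc.tgs_exchange(tgt, SERVICE, t0 + 3600) is not None,
        "expired_ticket_accepted": service_accepts(st, t0 + 11 * 3600),
    }
```

The first result is the point of the thread: the service has no way to learn about the disable until the ticket's endtime passes, so ticket lifetime bounds the exposure.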


      • #4
        Re: Disabling accounts after session ticket granted.

        I stand most excellently corrected... thanks Guy!


        Tom
