Tags: java, windows, active-directory, kerberos, jgss

Kerberos cached ticket on windows machine not regenerated after user unlock


I have Java server and client applications. These applications run on Windows machines. The client logs in to the server using Kerberos authentication. It's implemented using the JGSS API.

At first the client retrieves the cached TGT stored in the system to generate a token from the KDC. The problem is: after locking the user session in Windows (lock screen or switch user) there are no cached TGT tickets in the system (checked with C:\Windows\System32\klist.exe). As I understand it, I can only get them back by logging the user off and on again on the computer.

This problem happened to me on customer machines. After locking, the list of cached tickets is empty.

It's not reproducible in my office (clients on Windows 7, Active Directory server on Windows Server 2008). After locking I always have NEW, REGENERATED cached TGT tickets on the machine (not the ones from before locking; they were generated again after unlocking). There's no special GPO set for this behaviour (see the question about using cached tickets from a previous user session: Kerberos cached ticket deleted after using Windows lock screen).

So I don't understand why the system does not regenerate the cached TGT after unlocking. How can I make it do so?

I found a similar question here: https://social.technet.microsoft.com/Forums/ie/en-US/be5ebc3b-d915-4acb-a9ae-67c61ee03b97/service-tickets-kerberos-purged-on-ctrlaltdel?forum=winserverDS&prof=required. One of the answers is: "First of all have a look at what you have with klist, then lock and unlock your screen. If you have a connection to the DC you will get a service ticket to your local host and the KDC and the TGT; if you don't have a connection you will have nothing."

The connection to AD is successful. I can ping it, and I can get information by connecting with AD Explorer. Or is the connection to the DC not the same thing?

Thanks.
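An added diagnostic for the before/after-unlock comparison described in the question (example code, not part of the question or the answer): it reads the LSA ticket cache through klist.exe, reports whether a TGT is present, and checks DC reachability through the DC locator (nltest), which is the check that matters for ticket acquisition rather than a plain ping. It assumes klist.exe prints one "Server: <spn> @ <realm>" line per cached ticket, as it does on Windows 7 / Server 2008 R2 and later.

```powershell
# Added diagnostic, not code from the question or the answer.
# Run it once before locking the session and again right after unlocking;
# a TGT that is present before and absent after reproduces the reported symptom.
# Assumption: klist.exe prints one "Server: <spn> @ <realm>" line per ticket.
# Written to stay compatible with PowerShell 2.0 (Windows 7 default).

function Get-KlistTickets {
    # Parse the current user's LSA ticket cache from klist.exe output.
    $raw = & "$env:SystemRoot\System32\klist.exe" 2>&1 | Out-String
    $tickets = @()
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*Server:\s*(?<spn>\S+)\s*@\s*(?<realm>\S+)') {
            $tickets += New-Object PSObject -Property @{
                Spn   = $Matches['spn']
                Realm = $Matches['realm']
                IsTgt = ($Matches['spn'] -like 'krbtgt/*')   # TGTs are issued for krbtgt/REALM
            }
        }
    }
    return ,$tickets   # keep an empty result as an array, not $null
}

function Test-DcLocator {
    # Ask the DC locator for a domain controller, the same way the Kerberos client does.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $null = & nltest "/dsgetdc:$Domain" 2>&1
    return ($LASTEXITCODE -eq 0)
}

$stamp   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$tickets = Get-KlistTickets
$tgts    = @($tickets | Where-Object { $_.IsTgt })
$dcOk    = Test-DcLocator

if ($tgts.Count -gt 0) {
    "$stamp  TGT present: $($tgts | ForEach-Object { $_.Spn + ' @ ' + $_.Realm })"
} else {
    "$stamp  NO TGT in the LSA cache ($($tickets.Count) cached ticket(s) in total)"
}
"$stamp  DC locator: " + $(if ($dcOk) { 'OK' } else { 'FAILED (LSA cannot obtain a TGT without a reachable DC)' })
```

Save both runs' output next to the raw klist output when collecting evidence from a customer machine, so the support case shows whether the cache or the DC connection is the problem.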


Solution

  • JGSS and SSPI don't play well together. You either use JGSS only or start using SSPI via JNA.