
Kerberos ticket validity


I have a Windows client which is joined to an Active Directory server. I log in using a domain user ID and password. On login I get a Kerberos ticket which has a lifetime of 10 hours.

I am connected to the Windows client using MS Remote Desktop. What I observed is, when I disconnect from RDP and then reconnect, I see that whatever apps or terminals I had opened are still open, which means it was just a disconnect and not a sign-out. But when I do a klist, I see that the ticket validity is extended to 10 hours from my reconnect time. Just trying to understand why the ticket life is reset on reconnect. I'm not facing an issue, just trying to understand this observation. Is that how it is intended to work? Thanks for any info.

I was under the impression that only sign-out and sign-in will get a new Kerberos ticket.


Solution

    1. Kerberos tickets can be renewable, i.e., just like you can use the TGT to get service tickets, you can also use the current TGT to get a fresh TGT with another 10-hour lifetime. Windows will automatically keep renewing your krbtgt ticket for as long as possible (usually 7 days total).

    2. Sign-in is not the only time you get a ticket; that can also happen when you lock and unlock the session, as you provide the password when unlocking. For example, if your session lasts long enough that the TGT expires for good (i.e. reaches its "max renew time"), I believe Windows will ask you to lock/unlock for a new ticket without requiring you to fully log off.

    3. Unlike other Kerberos-using protocols (which only send a ticket), RDP deliberately sends your real password to the Remote Desktop server so that the server can treat the connection as a full login – or session unlock – and get you a new ticket if needed.
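A way to tell the two cases in this answer apart from klist output, as an added example that is not part of the original question or answer: a TGT obtained by renewal (point 1) keeps its original "Renew Time" and, per RFC 4120, loses the `initial` flag because it came from a TGS exchange rather than an AS exchange; a TGT obtained by re-authentication (points 2 and 3, e.g. an RDP reconnect that presents the password again) carries the `initial` flag and a "Renew Time" pushed out by the full renew limit. The klist snapshots below are constructed samples in klist's en-US layout (a 10-hour ticket life and 7-day renew limit, the AD defaults), not a real capture.

```python
"""Classify why a cached TGT's lifetime changed between two `klist` snapshots.

Added example, not from the original post. The snapshots are constructed
samples (hypothetical realm EXAMPLE.LOCAL) in klist's en-US date layout.
"""
import re
from datetime import datetime

# klist prints each cached ticket as a block starting with "#N>".
_TIME_RE = re.compile(r"(Start|End|Renew) Time:\s+(\d+/\d+/\d+ \d+:\d+:\d+)")
_SERVER_RE = re.compile(r"Server:\s+(\S+)")
_FLAGS_RE = re.compile(r"Ticket Flags 0x[0-9a-fA-F]+ -> (.*)")


def parse_klist(text):
    """Return one dict per cached ticket: server principal, flag set, and times."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        ticket = {
            "server": _SERVER_RE.search(block).group(1),
            "flags": set(_FLAGS_RE.search(block).group(1).split()),
        }
        for which, stamp in _TIME_RE.findall(block):
            ticket[which.lower()] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        tickets.append(ticket)
    return tickets


def find_tgt(tickets):
    """The TGT is the ticket whose server principal is krbtgt/<REALM>."""
    return next(t for t in tickets if t["server"].lower().startswith("krbtgt/"))


def classify_tgt_change(before_text, after_text):
    """'unchanged', 'renewed' (TGS-REQ with RENEW), 'reauthenticated' (new AS-REQ), or 'unexpected'."""
    old, new = find_tgt(parse_klist(before_text)), find_tgt(parse_klist(after_text))
    if (old["start"], old["end"], old["renew"]) == (new["start"], new["end"], new["renew"]):
        return "unchanged"
    # Renewal: new 10-hour window, same renew-until, and RFC 4120 says a ticket
    # issued via TGS (not AS) does not carry the INITIAL flag.
    if new["renew"] == old["renew"] and new["end"] > old["end"] and "initial" not in new["flags"]:
        return "renewed"
    # Re-authentication: the password was presented again, so the KDC ran a fresh
    # AS exchange; the ticket is INITIAL and the renew limit restarts from now.
    if "initial" in new["flags"] and new["renew"] > old["renew"]:
        return "reauthenticated"
    return "unexpected"


# --- constructed sample snapshots (not real output) -------------------------
BEFORE = """Current LogonId is 0:0x3e7
Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/2/2024 9:00:00 (local)
        End Time:   1/2/2024 19:00:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)

#1>     Client: alice @ EXAMPLE.LOCAL
        Server: cifs/fs01.example.local @ EXAMPLE.LOCAL
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 1/2/2024 9:05:00 (local)
        End Time:   1/2/2024 19:00:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)
"""

# Windows renewed the TGT shortly before expiry: Renew Time unchanged, no 'initial'.
AFTER_RENEWED = """Cached Tickets: (1)

#0>     Client: alice @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 1/2/2024 18:30:00 (local)
        End Time:   1/3/2024 4:30:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)
"""

# RDP reconnect at 14:00 presented the password again: 'initial' flag, Renew Time moved.
AFTER_RECONNECT = """Cached Tickets: (1)

#0>     Client: alice @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/2/2024 14:00:00 (local)
        End Time:   1/3/2024 0:00:00 (local)
        Renew Time: 1/9/2024 14:00:00 (local)
"""

if __name__ == "__main__":
    print("renewal snapshot   :", classify_tgt_change(BEFORE, AFTER_RENEWED))
    print("reconnect snapshot :", classify_tgt_change(BEFORE, AFTER_RECONNECT))
```

To use it on a real machine, run `klist` before and after the event you are curious about and feed the two outputs to `classify_tgt_change`; a locale other than en-US will need the date format in `parse_klist` adjusted.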