According to this TechNet article https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/ Machine Accounts (Computer Objects) reset their internal passwords every 30 days.

Let's assume that this server is running IIS with Kerberos SSO, so it has the SPN HTTP/server.domain.com, and the client has a cached Kerberos ticket that it uses to access resources on this server.

If the machine account password for the IIS server resets every 30 days, would it invalidate the cached Kerberos ticket on the client and prevent access until the ticket expires or is purged manually on the client using "klist purge"?

Is there a workaround for this? Can the IIS server force the client to renew its Kerberos ticket?

arainchi

2 Answers

The IIS server will fail to decrypt the ticket, which will generate an encoded response containing an error code indicating the key is wrong. This will indicate to the client that it needs to purge and retry.

There's rarely a situation where klist purge is actually necessary.

Steve
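As an added example (not part of the question or either answer): a PowerShell script an administrator could run on the client to check how old the IIS server's machine account password is against the configured change interval, and to show which cached ticket, if any, the client holds for the HTTP/ SPN. The server name, the SPN, the default 30-day interval and the RSAT ActiveDirectory module being installed are assumptions. When a server genuinely cannot decrypt a presented ticket, the Kerberos error it returns is KRB_AP_ERR_MODIFIED; absent that, a manual purge is not needed.

```powershell
# Added example, not from the original question or answers.
# Assumptions: the IIS host's computer account is "server" in "domain.com"
# (replace as needed), the RSAT ActiveDirectory module is available on the
# machine running this, and klist.exe is the Windows built-in.

param(
    [string]$ServerName = 'server',
    [string]$Spn        = 'HTTP/server.domain.com'
)

Import-Module ActiveDirectory

# 1. How old is the server's machine account password, and when is the next reset due?
$computer = Get-ADComputer -Identity $ServerName -Properties PasswordLastSet
if (-not $computer.PasswordLastSet) {
    throw "PasswordLastSet is not populated for $ServerName"
}

# The change interval is a per-machine Netlogon setting (MaximumPasswordAge, default 30 days).
# Read it from the server's registry over WinRM if reachable; otherwise assume the default.
$maxAgeDays = 30
try {
    $maxAgeDays = Invoke-Command -ComputerName $ServerName -ErrorAction Stop -ScriptBlock {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $value = (Get-ItemProperty -Path $path -Name MaximumPasswordAge -ErrorAction SilentlyContinue).MaximumPasswordAge
        if ($value) { [int]$value } else { 30 }
    }
} catch {
    Write-Warning "Could not read Netlogon MaximumPasswordAge from ${ServerName}; assuming $maxAgeDays days."
}

$age     = (Get-Date) - $computer.PasswordLastSet
$nextDue = $computer.PasswordLastSet.AddDays($maxAgeDays)
"Machine account {0}: password last set {1:u} ({2:N1} days ago); next change expected on or after {3:u}" -f `
    $computer.SamAccountName, $computer.PasswordLastSet, $age.TotalDays, $nextDue

# 2. Which cached service ticket does this client hold for the IIS SPN?
# klist prints one "#n>" block per ticket, each containing a "Server: <spn> @ <REALM>" line.
$klistOutput = (klist 2>&1) | Out-String
$matching    = ($klistOutput -split '(?m)^\s*#\d+>') |
               Where-Object { $_ -match "Server:\s*$([regex]::Escape($Spn))" }

if ($matching) {
    "Cached service ticket(s) for ${Spn}:"
    $matching | ForEach-Object { $_.Trim() }
} else {
    "No cached service ticket for $Spn on this client."
}

# 3. Only if the server actually rejects the ticket (KRB_AP_ERR_MODIFIED on the wire)
# is a manual purge worth trying; the client normally re-requests a ticket on its own:
#     klist purge
```

Run it on a domain-joined client as a user with rights to read the computer object; step 2 reflects the logon session of the user running the script, so run it from the same session that accesses the IIS site.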
No. Kerberos tickets aren't validated against the password of an account. That is essentially the reason why Kerberos was created, so credentials don't need to be validated on each access request. Kerberos tickets can even be created and used for accounts that don't exist.

Greg Askew