On Mon, Aug 13, 2012 at 7:05 AM, Mark Pröhl <[email protected]> wrote:
> if a ticket has been issued to the client, the KDC cannot revoke that
> ticket, even if the client is deleted or disabled. But if the client
> needs to do a renew request from time to time, the KDC might not issue
> new tickets if the client is deleted or disabled.

A few remarks regarding revocation:

 - For same realm client and service the TGS should check that the
   client principal is still valid.

 - For x-realm tickets the most reasonable thing to do may be to
   shorten ticket life.

Nico
-- 
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
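
Added example, not part of the original message and not MIT krb5 code: a toy TGS model of the two remarks above, showing that re-checking a same-realm client on every request bounds a disabled client's exposure by the ticket lifetime instead of the renewable lifetime, and that foreign-realm clients get a shortened life. The class, function and realm names and all times are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    client: str
    realm: str       # realm of the client principal
    endtime: int     # ticket stops being usable (seconds)
    renew_till: int  # absolute limit for renewals

class ToyKDC:
    """Hypothetical, simplified KDC; every renewal is modelled as a TGS request."""
    def __init__(self, realm, life, renew_life, xrealm_life, recheck=True):
        self.realm, self.life, self.renew_life = realm, life, renew_life
        self.xrealm_life, self.recheck = xrealm_life, recheck
        self.enabled = set()  # principals currently valid in this realm

    def issue(self, client, now):
        if client not in self.enabled:
            raise PermissionError("client unknown or disabled")
        return Ticket(client, self.realm, now + self.life, now + self.renew_life)

    def tgs_request(self, tkt, now):
        if now >= tkt.endtime or now >= tkt.renew_till:
            raise PermissionError("ticket expired")
        local = tkt.realm == self.realm
        # Revocation point: a same-realm client is looked up again.
        if self.recheck and local and tkt.client not in self.enabled:
            raise PermissionError("client unknown or disabled")
        # A foreign-realm client cannot be looked up here, so cap its life.
        life = self.life if local else self.xrealm_life
        return Ticket(tkt.client, tkt.realm,
                      min(now + life, tkt.renew_till), tkt.renew_till)

def usable_after_disable(kdc, client, disable_at, renew_every):
    """Seconds the client's last ticket outlives the disabling of the client."""
    kdc.enabled.add(client)
    tkt, now = kdc.issue(client, 0), 0
    while True:
        now += renew_every
        if now >= disable_at:
            kdc.enabled.discard(client)
        try:
            tkt = kdc.tgs_request(tkt, now)
        except PermissionError:
            return max(tkt.endtime - disable_at, 0)

if __name__ == "__main__":
    for recheck in (True, False):
        kdc = ToyKDC("EXAMPLE.COM", 600, 604800, 120, recheck=recheck)
        print(recheck, usable_after_disable(kdc, "alice", 1000, 300))
```
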
