Hi all,

After we updated to Windows 2012R2, we noticed that the KDC already returns KRB_AP_ERR_TKT_EXPIRED during the last 120 seconds of ticket lifetime, which can cause problems with authentication and ticket renewal.

Before, tickets were accepted right up to the end of the ticket lifetime. This seems the intended behavior according to the Kerberos 5 specification (RFC 1510): "if the current [local server] time is later than end time by more than the allowable clock skew, the KRB_AP_ERR_TKT_EXPIRED error is returned."

We contacted Microsoft about this behavior, since KB2877460 (https://support.microsoft.com/en-us/kb/2877460) seems to acknowledge that returning KRB_AP_ERR_TKT_EXPIRED early can cause issues, and that a hotfix was released to fix this. Unfortunately, according to Microsoft, Windows 2012R2 already includes this fix.

I was wondering if anybody has an idea why the Windows 2012R2 KDC would want to return KRB_AP_ERR_TKT_EXPIRED before the actual end time, and whether this behavior is correct or not?

-- 
Robbert Eggermont                         Intelligent Systems
r.eggerm...@tudelft.nl      Electr.Eng., Mathematics & Comp.Science
+31 15 27 83234                  Delft University of Technology

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
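To make the two expiry rules in the post concrete, here is an added Python model (example code, not part of the original thread and not Microsoft's or MIT Kerberos' implementation). It encodes the RFC rule quoted above ("later than end time by more than the allowable clock skew") next to the early-rejection behavior the post observed (expired during the last 120 seconds of lifetime), computes the window in which the two rules disagree, and derives the latest safe renewal time a client would need to stay clear of that window. The 5-minute clock skew, the 120-second window, the renewal margin and all timestamps are constructed values for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed parameters (illustrative, not from the original post):
# the conventional Kerberos default clock skew and the early window
# reported in the post.
ALLOWABLE_CLOCK_SKEW = timedelta(minutes=5)
OBSERVED_EARLY_WINDOW = timedelta(seconds=120)


def rfc_ticket_expired(now, endtime, skew=ALLOWABLE_CLOCK_SKEW):
    """RFC rule: a ticket is expired only when the server's local time is
    later than the ticket end time by more than the allowable clock skew."""
    return now > endtime + skew


def early_reject_expired(now, endtime, early_window=OBSERVED_EARLY_WINDOW):
    """Behavior described in the post: the ticket is already treated as
    expired during the last `early_window` of its lifetime."""
    return now > endtime - early_window


def classify(now, endtime, skew=ALLOWABLE_CLOCK_SKEW,
             early_window=OBSERVED_EARLY_WINDOW):
    """Evaluate one authentication attempt under both rules and flag
    whether they disagree (the cases that surface as unexpected
    KRB_AP_ERR_TKT_EXPIRED errors)."""
    rfc = rfc_ticket_expired(now, endtime, skew)
    observed = early_reject_expired(now, endtime, early_window)
    return {"rfc_expired": rfc, "observed_expired": observed,
            "disagree": rfc != observed}


def disagreement_window(endtime, skew=ALLOWABLE_CLOCK_SKEW,
                        early_window=OBSERVED_EARLY_WINDOW):
    """Interval (start, end) during which the early-rejection rule reports
    expired but the RFC rule still accepts the ticket."""
    return endtime - early_window, endtime + skew


def safe_renew_deadline(endtime, early_window=OBSERVED_EARLY_WINDOW,
                        margin=timedelta(seconds=30)):
    """Latest time a client should start renewal so that the renewal
    request itself is not rejected by the early-expiry rule. `margin`
    is a constructed allowance for request latency."""
    return endtime - early_window - margin


def audit_attempts(attempts, endtime):
    """Run `classify` over a list of (label, timestamp) attempts and return
    the labels whose outcome differs between the two rules."""
    return [label for label, when in attempts
            if classify(when, endtime)["disagree"]]


if __name__ == "__main__":
    # Constructed ticket end time and a few authentication attempts around it.
    end = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    attempts = [
        ("3 min before end", end - timedelta(minutes=3)),
        ("1 min before end", end - timedelta(minutes=1)),
        ("1 min after end", end + timedelta(minutes=1)),
        ("6 min after end", end + timedelta(minutes=6)),
    ]
    for label, when in attempts:
        print(f"{label:>17}: {classify(when, end)}")
    start, stop = disagreement_window(end)
    print("rules disagree between", start.time(), "and", stop.time())
    print("renew no later than", safe_renew_deadline(end).time())
```

The point of `disagreement_window` is that the early-rejection rule and the RFC rule differ over a span of `early_window + skew` (seven minutes with these constructed parameters), and every request that lands in that span is accepted by one rule and rejected by the other; `safe_renew_deadline` is the client-side workaround of renewing before the window opens.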