TGT lifetime during delegation


t3st0re

I want to allow an application server to impersonate other users for a
limited time.
I know that on win2000 the application server obtains the Kerberos TGT
during delegation. win2003 also allows constrained delegation, and I
would use that model if it's possible.

I'm thinking of setting the Kerberos server to issue tickets with a
reduced lifetime (by setting MaxServiceTicketAge and MaxTicketAge to 20
minutes, for example), but I'm not sure if it would work, as I'm not
sure whether the TGT is renewed automatically on the application server
before it expires.
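
As an added example (not part of this thread), the check a practitioner would run on the application server before touching the ticket-age settings: parse the output of the built-in `klist` and compare each ticket's lifetime with its renewal window. A constructed sample of `klist` output is embedded; the principals, times and flag values in it are made up, and the parser assumes the output format of `klist` on current Windows.

```powershell
# Constructed sample of 'klist' output; on a real host use: $raw = klist | Out-String
$raw = @'
Current LogonId is 0:0x3e7
Cached Tickets: (2)
#0>     Client: appsvc @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 1/2/2024 9:00:00 (local)
        End Time:   1/2/2024 9:20:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)

#1>     Client: appsvc @ EXAMPLE.COM
        Server: cifs/fileserver.example.com @ EXAMPLE.COM
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 1/2/2024 9:05:00 (local)
        End Time:   1/2/2024 9:25:00 (local)
        Renew Time: 1/9/2024 9:00:00 (local)
'@

function ConvertFrom-KlistOutput {
    param([string]$Text)
    # Each ticket starts with a "#n>" header; the chunk before the first one is the preamble.
    foreach ($block in (($Text -split '(?m)^#\d+>') | Select-Object -Skip 1)) {
        $f = @{}
        foreach ($line in ($block -split "`r?`n")) {
            if     ($line -match '^\s*Server:\s*(.+)$')                              { $f.Server = $matches[1].Trim() }
            elseif ($line -match '^\s*(Start|End|Renew) Time:\s*(.+?)\s*\(local\)') { $f[$matches[1]] = [datetime]$matches[2] }
            elseif ($line -match '^\s*Ticket Flags.*->\s*(.+)$')                    { $f.Flags = $matches[1].Trim() -split '\s+' }
        }
        [pscustomobject]@{
            Server     = $f.Server
            IsTgt      = $f.Server -like 'krbtgt/*'
            Forwarded  = $f.Flags -contains 'forwarded'   # TGT obtained through delegation
            Renewable  = $f.Flags -contains 'renewable'
            Lifetime   = $f.End - $f.Start                # bounded by MaxTicketAge / MaxServiceTicketAge
            RenewUntil = $f.Renew - $f.Start              # bounded by MaxRenewAge
        }
    }
}
ConvertFrom-KlistOutput $raw | ForEach-Object {
    # A renewable ticket is re-issued silently until Renew Time, so a short lifetime
    # alone does not bound how long the delegated TGT stays usable.
    $renewals = if ($_.Renewable -and $_.Lifetime.TotalSeconds -gt 0) {
        [math]::Floor($_.RenewUntil.TotalSeconds / $_.Lifetime.TotalSeconds) } else { 0 }
    '{0,-40} tgt={1} forwarded={2} lifetime={3} renewable-for={4} (~{5} silent renewals)' -f `
        $_.Server, $_.IsTgt, $_.Forwarded, $_.Lifetime, $_.RenewUntil, $renewals
}
```

With the sample values a 20-minute lifetime and a 7-day renew window give roughly 504 possible renewals, so MaxRenewAge (and whether tickets are issued renewable at all) is the setting that actually bounds the delegated TGT.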
 
Tickets are renewed automatically by Windows so reducing your ticket
aging is just going to cause wasteful extra traffic from all machines.

I am not sure if it is possible to do what you are asking.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Unless the application server knows the user ID and password, I know of no
way an application could impersonate a user. This would be in conflict with
what security is to do, which is one user, one account.

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 