Kerberos Renews TGT When it Should Be Refreshed (300436)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q300436

SYMPTOMS

By default, Kerberos Ticket Granting Tickets (TGTs) are refreshed every 10 hours and the tickets are renewed every 7 days (you can change these settings by using a group policy). When a TGT's age reaches 10 hours, it does not refresh automatically. The first attempt to use the TGT after this period has expired results in the TGT being renewed rather than refreshed. When a TGT is refreshed, it does not use password information to complete the operation, but a TGT renewal does.

If a user account password has been reset or changed from another computer while the user is logged on to a separate computer and an account lockout policy has been implemented, the account may become locked. The Kerberos client's attempts to refresh the TGT retrieve cached password information that is now out of date.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Modification Type: Major
Last Reviewed: 11/14/2003
Keywords: kbbug kbenv kbpending KB300436