From e3dc77a76f29f0484eab155f4d6789b0a20eb8df Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 21 Oct 2003 22:20:48 +0000 Subject: [PATCH] Because of the failure of Windows 2000 and Windows XP to perform proper ticket expiration time management, the MS Kerberos LSA will return tickets to a calling application with lifetimes as short as one second. Tickets with lifetimes less than five minutes can cause problems for most apps. Tickets with lifetimes less than 20 minutes will trigger the Leash ticket lifetime warnings. Instead of accepting whatever tickets are returned by MS LSA from the cache, if the ticket lifetime is less than 20 minutes force a retrieval operation bypassing the LSA ticket cache. ticket: 1962 target_version: 1.3.2 tags: pullup owner: jaltman@mit.edu status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15843 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/ms2mit/ChangeLog | 16 ++++++++++++++++ src/windows/ms2mit/ms2mit.c | 14 ++++++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog index 1c5a9c45f..f177bb41d 100644 --- a/src/windows/ms2mit/ChangeLog +++ b/src/windows/ms2mit/ChangeLog @@ -1,3 +1,19 @@ +2003-10-21 Jeffrey Altman + + * ms2mit.c: + + Because of the failure of Windows 2000 and Windows XP to perform + proper ticket expiration time management, the MS Kerberos LSA will + return tickets to a calling application with lifetimes as short as + one second. Tickets with lifetimes less than five minutes can cause + problems for most apps. Tickets with lifetimes less than 20 minutes + will trigger the Leash ticket lifetime warnings. + + Instead of accepting whatever tickets are returned by MS LSA from + the cache, if the ticket lifetime is less than 20 minutes force a + retrieval operation bypassing the LSA ticket cache. + + 2003-07-16 Jeffrey Altman * ms2mit.c: diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c index 3baaf1958..12e028e0b 100644 --- a/src/windows/ms2mit/ms2mit.c +++ b/src/windows/ms2mit/ms2mit.c @@ -649,12 +649,22 @@ GetMSTGT( case KERB_ETYPE_DES_CBC_MD5: case KERB_ETYPE_NULL: case KERB_ETYPE_RC4_HMAC_NT: { - FILETIME Now, EndTime, LocalEndTime; + FILETIME Now, MinLife, EndTime, LocalEndTime; + __int64 temp; + // FILETIME is in units of 100 nano-seconds + // If obtained tickets are either expired or have a lifetime + // less than 20 minutes, retry ... GetSystemTimeAsFileTime(&Now); EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart; EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart; FileTimeToLocalFileTime(&EndTime, &LocalEndTime); - if (CompareFileTime(&Now, &LocalEndTime) >= 0) { + temp = Now.dwHighDateTime; + temp <<= 32; + temp = Now.dwLowDateTime; + temp += 1200 * 10000; + MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF); + MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF); + if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) { #ifdef ENABLE_PURGING purge_cache = 1; #else -- 2.26.2