Because of the failure of Windows 2000 and Windows XP to perform proper

ticket expiration time management, the MS Kerberos LSA will return
tickets to a calling application with lifetimes as short as one second.
 Tickets with lifetimes less than five minutes can cause problems for
most apps.  Tickets with lifetimes less than 20 minutes will trigger the
Leash ticket lifetime warnings.

Instead of accepting whatever tickets are returned by MS LSA from the
cache, if the ticket lifetime is less than 20 minutes force a retrieval
operation bypassing the LSA ticket cache.

ticket: 1962
target_version: 1.3.2
tags: pullup
owner: jaltman@mit.edu
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15843 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
index 1c5a9c45f82d179b7b45996b4b3a6b95d75f48a4..f177bb41d9ad07db1e8c1456dc69b1ae9616fe16 100644 (file)
--- a/src/windows/ms2mit/ChangeLog
+++ b/src/windows/ms2mit/ChangeLog
@@ -1,3 +1,19 @@
+2003-10-21  Jeffrey Altman <jaltman@mit.edu>
+
+    * ms2mit.c:
+
+    Because of the failure of Windows 2000 and Windows XP to perform 
+    proper ticket expiration time management, the MS Kerberos LSA will 
+    return tickets to a calling application with lifetimes as short as 
+    one second.  Tickets with lifetimes less than five minutes can cause 
+    problems for most apps.  Tickets with lifetimes less than 20 minutes 
+    will trigger the Leash ticket lifetime warnings.
+
+    Instead of accepting whatever tickets are returned by MS LSA from 
+    the cache, if the ticket lifetime is less than 20 minutes force a 
+    retrieval operation bypassing the LSA ticket cache.
+
+
 2003-07-16  Jeffrey Altman <jaltman@mit.edu>
 
     * ms2mit.c: 

diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
index 3baaf195849f4575b035c1df6f81b183ebe2ee57..12e028e0bc37467b5cd18d8e8865c88b1883d02b 100644 (file)
--- a/src/windows/ms2mit/ms2mit.c
+++ b/src/windows/ms2mit/ms2mit.c
@@ -649,12 +649,22 @@ GetMSTGT(
         case KERB_ETYPE_DES_CBC_MD5:
         case KERB_ETYPE_NULL:
         case KERB_ETYPE_RC4_HMAC_NT: {
-            FILETIME Now, EndTime, LocalEndTime;
+            FILETIME Now, MinLife, EndTime, LocalEndTime;
+            __int64  temp;
+            // FILETIME is in units of 100 nano-seconds
+            // If obtained tickets are either expired or have a lifetime
+            // less than 20 minutes, retry ...
             GetSystemTimeAsFileTime(&Now);
             EndTime.dwLowDateTime=pTicketResponse->Ticket.EndTime.LowPart;
             EndTime.dwHighDateTime=pTicketResponse->Ticket.EndTime.HighPart;
             FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
-            if (CompareFileTime(&Now, &LocalEndTime) >= 0) {
+            temp = Now.dwHighDateTime;
+            temp <<= 32;
+            temp = Now.dwLowDateTime;
+            temp += 1200 * 10000;
+            MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF);
+            MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF);
+            if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) {
 #ifdef ENABLE_PURGING
                 purge_cache = 1;
 #else