Impact of decreasing Kerberos User Ticket Renewal Lifetime

In a domain with mostly Windows 7 clients and Windows 2008 R2 + 2012 R2 servers, I'm interested in lowering the
user TGT renewal lifetime policy setting from the default (7 days) to the lowest possible value (1 day).
The aim is to limit the timeframe in which a stolen Kerberos ticket can be reused without having the principal's password for authentication.
My impression is that Windows 7 will handle ticket renewal seamlessly, and in the event that a domain user has an interactive session running for more than 24 hours without supplying a password, the user will (at most) get the "Windows needs your current
credentials" popup balloon from the system tray when the renewal lifetime is exceeded (just like when ticket validation fails due to a password change).
Is this theory correct?
I just want to make sure that I cause as little disruption from a user perspective as possible.

Renewable TGTs
When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable
tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all
instances of the ticket.
The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time
field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy. A client holding a renewable ticket must send it—presenting a fresh authenticator as well—to the KDC for renewal before the end time is reached.
When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the ticket's Start Time field plus the value of the maximum cumulative
ticket life specified by Kerberos policy. When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key.
This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervals—every day, for example. When
tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long period—one week or one month, for example. At the end of that time, the ticket expires and
is no longer valid for renewal.
Source:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e0c6a401-1609-47c9-8f1c-6437b98bef2a/how-does-kerberos-ticket-or-tgt-get-renewed-or-refreshed?forum=winserversecurity
Regards,
Biswajit
MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
Note: Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.
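As an added illustration (not part of the thread and not Microsoft's code), the following Python model implements the renewal rules quoted above: End Time = Start Time + maximum ticket life, Renew Till = Start Time + maximum cumulative life, and a renewal is granted only while the current instance is unexpired and the renew-till time has not arrived, with the renewed end time capped at renew-till as RFC 4120 section 3.3.3 requires. It uses the 10-hour user ticket life and the 7-day versus 1-day renewal lifetimes discussed in the thread to show how long a TGT stays usable without a password under each setting. The policy/dataclass names, the fixed logon instant and the simulated holder that renews ten minutes before each end time are assumptions of this example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class KerberosPolicy:
    """Domain Kerberos policy values that matter for TGT renewal (assumed names)."""
    max_ticket_life: timedelta     # "Maximum lifetime for user ticket"
    max_renewal_life: timedelta    # "Maximum lifetime for user ticket renewal"


@dataclass(frozen=True)
class Tgt:
    """One instance of a renewable TGT, following the quoted description."""
    start: datetime
    end: datetime                  # End Time: this instance stops being usable
    renew_till: datetime           # Renew Till: fixed at first issue, never extended
    session_key_generation: int = 1


# Policy values taken from the thread: 10-hour ticket life with the default
# 7-day renewal lifetime, versus the proposed 1-day renewal lifetime.
DEFAULT_POLICY = KerberosPolicy(timedelta(hours=10), timedelta(days=7))
PROPOSED_POLICY = KerberosPolicy(timedelta(hours=10), timedelta(days=1))


def issue_tgt(policy: KerberosPolicy, auth_time: datetime) -> Tgt:
    """Initial issue (AS exchange): End Time = Start + max ticket life,
    Renew Till = Start + max cumulative (renewal) life."""
    return Tgt(start=auth_time,
               end=auth_time + policy.max_ticket_life,
               renew_till=auth_time + policy.max_renewal_life)


def renew_tgt(policy: KerberosPolicy, tgt: Tgt, now: datetime) -> Optional[Tgt]:
    """Renewal (TGS exchange with the RENEW option). The KDC refuses if the
    current instance has already expired or the renew-till time has arrived;
    otherwise it issues a new instance with a fresh session key whose end time
    is capped at renew-till (RFC 4120 section 3.3.3)."""
    if now >= tgt.end or now >= tgt.renew_till:
        return None
    new_end = min(now + policy.max_ticket_life, tgt.renew_till)
    return replace(tgt, start=now, end=new_end,
                   session_key_generation=tgt.session_key_generation + 1)


def simulate_holder(policy: KerberosPolicy, auth_time: datetime,
                    margin: timedelta = timedelta(minutes=10)) -> Tuple[int, datetime]:
    """Assumed worst case for a stolen TGT: whoever holds it renews it shortly
    before every end time and never supplies a password. Returns how many
    renewals the KDC grants and the last moment the TGT is usable."""
    tgt = issue_tgt(policy, auth_time)
    renewals = 0
    while True:
        renewed = renew_tgt(policy, tgt, tgt.end - margin)
        if renewed is None or renewed.end <= tgt.end:   # no further extension possible
            return renewals, tgt.end
        tgt = renewed
        renewals += 1


def exposure_hours(policy: KerberosPolicy) -> Tuple[int, float]:
    """Renewals granted and total hours a TGT stays usable without a password
    under the given policy (the logon time is an arbitrary fixed instant)."""
    logon = datetime(2015, 1, 5, 8, 0)
    renewals, last_usable = simulate_holder(policy, logon)
    return renewals, (last_usable - logon).total_seconds() / 3600


if __name__ == "__main__":
    for label, policy in (("default 7-day renewal", DEFAULT_POLICY),
                          ("proposed 1-day renewal", PROPOSED_POLICY)):
        renewals, hours = exposure_hours(policy)
        print(f"{label}: {renewals} renewals, TGT usable for {hours:.0f} h without a password")
```

With these inputs the model reports 17 renewals and 168 hours under the default policy against 2 renewals and 24 hours under the proposed one; the renewal lifetime, not the 10-hour ticket life, is what bounds how long a stolen TGT can be kept alive, while each renewal is also the point at which the session key is replaced.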

Similar Messages

  • Maximum lifetime for user ticket renewal - where to find this setting on member server?

    Hi,
      we have set a value of 15 days for the GPO setting "Maximum lifetime for user ticket renewal" under Kerberos policy on a separate policy linked to the domain. The default value on the "default domain policy" is 7. RSOP or GPRESULT
    doesn't show the actual setting on a member server. As both policies are linked at domain level, will the effective policy be 7 or 10 on member servers/workstations? How do we find the actual settings for the above policy on any of the member servers?

    > or 10 on member servers/Workstation?  How do we find the actual settings
    > for above policy on any of the member servers?
    Nowhere. You'll see this only on a DC, because this only affects DCs
    (the KDC, to be precise, that issues these tickets).
    Martin
    Care to read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Kerberos Service tickets & Service server

    Hi,
    I've implemented a simple hello_world.java application (on Windows) that gets authenticated by the KerberosLoginModule using the Kerberos keytab (not the TGT!).
    - That keytab was built on a Microsoft Server 2003 using "ktpass".
    - The name of the application "hello_world" was added in Active Directory using setspn.exe (necessary if I want to use Kerberos service tickets) for a user account.
    At the moment every account can launch the application.
    But how can I:
    1- Make that application require and use the service ticket to allow just 1 user to launch the application?
    2- Prevent/Deny all the others.
    and also:
    3- From the user account, establish the communication with the KDC (TGS) to acquire Service Tickets?
    ---> I want that application to require the Kerberos Service Ticket from the user AND decrypt it by using the keytab (to finally allow access to the user).
    Any suggestions for a newbie like me are all welcome.
    Thanks !

    What do you mean by "launch the application"? If it's a class or a jar readable by all, then everyone can launch it. If your "launch" means it can authenticate itself and go on, maybe you can simply make the keytab file readable by a single user.
    Anyway this looks a little strange. Normally JGSS programs have a client and a server; the client needs to authenticate itself to the server and request the server to do something. If you have only one program, a user may alter the configuration (say, appointing another KDC), trick the program into believing it passed the authentication stage, and go on.

  • Impact of moving a user from one organisational unit to another.

    Hi
    my system description :
    extended classic
    srm 5.00
    I am new to SRM and I have some questions about the impact of moving a user from one organisational unit to another.
    The scenario is that:
    I have moved a user from organisational unit X to Y, let's say a different purchasing organisation.
    The user had a PO created in organisational unit X waiting for goods receipt, but even though he is now in organisational unit Y he can still create the goods receipt for the PO created in organisational unit X.
    Is it OK?
    Furthermore, not only can he create the goods receipt, but the goods receipt takes the cost center assigned in organisational unit Y whereas the PO has the cost center of organisation X.
    I believe that is how the confirmation works in SRM. However, is there a way for it to take the account assignment from the PO instead of where the user is situated in the org hierarchy when doing confirmation?
    Thanks

    Thanks for your answers
    Maybe I should explain how the user was moved.
    I did not use users_gen because I didn't want the user's partner ID to be changed. If the partner ID is changed then the user would not be able to access POs from the old organisation unit. (Can somebody confirm this please?)
    I right-clicked on the wanted organisation unit and then assigned the user. The problem is that the relationship between the user partner ID and the new organisation unit was not maintained and the user could not create a shopping cart in the new organisation unit.
    To solve this issue OSS note 1041701 was implemented and the issue was solved.
    But before the implementation of OSS note 1041701, if the user had open items from the old organisational unit he could not access the PO and thus could not confirm goods receipt when moved to the new organisation unit.
    Now this is possible: he can confirm goods from the old unit, but the confirmation is done using the cost centre of the user instead of the cost centre of the PO.
    Jagadish, you said that the confirmation must be done using the PO accounting details, not the user attributes. Then I think I have a problem in my system.
    regards,
    yannick.

  • Impact of J2EE_ADMIN / Administrator user getting locked

    Hi,
    What is the impact of the J2EE_ADMIN / Administrator user getting locked in the ABAP / Java engines? Will it affect startup of Java server processes or Java applications? What are the other implications?
    Thanks,
    Abdul

    Hi Abdul,
    if the J2EE_ADMIN or Administrator user is locked then
    1. you cannot log in to Visual Admin unless you define some other user with the same authorization.
    2. any JCo-RFC using this user won't work.
    3. if you don't have any other user, you will have to activate the SAP* user to unlock this user.
    Thanks,
    Sandeep

  • How to send a Patch Impact report to a user?

    Hi:
    This is for 12.1.3, 10g on Linux. Would someone please tell me how to send a Patch Impact report to a user? She does not want to go to EBS to look and asked me to send her a report. I have looked but didn't see anywhere I can do that. Please guide me.
    Thanks and regards

    873768 wrote:
    I ran a patch analyzer from OAM and got a report from "Impact". I was hoping the functional person could also log in to OAM and see it there. But she wants me to send a report to her. But when you click on "Impact" there is no single report but a lot of clicks. I am asking if there is a way to copy/download the report?
    Nayas has already answered this question -- You can save the report (File > Save As) or take a screenshot or whatever is convenient for you and send it to the user.
    Thanks,
    Hussein

  • ACS support Kerberos User Database?

    Hi,
    I have a customer who currently has a Kerberos user database. I proposed that he implement ACS to enable 802.1x on wireless clients. Can ACS support or integrate with a Kerberos user database? If yes, is there any user guide which lists the steps for doing so?
    I searched through the Cisco website but failed to find any info related to the integration of ACS with a Kerberos user database.
    Thanks.
    Delon

    For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

  • Kerberos service ticket was requested

    I got the following message in my event viewer. Can anyone advise on this?
    A Kerberos service ticket was requested.
    Account Information:
    Account Name:
    Account Domain:
    Logon GUID:
    {00000000-0000-0000-0000-000000000000}
    Service Information:
    Service Name:
    Service ID:
    NULL SID
    Network Information:
    Client Address:
    192.168.0.57
    Client Port:
    1154
    Additional Information:
    Ticket Options:
    0x40800000
    Ticket Encryption Type:
    0xffffffff
    Failure Code:
    0x25
    Transited Services:
    This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.
    This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
    Ticket options, encryption types, and failure codes are defined in RFC 4120.
    thanks,
    Ashley

    Yeah… Code 0x25: Clock skew too great. The workstation's clock is too far out of sync with the DC's. Refer: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
    Best,
    Howtodo
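An added example, not from the thread: a small Python triage helper that parses the label/value layout of the "A Kerberos service ticket was requested" audit event (event ID 4769) as pasted above and decodes its three hex fields per RFC 4120, the Ticket Options bit flags, the encryption type and the failure code, so that a defender can tell a clock-skew failure (0x25) from a bad password, a revoked account or a missing SPN. The sample event is constructed from the thread's values with placeholder account and service names (the thread's copy had them blank); the function names and the hint table are this example's own.

```python
from typing import Dict, List, Tuple

# KDCOptions bit numbers from RFC 4120 section 5.4.1; bit 0 is the most
# significant bit of the 32-bit value the event shows as "Ticket Options".
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Selection of KRB error codes from RFC 4120 section 7.5.9 (decimal values).
KRB_ERROR_CODES = {
    0: "KDC_ERR_NONE", 6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 12: "KDC_ERR_POLICY",
    13: "KDC_ERR_BADOPTION", 14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
}

# Triage hints for the codes a defender sees most often (this example's wording).
TRIAGE_HINTS = {
    0: "success; no action",
    7: "service principal unknown: check for a missing or duplicate SPN",
    18: "client account revoked: disabled, locked out or expired",
    23: "password expired",
    24: "pre-authentication failed: wrong password; watch for bursts from one client address",
    32: "ticket expired: client should re-authenticate",
    37: "clock skew too great: compare the client's clock with the DC's and fix time synchronisation",
}

# Encryption types from RFC 3961/3962/4757; 0xffffffff appears in failure
# events where no ticket was issued, as in the thread's event.
KRB_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
              18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample mirroring the fields pasted in the thread; the account
# and service names are placeholders.
SAMPLE_EVENT = """\
A Kerberos service ticket was requested.
Account Information:
Account Name:
jdoe@EXAMPLE.LOCAL
Account Domain:
EXAMPLE.LOCAL
Logon GUID:
{00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
fileserver01$
Service ID:
NULL SID
Network Information:
Client Address:
192.168.0.57
Client Port:
1154
Additional Information:
Ticket Options:
0x40800000
Ticket Encryption Type:
0xffffffff
Failure Code:
0x25
Transited Services:
"""


def parse_event_fields(text: str) -> Dict[str, str]:
    """A line ending in ':' is a label and the next non-label line is its
    value; a label directly followed by another label has an empty value."""
    fields: Dict[str, str] = {}
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            label = line[:-1]
            fields.setdefault(label, "")
        elif label is not None:
            fields[label] = line
            label = None
    return fields


def decode_ticket_options(hex_value: str) -> List[str]:
    """Names of the KDCOptions bits set in the hex value, in bit order."""
    value = int(hex_value, 16)
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if value & (1 << (31 - bit))]


def decode_failure_code(hex_value: str) -> Tuple[int, str]:
    code = int(hex_value, 16)
    return code, KRB_ERROR_CODES.get(code, "unknown")


def decode_etype(hex_value: str) -> str:
    etype = int(hex_value, 16)
    if etype == 0xFFFFFFFF:
        return "none (request failed, no ticket issued)"
    return KRB_ETYPES.get(etype, f"unknown ({etype})")


def triage(event_text: str) -> Dict[str, object]:
    """Decode one event body into the fields an analyst needs plus a hint."""
    f = parse_event_fields(event_text)
    code, name = decode_failure_code(f.get("Failure Code") or "0x0")
    return {
        "account": f.get("Account Name", ""),
        "service": f.get("Service Name", ""),
        "client_address": f.get("Client Address", ""),
        "options": decode_ticket_options(f.get("Ticket Options") or "0x0"),
        "etype": decode_etype(f.get("Ticket Encryption Type") or "0x0"),
        "failure": (code, name),
        "hint": TRIAGE_HINTS.get(code, "see RFC 4120 section 7.5.9"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key:>15}: {value}")
```

For the thread's values this yields options ["forwardable", "renewable"], encryption type "none" and failure (37, "KRB_AP_ERR_SKEW") with the clock-skew hint; feeding it a series of events from the same client address with code 0x18 instead would surface a password-guessing pattern rather than a time-sync problem.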

  • Impact of removing Designer users

    Hi,
    I want to do a clean up of our Designer users, as quite a few people listed have left the company or no longer use the tool. What is the impact of doing this? I'm thinking of how things like the audit columns are affected, e.g. if the last change to an object was made by a user that I want to remove, is this a problem?
    We're using v6, btw.
    Thanks,
    Antony

    No, by "version control" he meant the ability in 6i/9i/10g to version individual elements (i.e. tables, entities, modules). It sounds like you're still using 6.0, in which you can "clone" an entire application system to retain an "old version" of it.
    One other thing to clean up before you remove those users: go find all the application systems that those users own. First grant full privileges on each to your standard <RepositoryAdministrator> account. And then "change ownership" of each application system to be the <ReposAdmin> account. Two steps. And you have to do this while logged in as the old user. In fact, it's good practice to have a <ReposAdmin> account to do your AppSys creation and user grants with. It doesn't have to be the <ReposOwner> account either, if you don't want to give out that password.

  • Tuxedo impacting lcount in oracle user$ table on wrong login

    On every wrong login to a 2-tier application, lcount in the user$ table in Oracle is incremented by 2. If I use a 3-tier application using Tuxedo then lcount is increased by 2 more than it was in 2-tier.
    Can anyone help me understand the behavior of Tuxedo with respect to updating lcount in the user$ table? How does Tuxedo processing impact lcount in the user$ table? Or do I need to check my application code, which might be driving this behavior?

    Hi,
    Tuxedo doesn't directly affect any database tables. In fact, Tuxedo doesn't know what a database or database table is!
    What may be happening is if you are using XA transactions and you have an error in the OPENINFO string, when a Tuxedo server tries to participate in an XA transaction with the database, it makes XA calls to the database with the OPENINFO string. Those calls are done in addition to any database calls the Tuxedo server application code does. Does your application use XA transactions, i.e., do you have an OPENINFO string associated with the group of Tuxedo servers and the appropriate TMS built for the resource manager?
    Regards,
    Todd Little
    Oracle Tuxedo Chief Architect

  • Kerberos user entries corrupt

    Hello,
    I've been trying to get Kerio Connect to authenticate against my OS X Server using Kerberos. I noticed when using the dscl utility that the users have entries like this:
    ;Kerberosv5;0x4b9015d41094b8ce0000001000000010
    ...which is not a properly formed entry. Changing a user's password does not update this entry.
    Now, of course, I can delete this entry on each user record and then have them change their password to get the proper entry there but I'm wondering if anyone has encountered this issue before and has a great way to fix all the user accounts with minimal effort.
    I also tried creating a kerberos entry from scratch based on the password entry but there must be something in the change password command that adds the kerberos entry to the kerberos db.
    Thanks!

    Has your Open Directory system been restored from an archive under 10.6? There's a longstanding bug in the OD restore process that corrupts the ;Kerberosv5; AuthenticationAuthority data like this. There's a manual procedure for rebuilding them in [this discussion|http://discussions.apple.com/message.jspa?messageID=10362561#10362561]. If you have too many users to repair manually, let me know; I have a script that might work, though it's not terribly well tested.

  • Sizing Impact for Trex and user defined Message search

    Hi All,
        In PI 7.1 we have content-based search in NWA and also we have TREX-based search. Does anyone have any idea about the sizing impact of both?
    Regards
    Pradeep P N

    Hi.
    From SAP Note 1600078:
    Solution
    Most problems occur because you use the communication components or partners as the filter criteria in the filter even though you want the system to index only certain interfaces. In this situation, you must always set the components or partners to "*".
    If you specify components or partners, you must consider how indexing of messages runs technically. If indexing is called at runtime, the system executes it at the start of the Integration Engine and at the end of the Integration Engine; this means that the value that the components or partners have at this point is definitive. For example, if you have defined a receiving component, this is not set at the start of the Integration Engine (except in special cases) and this is why the filter does not select the message. It also has no effect at the end because the message contains the receiving interface after the mapping. If you call the test function of transaction SXMS_LMS_CONF, the filter is used on each individual persistent version of the message (the same process as when indexing via a job). If the message is made persistent directly before the mapping, the sender interface exists there and the receiving component or partner is set. Therefore, the filter described above would be active here. As a result, this function is better defined to check the XPath than the filter criteria.
    Check if you put  * in the receiver component.
    Regards
    Lucho.

  • The Kerberos/GSSAPI ticket was not accepted by the POP server. Please check that you are logged in to the Kerberos/GSSAPI realm. How do I fix this?

    I have just downloaded and installed Thunderbird on a new Windows 8 computer. I get the message in the headline when I press the Get Mail button.

    What do you have for Connection security and Authentication method in Tools(or AppMenu/Options)/Account Settings/<i>accountname</i>/Server Settings? What is the POP server - does it support Kerberos/GSSAPI?

  • SUIM Change Documents shows duplicate information on user validity renewal

    Hello,
    When the validity is extended or the password is reset, the roles which are already present in the user profile appear as added again in SUIM. [It appears as "Profile added"]
    Is this a bug? How can I correct this? Kindly help.
    Thanks a lot in advance!
    Regards,
    Sundar.

    This is because when a role is out of validity, the profiles are removed.
    When you change it to be valid again, the profiles of that role are added again.
    Roles are not authority normally, they are just a tool.
    I assume that the password comment is only because you are resetting the user's pwd when you reactivate their access (the access of their roles being valid again).
    You are doing it the correct way, and change docs are correct and there is no "bug".
    Cheers,
    Julius

  • Linked server using kerberos working fine then after inacitive for 10 minutes start receiving the anonymous logon error

    Linked server using Kerberos is working fine, but after leaving the session inactive for 10 minutes it starts to fall down to NTLM and receives the anonymous logon error.

    We are connecting to the SQL Management Studio app published on Citrix, using Windows authentication and Kerberos to forward the credentials to the linked servers and avoid the double-hop issue. That part is working fine; we already have the constrained
    delegation, SPNs and Active Directory settings for the service accounts, and the authentication is working: we can connect to the linked servers without errors. It's only when the session gets idle that we face the issue. The Citrix team has already verified
    any timeout setting and they mentioned there is no 10-minute timeout setting anywhere. We also looked at the Kerberos AD global policy settings to see if maybe the Kerberos service ticket was expiring, but the configured values are: Maximum lifetime
    for service ticket 600 minutes, Maximum lifetime for user ticket 10 hours, Maximum lifetime for user ticket renewal 7 days. If you have any other suggestion please let me know.
