Microsoft KB Archive/300436

= Kerberos Renews TGT When it Should Be Refreshed =

Article ID: 300436

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q300436



SYMPTOMS
By default, Kerberos Ticket Granting Tickets (TGTs) are refreshed every 10 hours and the tickets are renewed every 7 days (you can change these settings by using a group policy). When a TGT's age reaches 10 hours, it does not refresh automatically. The first attempt to use the TGT after this period has expired results in the TGT being renewed rather than refreshed. When a TGT is refreshed, it does not use password information to complete the operation, but a TGT renewal does.

If a user account password has been reset or changed from another computer while the user is logged onto a separate computer and an account lockout policy has been implemented, the account may become locked. The Kerberos client attempts to refresh the TGT retrieve cached password information that is now out of date.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbbug kbenv kbpending KB300436

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.