elliotg
Old Timer
  
Australia
416 Posts
Status: offline |
Posted - 07/21/2006 : 02:53:42 AM
My understanding of kerberos is not as deep as it should be, and I am now faced with a forensic problem about whether someone used their computer last weekend!
The situation is this. The user definitely logged in and authentication and service tickets were granted last Friday. We cannot tell when they logged out as local security logging on the machine was not enabled. Assuming they did NOT logout Friday evening, and used their machine over the weekend for downloading from the internet (i.e. not for AD authenticated services), would you expect further entries in the logs on the DC?
Our maximum lifetime for user ticket is set at the default 10 hours. But if they stayed logged in, and did not access any network shares, would this be renewed every 10 hours? Or only when they needed it? And are such renewals seen in the logs? The closest type of event I can find is the 672 Authentication Ticket request. But is this for both new requests and renewals?
Any help from kerberos gurus will be greatly appreciated!
Elliot
Elliot Gingold University of Melbourne, Australia
joe_elway
Honorable But Hopeless Addict
    
Ireland
7406 Posts
Status: offline |
Dave Sweatt
Old Timer
  
USA
439 Posts
Status: offline |
Posted - 07/21/2006 : 5:22:44 PM
Ah yes, good ol' Ticket Taker Tom and his Tandy! Say Mark, did you ever fix the DC so more than 1 drive's working? <g> Just kidding, that's one hell of a great session ya got there!
Vegetarians eat vegetables. Humanitarians frighten me.
Edited by - Dave Sweatt on 07/21/2006 5:24:19 PM
Mark Minasi
Chief cook and bottle washer
    
USA
10658 Posts
Status: offline |
Posted - 07/22/2006 : 08:44:41 AM
Hi Elliot --
Backroom chatter aside<g>, I don't know the answer. But here's a reasonable guess.
1) We know that Kerb tickets expire in 10 hours and will be renewed upon request.
2) What might cause that request? What domain resources might we want that would en passant kick off a need for a new ticket?
3) Here's one -- the group policy refresh. Happens about every 90 minutes. Even if no one's at the computer.
Mark tweetin' at mminasi
elliotg
Old Timer
  
Australia
416 Posts
Status: offline |
Posted - 07/22/2006 : 9:30:47 PM
quote: Originally posted by MarkMinasi
Hi Elliot --
Backroom chatter aside<g>, I don't know the answer. But here's a reasonable guess.
1) We know that Kerb tickets expire in 10 hours and will be renewed upon request.
2) What might cause that request? What domain resources might we want that would en passant kick off a need for a new ticket?
3) Here's one -- the group policy refresh. Happens about every 90 minutes. Even if no one's at the computer.
That is what I would have expected. I am going to run a test - log into a machine and do nothing for the next 24 hours except go to web sites. See what appears in the logs.
I will set this up tomorrow and report back to the group later this week. It is not an idle piece of curiosity as the use of the IP address over last weekend was definitely not in line with regulations but I am disinclined to automatically blame the last person who had logged in!
Elliot
Elliot Gingold University of Melbourne, Australia
Dave Sweatt
Old Timer
  
USA
439 Posts
Status: offline |
Posted - 07/24/2006 : 8:01:18 PM
Kidding aside, I would think that if the user is logged on and no time limit is set by logon hours, etc that the TGT will be renewed automagically every 10 hours. Otherwise it seems locking your workstation as opposed to logging off for the night would be problematic, but I'm not 100% sure. KList & Kerbtray from the 2003 resource kit give some limited ticket information, but that's only going to give you info on the currently cached tickets, like issue time, expiration and the like so I don't think that will help you much. Do you do any logging on your firewall? I use ISA and from that I can see who, from what IP went to where on the outside at what time. If you don't have access to the firewall (I run the ISA box, but another very secretive dude has the PIX, so I know how it can be) you might talk to your network folks to see if they can help out.
Vegetarians eat vegetables. Humanitarians frighten me.
Edited by - Dave Sweatt on 07/24/2006 8:03:02 PM
elliotg
Old Timer
  
Australia
416 Posts
Status: offline |
Posted - 07/25/2006 : 02:49:38 AM
I have now done my testing and can confirm that what Mark has suggested is absolutely correct. I am logged into a machine in the AD with a test account, and even though I have not touched it, there is a stream of Kerberos messages in the DC event logs. These include service ticket requests/renewals, and authentication ticket requests. There is one ST failure, the rest are successful. The time intervals are consistent with a 10 hour ticket expiry.
I obtained this information from a server which consolidates DC log files, but only for certain events - not including successful logons (there are too many). Going back to the DC itself and looking in the unfiltered event logs reveals that the user is logging on to the DC every 90 minutes or so. Hence, like Mark suggested, it appears as if the activity which requires Kerberos tickets is Group Policy refresh (by default every 90 minutes).
The conclusion I can thus draw, concerning the original query, is that the user probably did not remain logged into the workstation over the weekend in question. If they had done so there should have been ample evidence of this in the DC logs. In fact, I can find no evidence that the machine account connected to the DCs either, raising the possibility that the machine was off or disconnected over that time period.
Thanks to all who helped.
Elliot
Elliot Gingold University of Melbourne, Australia
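The check Mark reasoned about and Elliot then ran by hand, as an added example that is not part of the thread and not anyone's posted code: it parses a security-log export from a DC and reports, for one user or computer account over a time window, whether the Kerberos "heartbeat" of an idle but logged-on Windows session is present (service ticket requests roughly every 90 minutes from the background group policy refresh, which by default adds a random offset of up to 30 minutes, plus fresh TGT requests at the 10-hour ticket lifetime). Event IDs 672, 673 and 674 are the Windows 2000/2003 Kerberos audit events (authentication ticket granted, service ticket granted, and ticket granted renewed, the last being the renewal event Elliot asked about); Windows 2008 and later log 4768, 4769 and 4770 instead, and the parser folds those onto the older IDs. The export format (`timestamp,event_id,account,client_ip` lines), the `LAB\suspect` and `LAB\control` accounts and all sample events are constructed for the example; nothing here comes from a real log.

```python
"""Kerberos 'heartbeat' check for an AD account in a DC security-log export.

Added example, not from the original thread. The export format and the
sample data are constructed, not a real log.
"""
from collections import Counter
from datetime import datetime, timedelta

# Windows 2000/2003 Kerberos audit event IDs (2008+ equivalents in comments).
KERB_EVENTS = {
    672: "Authentication ticket (TGT) granted",   # 4768
    673: "Service ticket granted",                # 4769
    674: "Ticket granted renewed",                # 4770
    675: "Pre-authentication failed",             # 4771
    676: "Authentication ticket request failed",  # 4768 with a failure code
    677: "Service ticket request failed",         # 4769 with a failure code
}
MODERN_TO_LEGACY = {4768: 672, 4769: 673, 4770: 674, 4771: 675}  # success IDs only
SUCCESS = {672, 673, 674}
FAILURE = {675, 676, 677}

GPO_REFRESH = timedelta(minutes=90)   # default background refresh interval
GPO_JITTER = timedelta(minutes=30)    # default random offset added to it (0-30 min)
TGT_LIFETIME = timedelta(hours=10)    # the thread's default user ticket lifetime


def parse_log(text):
    """Parse 'timestamp,event_id,account,client_ip' lines into sorted records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, ip = (f.strip() for f in line.split(","))
        eid = MODERN_TO_LEGACY.get(int(eid), int(eid))
        if eid not in KERB_EVENTS:          # non-Kerberos events are skipped
            continue
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "event": eid, "account": account, "ip": ip})
    return sorted(records, key=lambda r: r["time"])


def activity_report(records, account, start, end):
    """Summarise one account's Kerberos events inside [start, end].
    heartbeat_gaps counts intervals between successful ticket events that fit
    the group policy refresh cadence (90 min plus up to 30 min of jitter)."""
    evs = [r for r in records
           if r["account"].lower() == account.lower() and start <= r["time"] <= end]
    times = [r["time"] for r in evs if r["event"] in SUCCESS]
    gaps = [b - a for a, b in zip(times, times[1:])]
    lo, hi = GPO_REFRESH - GPO_JITTER, GPO_REFRESH + GPO_JITTER
    return {
        "account": account,
        "events": len(evs),
        "by_id": dict(Counter(r["event"] for r in evs)),
        "failures": sum(1 for r in evs if r["event"] in FAILURE),
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
        "heartbeat_gaps": sum(1 for g in gaps if lo <= g <= hi),
        "longest_gap": max(gaps) if gaps else timedelta(0),
    }


def logged_on_throughout(report, start, end):
    """True if an idle-but-logged-on session is plausible for the whole window:
    activity near both edges and no silence longer than one refresh cycle."""
    if report["first"] is None:
        return False
    limit = GPO_REFRESH + GPO_JITTER
    return (report["first"] - start <= limit
            and end - report["last"] <= limit
            and report["longest_gap"] <= limit)


def build_sample_log():
    """Constructed export: 'suspect' logs on Friday and the trail stops that
    evening; 'control' is a test account left logged on over the weekend."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = ["# timestamp,event_id,account,client_ip"]
    t = datetime(2006, 7, 21, 8, 55, 0)
    lines.append(f"{t:{fmt}},672,LAB\\suspect,10.1.2.3")            # logon: TGT
    lines.append(f"{t + timedelta(seconds=1):{fmt}},673,LAB\\suspect,10.1.2.3")
    while t < datetime(2006, 7, 21, 18, 0, 0):                       # refresh every 95 min
        t += timedelta(minutes=95)
        lines.append(f"{t:{fmt}},673,LAB\\suspect,10.1.2.3")
    t0 = t = datetime(2006, 7, 21, 9, 0, 0)
    lines.append(f"{t0:{fmt}},672,LAB\\control,10.1.2.4")
    while t < datetime(2006, 7, 24, 9, 0, 0):                        # 90 min + deterministic jitter
        t += GPO_REFRESH + timedelta(minutes=(len(lines) * 7) % 30)
        lines.append(f"{t:{fmt}},4769,LAB\\control,10.1.2.4")        # 2008+ ID, mapped to 673
    for k in range(1, 8):                                            # new TGT every 10 h
        lines.append(f"{t0 + k * TGT_LIFETIME:{fmt}},672,LAB\\control,10.1.2.4")
    lines.append("2006-07-22 03:00:00,677,LAB\\control,10.1.2.4")    # one ST failure
    return "\n".join(lines)


FRIDAY = (datetime(2006, 7, 21, 0, 0, 0), datetime(2006, 7, 22, 0, 0, 0))
WEEKEND = (datetime(2006, 7, 22, 0, 0, 0), datetime(2006, 7, 24, 6, 0, 0))

if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for acct in ("LAB\\suspect", "LAB\\control"):
        rep = activity_report(recs, acct, *WEEKEND)
        print(acct, rep["events"], rep["heartbeat_gaps"], logged_on_throughout(rep, *WEEKEND))
```

Run it and the suspect shows the Friday cadence (a 672 at logon, then 673s about every 95 minutes) and nothing over the weekend, while the control account, like Elliot's idle test account, leaves an unbroken trail with 672s at each 10-hour boundary. Feed `activity_report` the computer account (the name ending in `$`) as well as the user to reproduce Elliot's second check; a silent machine account over the same window is the sign that the workstation was off or disconnected rather than merely logged off. The export format is a placeholder: on a 2003 DC the same fields come out of a security-log dump or an event-collection server, on 2008+ out of `Get-WinEvent`, and only `parse_log` has to change.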
joe_elway
Honorable But Hopeless Addict
    
Ireland
7406 Posts
Status: offline |
Posted - 07/25/2006 : 04:38:13 AM
|
I've seen this a lot with admins disconnecting from RDP sessions to servers. Overnight, we'd get tickets in MOM telling us there were problems renewing GPO for the disconnected admin.
Aidan Finn MCSE, MVP (Virtual Machine)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ Books: WS2012 Hyper-V Installation & Config Guide, MSFT Private Cloud Computing Twitter: http://twitter.com/joe_elway