这里有答案
Can the lifetime be longer than the renewal time?
Technically, yes. Logically, the ticket lifetime should not be longer than ticket renewal time. Let’s say the lifetime is 8 days and the renewal time is 7 days. The ticket will be invalid after 7 days no matter what the lifetime value is. Renewal time is the maximum cumulative time a ticket can be extended for.
更新Ticket的时候用户Hash来自哪里?
答案:
交互式登陆的用户密码Hash:
The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy of the hashed password is destroyed when the user's logon session is destroyed.
服务和电脑HASH
Hashed passwords for services and computers are handled differently than above. As in Windows NT, hashed passwords are stored in a secure area of the computer's registry. The registry is also used to store hashed passwords for user accounts on the local system, but local accounts are used only for access to computers in standalone mode, never for network access.
缺省值
- Maximum lifetime for user ticket: 10 hours
- Maximum lifetime for user ticket renewal: 7 days
Please note that “ticket renewal” value equals to “maximum cumulative ticket life”. It means that a ticket can be refreshed (a new session key is assigned) every 10 hours for 7 days. If it has been 7 days or more since the ticket was created, a new ticket has to be created even if the ticket is renewable. This is because the maximum cumulative ticket life is reached.
Any side effects if the lifetime is the same as renewal time?
It’s acceptable. However, it is better if the renewal time is longer than the lifetime. If they are the same:
- If the value is small such as 1 day, it means the client should reauthenticate every day which makes the process inefficient
- If the value is high such as 3-4 days, it means the client will stay authenticated for 3-4 days. There are security concerns around high ticket lifetimes:
- If an account is disabled (let’s say the person leaves the company), the account can continue to use the application until the ticket is expired
- If the ticket is compromised, the attacker will be able to penetrate the system until the ticket is expired
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· 10年+ .NET Coder 心语 ── 封装的思维:从隐藏、稳定开始理解其本质意义
· 地球OL攻略 —— 某应届生求职总结
· 提示词工程——AI应用必不可少的技术
· Open-Sora 2.0 重磅开源!
· 字符编码:从基础到乱码解决