Forum Discussion
Kerberos SSO and AD password changes
I have an app utilizing APM for Cert auth then Kerberos SSO to the back end.
When users change their passwords, their Kerberos ticket is no longer valid (so they are prompted for AD creds by the server). I'm wondering if there is any way to force APM to get another Kerberos ticket under those circumstances, or at the very least clear the Kerberos cache and then return a 302 rather than a 401 to the user?
6 Replies
- kunjan
Nimbostratus
Don't have an answer other than maybe reducing the ticket cache time. But just curious, how do you recover currently?
- R_Marc
Nimbostratus
The user can either enter their username and password when prompted, or just restart their session. Unfortunately we have some executives that never, ever, ever want to have to enter their creds or be asked for them, 'cause, you know, it's hard.
- kunjan_118660
Cumulonimbus
If restarting the session helps, how about sending a 302 redirect on 401 and forcing to start a new user session?
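As an added illustration of the "302 on 401" approach suggested above (an example iRule written for this page, not code posted by anyone in the thread): when the back end answers a Kerberos SSO attempt with a 401 Negotiate challenge, the iRule tears down the APM session and sends the browser a 302 back to the original URI, so the access policy (cert auth, then Kerberos SSO) runs again instead of the user seeing the server's credential prompt. Assumptions: APM fronts the virtual server with the access policy and Kerberos SSO already attached, the cookie name `krb_sso_retry` and its 60-second lifetime are arbitrary loop-guard choices, and whether the fresh session receives a fresh ticket or APM reuses the one still in its own cache is exactly the open question in this thread; the iRule only handles the redirect and a loop guard.

```tcl
# Example iRule (added for illustration; not from the original thread).
# Assumes an APM access policy with Kerberos SSO is attached to the virtual
# server. The cookie name "krb_sso_retry" is an arbitrary choice.

when HTTP_REQUEST {
    # Keep the client's URI so the user lands back where they were after the
    # session restart.
    set orig_uri [HTTP::uri]

    # Has this client already been bounced once? Used to avoid a redirect loop
    # if the back end keeps rejecting the ticket (for example because the
    # cached ticket has not expired yet).
    set already_retried [HTTP::cookie exists "krb_sso_retry"]
}

when HTTP_RESPONSE {
    # Act only on a Negotiate challenge, i.e. the server rejected the Kerberos
    # SSO ticket; leave any other 401 the application may return alone.
    if { [HTTP::status] != 401 } { return }
    if { ![string match -nocase "negotiate*" [HTTP::header value "WWW-Authenticate"]] } {
        return
    }

    if { $already_retried } {
        # Second failure in a row: fall through and let the user see the 401
        # so they can enter their AD credentials rather than looping forever.
        return
    }

    # Tear down the APM session so the access policy (and Kerberos SSO) runs
    # again on the next request instead of reusing the stale session.
    ACCESS::session remove

    # Answer the browser with a 302 back to the original URI. The short-lived
    # cookie marks this client as already retried once.
    HTTP::respond 302 noserver \
        "Location" $orig_uri \
        "Set-Cookie" "krb_sso_retry=1; Path=/; Secure; HttpOnly; Max-Age=60" \
        "Cache-Control" "no-store"
}
```

Attach the iRule to the same virtual server that carries the access policy. The `WWW-Authenticate: Negotiate` check matters: an application can return its own 401 for reasons unrelated to SSO, and restarting the APM session on every 401 would turn those into a redirect loop for the user.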
- R_Marc
Nimbostratus
I plan on trying that, however if the ticket is still cached I think it'll still fail SSO. The default lifetime for Kerberos tickets is 10 hours (600 minutes). The smallest I can set it is 10 minutes per the doco. We'll see if it works.