Forum Discussion

R_Marc_77962
May 08, 2015

Kerberos SSO and AD password changes

I have an app utilizing APM for Cert auth then Kerberos SSO to the back end.


When users change their passwords, their kerberos ticket is no longer valid (so they are prompted for AD creds by the server). I'm wondering if there is any way to force APM to get another kerberos ticket under those circumstances, or at the very least clear the kerberos cache and then return a 302 rather than a 401 to the user?


6 Replies

  • kunjan

    Don't have an answer other than maybe reducing the ticket cache time. But just curious, how do you recover currently?


  • R_Marc

    The user can either enter their username and password when prompted, or just restart their session. Unfortunately we have some executives that never, ever, ever want to have to enter their creds or be asked for them, 'cause, you know, it's hard.


  • kunjan

    If restarting the session helps, how about sending a 302 redirect on 401 and forcing it to start a new user session?

    • R_Marc

      I plan on trying that, however if the ticket is still cached I think it'll still fail SSO. The default lifetime for Kerberos tickets is 10 hours (600 minutes). The smallest I can set it is 10 minutes per the doco. We'll see if it works.