Kerberos ticket validity


I have a Windows client which is joined to an Active Directory server. I log in using a domain user id and password. On login I get a Kerberos ticket which has a lifetime of 10 hrs.

I am connected to the Windows client using MS Remote Desktop. What I observed is, when I disconnect on RDP and then reconnect, I see that whatever apps or terminals I had opened are still open, which means it was just a disconnect and not a sign-out. But when I do a klist, I see that the ticket validity is extended to 10 hrs from my reconnect time. Just trying to understand why the ticket life is reset on reconnect. I'm not facing an issue, just trying to understand this observation. Is that how it is intended to work? Thanks for any info.

I was under the impression that only sign-out and sign-in will get a new Kerberos ticket.

2

There are 2 best solutions below

0
user1686 On BEST ANSWER
  1. Kerberos tickets can be renewable, i.e. just like you can use the TGT ticket to get service tickets, you can also use the current TGT to get a fresh TGT with another 10-hour lifetime. Windows will automatically keep renewing your krbtgt ticket for as long as possible (usually 7 days total).

  2. Sign-in is not the only time you get a ticket; that can also happen when you lock and unlock the session, as you provide the password when unlocking. For example, if your session lasts long enough that the TGT expires for good (i.e. reaches its "max renew time"), I believe Windows will ask you to lock/unlock for a new ticket without requiring you to fully log off.

  3. Unlike other Kerberos-using protocols (which only send a ticket), RDP deliberately sends your real password to the Remote Desktop server so that the server could treat the connection as a full login – or session unlock – and get you a new ticket if needed.

4
ErkinD39 On

Ticket renewal request and new ticket request are different operations.

Please see below the endtime and renew-till fields of a ticket. Ref: https://www.rfc-editor.org/rfc/rfc4120.txt

"endtime This field contains the time after which the ticket will not be honored (its expiration time). Note that individual services MAY place their own limits on the life of a ticket and MAY reject tickets which have not yet expired. As such, this is really an upper bound on the expiration time for the ticket.

renew-till This field is only present in tickets that have the RENEWABLE flag set in the flags field. It indicates the maximum endtime that may be included in a renewal. It can be thought of as the absolute expiration time for the ticket, including all renewals."

For example: in Windows, endtime is governed by the 'Maximum lifetime for user ticket' policy and the renew-till field is governed by 'Maximum lifetime for user ticket renewal', for which the default values are 10 hrs and 7 days respectively.

Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/kerberos-policy

In your case, the same ticket might have been renewed when you reconnect to the remote server; you may verify this via the Security Event Logs on the Domain Controller (Event ID 4770).

Please note that TGT and TGS are different types of Kerberos tickets, and you should see the tickets' expiry, renewal, flags etc. using klist.

When the user logs off, as you point out, all tickets which were used during the logged-on time are purged.
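To make the distinction both answers draw concrete (a TGS renewal of the same TGT versus a freshly issued TGT), here is an added Python example, not code from either answer: it parses constructed Windows klist excerpts taken before an RDP disconnect and after reconnecting, and classifies what happened. It assumes the usual klist field layout and relies on RFC 4120's rule that only a ticket obtained through an AS exchange carries the INITIAL flag, while renewal leaves renew-till unchanged.

```python
from datetime import datetime

# Constructed Windows klist excerpts (not from the original post), same user's TGT.
BEFORE = """\
#0>     Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/1/2024 8:00:00 (local)
        End Time:   5/1/2024 18:00:00 (local)
        Renew Time: 5/8/2024 8:00:00 (local)
"""
# Renewed via TGS: End Time moved, Renew Time (renew-till) did not, INITIAL flag gone.
AFTER_RENEWED = """\
#0>     Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 5/1/2024 14:30:00 (local)
        End Time:   5/2/2024 0:30:00 (local)
        Renew Time: 5/8/2024 8:00:00 (local)
"""
# Fresh AS exchange (credentials presented again): Renew Time also moved, INITIAL set.
AFTER_FRESH = """\
#0>     Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/1/2024 14:30:00 (local)
        End Time:   5/2/2024 0:30:00 (local)
        Renew Time: 5/8/2024 14:30:00 (local)
"""

def parse_tgt(text):
    """Pull the flag names and start/end/renew-till times out of one klist entry."""
    tkt = {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Ticket Flags"):
            tkt["flags"] = set(line.split("->", 1)[1].split())
        for key in ("Start Time", "End Time", "Renew Time"):
            if line.startswith(key + ":"):
                stamp = line[len(key) + 1:].replace("(local)", "").strip()
                tkt[key.split()[0].lower()] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    return tkt

def classify(before, after):
    """Was the TGT renewed (same ticket, later endtime) or re-issued (new ticket)?"""
    b, a = parse_tgt(before), parse_tgt(after)
    if a["end"] > a["renew"]:
        return "invalid"       # endtime can never exceed renew-till (RFC 4120)
    if a["end"] <= b["end"]:
        return "unchanged"
    if a["renew"] == b["renew"] and "initial" not in a["flags"]:
        return "renewed"       # TGS renewal: renew-till is the fixed ceiling, INITIAL cleared
    if a["renew"] > b["renew"] and "initial" in a["flags"]:
        return "reissued"      # AS exchange: new ticket with its own 7-day renew window
    return "inconsistent"
```

Comparing two real klist snapshots this way tells you which case you hit; the "renewed" case is the one Event ID 4770 on the DC would corroborate.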