Kerberos.NET
TGT renewal doesn't work when using Krb5TicketCache
Describe the bug
KerberosClient has a feature to refresh expiring TGTs, but this seems to work only for MemoryTicketCache. When using Krb5TicketCache the TGT is not getting refreshed.
To Reproduce
Switch cache to Krb5TicketCache
Expected behavior
TGT gets refreshed regardless of ticket cache being used
Fixed with #286. An updated nuget package will be available within a few minutes. Please verify when you get a chance. :)
So now I'm getting this after a while....
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT Kerberos.NET.KerberosProtocolException: KDC KRB_AP_ERR_TKT_EXPIRED: Ticket expired
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Kerberos.NET.Transport.KerberosTransportBase.Decode[T](ReadOnlyMemory`1 response) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 70
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Kerberos.NET.Transport.TcpKerberosTransport.ReadResponse[T](NetworkStream stream, CancellationToken cancellation, TimeSpan readTimeout) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 133
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Kerberos.NET.Client.KerberosClient.RenewTicket(String spn) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1078
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at KerberosSidecar.KerberosWorker.RefreshTicketIfExpiring() in C:\projects\KerberosBuildpack\src\KerberosSidecar\KerberosWorker.cs:line 152
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at KerberosSidecar.KerberosWorker.ExecuteAsync(CancellationToken stoppingToken) in C:\projects\KerberosBuildpack\src\KerberosSidecar\KerberosWorker.cs:line 139
2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)
Here's where it's called from. I know explicit refresh like I'm doing here should technically not be needed anymore, but it should still work shouldn't it?
https://github.com/macsux/kerberos-buildpack/blob/3e71840e578c48d6cb17789ab520aa138b751546/src/KerberosSidecar/KerberosWorker.cs#L144
Code is running on 4.5.155
Your logic isn't quite right. The cache as you're querying it will return any ticket expired or not. As such you can absolutely have a TGT in the cache that is past its expiration, but before it's renewtill date. If you're going to be doing something like that then you need to check tgt.EndTime < DateTimeOffset.UtcNow.
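The distinction Steve draws above, a cached TGT that is past its EndTime but not yet past its renew-till limit, as an added example in C#. This is not code from the Kerberos.NET project or from either participant: CachedTgt, TgtRenewalPolicy, TgtAction and the margin parameter are constructed for the illustration, and the only facts taken from the thread are that the cache hands back expired tickets, that a renewable TGT carries both timestamps, and that the KDC in the trace refused to renew an already-expired TGT with KRB_AP_ERR_TKT_EXPIRED. Real code would read the two timestamps from the ticket object the cache returns.

```csharp
using System;

// Added example, not Kerberos.NET project code. CachedTgt is a constructed
// stand-in for the cached ticket object; only EndTime and RenewTill matter here.
public enum TgtAction
{
    StillValid,        // EndTime is outside the margin: nothing to do yet
    RenewNow,          // inside the margin, still valid, RenewTill not reached: TGS-REQ with RENEW
    ReauthenticateNow  // expired, non-renewable, or RenewTill passed: renewal will be refused
}

public sealed record CachedTgt(DateTimeOffset EndTime, DateTimeOffset? RenewTill);

public static class TgtRenewalPolicy
{
    // Decide what a refresh loop should do with the TGT the cache handed back.
    // DateTimeOffset comparisons are offset-aware, so mixed offsets are safe.
    public static TgtAction Decide(CachedTgt tgt, DateTimeOffset now, TimeSpan margin)
    {
        if (tgt is null) throw new ArgumentNullException(nameof(tgt));
        if (margin < TimeSpan.Zero) throw new ArgumentOutOfRangeException(nameof(margin));

        // Plenty of lifetime left: leave the ticket alone.
        if (tgt.EndTime > now + margin)
            return TgtAction.StillValid;

        // Inside the margin. Renewal is only worth attempting while the ticket is
        // still valid (the KDC in the trace rejected the expired one) and its
        // renew-till limit has not been reached. A null RenewTill means the
        // ticket was never renewable.
        bool stillValid = tgt.EndTime > now;
        bool renewable = tgt.RenewTill is DateTimeOffset renewTill && renewTill > now;

        return stillValid && renewable ? TgtAction.RenewNow : TgtAction.ReauthenticateNow;
    }

    // For a polling loop: sleep until the ticket enters the margin, but never
    // longer than the regular poll interval.
    public static TimeSpan NextCheckDelay(CachedTgt tgt, DateTimeOffset now, TimeSpan margin, TimeSpan pollInterval)
    {
        if (tgt is null) throw new ArgumentNullException(nameof(tgt));

        var untilMargin = tgt.EndTime - margin - now;
        if (untilMargin <= TimeSpan.Zero) return TimeSpan.Zero;
        return untilMargin < pollInterval ? untilMargin : pollInterval;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: "now" is the timestamp from the trace in this thread,
        // the tickets are made up to cover each branch of Decide.
        var now = new DateTimeOffset(2022, 2, 18, 16, 35, 21, TimeSpan.FromHours(-5));
        var margin = TimeSpan.FromMinutes(5);

        var samples = new (string Name, CachedTgt Tgt)[]
        {
            ("fresh",     new CachedTgt(now.AddHours(9),     now.AddDays(6))),
            ("expiring",  new CachedTgt(now.AddMinutes(2),   now.AddDays(6))),
            ("expired",   new CachedTgt(now.AddHours(-1),    now.AddDays(6))),     // the case from the thread
            ("exhausted", new CachedTgt(now.AddMinutes(2),   now.AddMinutes(-1))),
            ("nonrenew",  new CachedTgt(now.AddMinutes(2),   null)),
        };

        foreach (var (name, tgt) in samples)
        {
            var action = TgtRenewalPolicy.Decide(tgt, now, margin);
            var delay = TgtRenewalPolicy.NextCheckDelay(tgt, now, margin, TimeSpan.FromMinutes(1));
            Console.WriteLine($"{name,-10} -> {action,-18} next check in {delay}");
        }
    }
}
```

The point of separating the three outcomes is that "the cache returned a ticket" tells the loop nothing on its own: an expired-but-renewable TGT must not be sent back to the KDC with the RENEW option, which is exactly the request that produced KRB_AP_ERR_TKT_EXPIRED in the trace, and a ticket whose renew-till has passed cannot be rescued by renewal at all. Checking EndTime inside a margin rather than at the instant of expiry keeps the loop from racing the KDC.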
But it shouldn't matter as your lib has a background timer thread that is supposed to keep the ticket alive regardless of this call. The fact that it expired means that logic wasn't keeping the TGT alive.
On Thu., Feb. 24, 2022, 2:53 a.m. Steve Syfuhs, @.***> wrote:
Your logic isn't quite right. The cache as you're querying it will return any ticket expired or not. As such you can absolutely have a TGT in the cache that is past its expiration, but before it's renewtill date. If you're going to be doing something like that then you need to check tgt.EndTime < DateTimeOffset.UtcNow.