Configuration
- Users who are enrolled in TruU get their Kerberos realm from the NT Principal Name in the smart card certificate.
- Administrators can configure ticket lifetimes on the KDC or via the krb5.conf file.
- TruU does not alter or participate in any of this configuration setup.
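
A preflight check for the two configuration points above, as an added example that is not TruU code: it derives the realm from an NT Principal Name and reads the ticket lifetimes from a krb5.conf. It assumes the realm is the upper-cased suffix after the `@`; the sample file, realm and host names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7d
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com
    }
"""
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def to_seconds(value):
    """Convert a krb5.conf duration such as '10h', '1d12h' or '36000' to seconds."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([dhms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def realm_from_upn(upn):
    # Assumption: the realm is the upper-cased suffix of the NT Principal Name.
    user, sep, suffix = upn.partition("@")
    if not (user and sep and suffix):
        raise ValueError(f"not a UPN: {upn!r}")
    return suffix.upper()

def preflight(conf_text, upn):
    """Return the derived realm, whether [realms] defines it, and lifetimes in seconds."""
    section, libdefaults, realms = None, {}, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section = head.group(1)
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = val
            elif section == "realms" and val.startswith("{"):
                realms.add(key)               # realm block opener, e.g. "REALM = {"
    life = lambda k: to_seconds(libdefaults[k]) if k in libdefaults else None
    realm = realm_from_upn(upn)
    return {"realm": realm, "realm_defined": realm in realms,
            "ticket_lifetime": life("ticket_lifetime"), "renew_lifetime": life("renew_lifetime")}
```

A realm missing from `[realms]` is not necessarily an error, since KDCs can also be located through DNS SRV records, and the KDC's own policy caps whatever lifetime the client requests.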
Obtaining a Kerberos Ticket
- TruU uses the smart card certificate to authenticate without a password while obtaining a Kerberos ticket.
- If Kerberos is not disabled in the config file, TruU will try to obtain a Kerberos ticket in each of the following scenarios:
  - Following successful user enrollment
  - When the user logs in
  - When the system wakes from sleep state
  - When the network changes
- NOTE: network connectivity to the domain controller is required to successfully obtain the Kerberos ticket.
Renewing a Kerberos Ticket
- TruU will try to renew a Kerberos ticket immediately following the expiration of the current ticket.
- If TruU is unsuccessful in renewing the Kerberos ticket at first, it will continue to try once a minute until there is network connectivity to the DC and its status reads “successful”.
Miscellaneous
- If you manually destroy a Kerberos ticket with kdestroy, you will have to either log the user out and back in OR restart the system to have TruU begin requesting a new Kerberos ticket for the user.
- NOTE: If the user logs out or tries to restart the system, their old tickets will be destroyed.

