# Experiment: Kerberos Lifetime (including JDBC driver for SQL server)

###### tags: `work` `experiment`

## Kerberos user commands

### Will ticket renewal reset the renew lifetime?

1. Initialize a TGT.

   ```shell
   [user@example ~]$ kinit principal@EXAMPLE.COM
   Password for principal@EXAMPLE.COM:
   [user@example ~]$ klist
   Ticket cache: KCM:1000
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/04/23 10:03:06  02/04/23 20:03:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 02/11/23 10:03:02
   ```

   This TGT:
   - will expire at 02/04/23 20:03:06.
   - can be renewed before 02/11/23 10:03:02.

2. Renew the TGT.

   ```shell
   [user@example ~]$ kinit -R principal@EXAMPLE.COM
   [user@example ~]$ klist
   Ticket cache: KCM:1000
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/04/23 10:03:22  02/04/23 20:03:22  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 02/11/23 10:03:02
   ```

   After renewing:
   - The expiry time is changed.
   - **<u>The renew lifetime doesn't change.</u>**

Ans: No.

---

## JDBC driver for SQL server

### Experiment 1: If `userName` and `password` are provided in the JDBC connection string, what will happen if the TGT expires?

Connection string:

```
jdbc:sqlserver://{SQL_SERVER_HOST}:1433;
database={DB_NAME};
encrypt=true;
trustServerCertificate=true;
integratedSecurity=true;
authenticationScheme=JavaKerberos;
userName={KERBEROS_PRINCIPAL};
password={PASSWORD};
```

Run an application which uses a connection pool for its DB connections, and check whether there are 10 active connections by running ([ref](https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-connections-transact-sql?view=sql-server-ver16)):

```sql
SELECT * FROM sys.dm_exec_connections;
```

![](https://i.imgur.com/TiDNsYW.png)

According to [this document](https://web.mit.edu/kerberos/krb5-devel/doc/user/tkt_mgmt.html), the default ticket lifetime is 10 hours on many systems. Therefore, leave it until the next day and check again.
![](https://i.imgur.com/T3yIt8F.png)

The `connect_time` changed! The interval is about 16 hours.

And again, the next day.

![](https://i.imgur.com/5f13TMA.png)

The interval is about 24 hours. Therefore, by the result of the experiment, I guess the driver will renew the TGT about every 8 hours. But what will happen if the renew lifetime expires?

### Experiment 1.1: What will happen if the renew lifetime expires?

1. The default renew lifetime is 7 days, which is too long for an experiment. Modify the maximum lifetime of the tickets granted by the KDC. According to [this document](https://www.ibm.com/docs/en/elm/6.0?topic=encryption-enforcing-algorithms-domain-clients), the Kerberos policy is in the Group Policy Management Editor under <u>Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Settings</u>. Set these lifetimes to the minimum value.

   | Policy | Policy Setting |
   |-|-|
   | Maximum lifetime for service ticket | 10 minutes |
   | Maximum lifetime for user ticket | 1 hours |
   | Maximum lifetime for user ticket renewal | 1 days |

   ![](https://i.imgur.com/U6mMKHP.png)

2. Initialize a TGT to check that the change is effective.

   ```shell
   [user@example ~]$ kinit principal@EXAMPLE.COM
   Password for principal@EXAMPLE.COM:
   [user@example ~]$ klist
   Ticket cache: KCM:1000
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/06/23 17:10:02  02/06/23 18:10:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 02/07/23 17:10:02
   ```

   **Checked!**

3. Run the same application as in the previous experiment, and check whether the connections exist.

   ![](https://i.imgur.com/6aqtuJD.png)

4. Wait 1 hour and 1 day.

5. At 8:48 AM the next day:

   ![](https://i.imgur.com/wBtQMH4.png)

   It seems the connections were renewed every hour. Wait until 9:48 to verify this assumption.

   ![](https://i.imgur.com/kQpnqXf.png)

   The connections were renewed automatically before they expired!

   At 05:17 PM the next day (more than 1 day after):
![](https://i.imgur.com/vQ7fA81.png)

The connections are still there.

### Experiment 2: If `userName` and `password` aren't provided in the JDBC connection string, what will happen if the TGT expires?

1. The settings of this experiment are the same as in experiment 1, except that the connection string doesn't have `userName` and `password`:

   ```
   jdbc:sqlserver://{SQL_SERVER_HOST}:1433;
   database={DB_NAME};
   encrypt=true;
   trustServerCertificate=true;
   integratedSecurity=true;
   authenticationScheme=JavaKerberos;
   ```

2. Run `kinit` manually (shorten the lifetime to 1 minute), and run `klist` to check the TGT.

   ```shell
   [user@example ~]$ kinit -l 2m principal@EXAMPLE.COM
   Password for principal@EXAMPLE.COM:
   [user@example ~]$ klist
   Ticket cache: KCM:1000
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/07/23 10:15:08  02/07/23 10:17:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 02/08/23 10:15:08
   ```

3. Run the same application, and check whether the connections exist.

   ![](https://i.imgur.com/6jX5byA.png)

4. Wait 2 minutes.

   ![](https://i.imgur.com/CFMfZ4L.png)

   The connections weren't renewed. Maybe it's because the service ticket hasn't expired yet. Wait until 10:25:08 (10 minutes after).

   At 10:28:14, still not renewed. Wait until the default TGT lifetime expires (11:15:08, 1 hour after).

   After 1 hour, the connection is no longer available, and the application also throws some exceptions.

   ![](https://i.imgur.com/eYqVWg4.png)

   ![](https://i.imgur.com/k8dTgnb.png)

Ans: After the TGT expired, the connection is no longer available.

### Experiment 3: Does the JDBC driver for SQL server renew the TGT, or does it just initialize another new TGT?

#### How to test it

* <u>**Experiment 3.1**</u>: Check whether changing the password affects TGT renewal.
  1. Initialize a TGT for principal `principal`.
  2. Modify the password of `principal`.
  3. Renew the TGT with `kinit -R`. Check whether it passes.
  4. Re-initialize the TGT with the old password. This step should fail.
* <u>**Experiment 3.2**</u>: Check whether changing the password affects the JDBC driver when the TGT expires.
  1. Run the application with a connection string containing `userName` and `password`.
  2. Before the TGT expires, modify the password of the principal used for this connection.
  3. Wait until the TGT expires, and if
     1. the application throws errors, it means the driver just re-initializes the TGT.
     2. the application works fine and the connections still exist, it means the driver renews the TGT.

#### Experiment 3.1

Check whether changing the password affects TGT renewal.

1. Initialize a TGT for principal `principal`.

   ```shell
   [user@example ~]$ kinit principal@EXAMPLE.COM
   Password for principal@EXAMPLE.COM:
   [user@example ~]$ klist
   Ticket cache: KCM:1000:875
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/07/23 17:06:40  02/07/23 18:06:40  krbtgt/OA.TEST.COM@OA.TEST.COM
       renew until 02/08/23 17:06:40
   ```

2. Modify the password of `principal`.

3. Renew the TGT with `kinit -R`. Check whether it passes.

   ```shell
   [user@example ~]$ kinit -R principal@EXAMPLE.COM
   [user@example ~]$ klist
   Ticket cache: KCM:1000:875
   Default principal: principal@EXAMPLE.COM

   Valid starting     Expires            Service principal
   02/07/23 17:07:25  02/07/23 18:07:25  krbtgt/OA.TEST.COM@OA.TEST.COM
       renew until 02/08/23 17:06:40
   ```

   **Passed!**

4. Re-initialize the TGT with the old password. This step should fail.

   ```shell
   [user@example ~]$ kinit principal@EXAMPLE.COM
   Password for principal@EXAMPLE.COM:
   kinit: Password incorrect while getting initial credentials
   ```

Conclusion: Changing the password doesn't affect TGT renewal.

#### Experiment 3.2

1. Get the current connections.

   ![](https://i.imgur.com/enFnRoS.png)

2. Change the password.

3. Wait until the TGT expires.

4. The application throws exceptions, and the connections are gone!
![](https://i.imgur.com/qMJkif4.png)

Therefore, what the JDBC driver for SQL server does about the TGT lifetime is to **get a new TGT** whenever the TGT is about to expire.
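As an added example (not part of the original note), the Python below parses `klist` output in the format shown above and models the two behaviours these experiments observed: `kinit -R` moves the expiry forward but never the renew-until, and once the TGT has expired renewal is refused and only a new TGT helps, which is the point at which the credential-less connections in Experiment 2 died. The `Tgt` class, the function names and the sample `klist` text are assumptions constructed for this example.

```python
"""Added example (not from the original note): parse klist output in the format
shown above and model the observed rule that kinit -R moves the expiry but never
the renew-until, after which only a new TGT keeps Kerberos connections alive."""
import re
from dataclasses import dataclass
from datetime import datetime

KLIST_TIME = "%m/%d/%y %H:%M:%S"  # timestamp format used by klist above
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TGT_LINE = re.compile(STAMP + r"\s+" + STAMP + r"\s+krbtgt/")
RENEW_LINE = re.compile(r"renew until " + STAMP)

# Constructed sample, in the format of the klist output in this note.
SAMPLE_KLIST = """Default principal: principal@EXAMPLE.COM
Valid starting     Expires            Service principal
02/04/23 10:03:06  02/04/23 20:03:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/11/23 10:03:02
"""

@dataclass(frozen=True)
class Tgt:
    principal: str
    start: datetime
    expires: datetime
    renew_until: datetime

def ts(s: str) -> datetime:
    return datetime.strptime(s, KLIST_TIME)

def parse_klist(text: str) -> Tgt:
    """Pull the krbtgt entry and its renew-until line out of klist output."""
    principal = re.search(r"Default principal: (\S+)", text)
    tgt, renew = TGT_LINE.search(text), RENEW_LINE.search(text)
    if not (principal and tgt and renew):
        raise ValueError("no renewable krbtgt entry found in klist output")
    return Tgt(principal.group(1), ts(tgt.group(1)), ts(tgt.group(2)), ts(renew.group(1)))

def renew(tgt: Tgt, now: datetime) -> Tgt:
    """Model kinit -R: new start, expiry = min(now + lifetime, renew_until),
    renew_until unchanged; refused once the ticket or the renew window has lapsed."""
    if now >= tgt.expires or now >= tgt.renew_until:
        raise RuntimeError("kinit -R refused: a fresh TGT is required")
    lifetime = tgt.expires - tgt.start
    return Tgt(tgt.principal, now, min(now + lifetime, tgt.renew_until), tgt.renew_until)

def status(tgt: Tgt, now: datetime) -> str:
    """expired: only a new TGT helps (where the credential-less driver above lost
    its connections); final: valid but renewal cannot extend it; renewable: kinit -R can."""
    if now >= tgt.expires:
        return "expired"
    return "final" if tgt.expires >= tgt.renew_until else "renewable"
```

Running `renew(parse_klist(SAMPLE_KLIST), datetime(2023, 2, 4, 10, 3, 22))` reproduces the second `klist` output of the first experiment: a new expiry of 02/04/23 20:03:22 with the renew-until still 02/11/23 10:03:02.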