User Token Expires When You Log on by Using a Smart Card for a Long Time (323931)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000
This article was previously published under Q323931

SUMMARY

If you log on to your computer by using a smart card, you may receive a prompt to refresh your credentials if you remain logged on for a long time.

MORE INFORMATION

Background

When a user logs on using a smart card, Kerberos grants the user a ticket granting ticket (TGT). With the TGT, the user can acquire tickets to access other resources on the network without typing any credentials. The TGT lasts for a fixed amount of time. At the end of this lifetime, the user must refresh it. To do so, the user must supply credentials by logging on. When you log on, the TGT is automatically updated. When Windows determines that the user has an expired TGT, an icon and a message appear on the taskbar of the user's computer. The message informs the user to update their credentials.

TGT Refresh

The TGT has a default lifetime of 10 hours. If a user is logged on for more than 10 hours, the TGT expires and the user must refresh the TGT. If the smart card is in the reader, the TGT is refreshed. If the smart card is not in the reader, the TGT is not refreshed and all later attempts to access the network fail. To work around this behavior, the user must log off, and then log on to the computer to get a new TGT.

TGT Renewal in Windows XP and Windows 2000 SP2 and Later

By default, the TGT has a default lifetime of 10 hours, but the user can renew it for up to 7 days. The renewal does not require credentials. The renewal occurs only if the user uses the TGT within 5 minutes of its expiration. Otherwise the TGT expires and the user must refresh it (which requires credentials).

TGT Renewal in Windows Server 2003

By default, the TGT has a default lifetime of 10 hours, but the user can renew it for up to 7 days. The renewal does not require credentials. The renewal occurs by using a scavenger thread on the computer. If the user cannot renew the TGT, it expires and the user must refresh it (which requires credentials).

Cached Credentials

If the user logs on with cached credentials, the user cannot refresh the TGT by unlocking (even without cached credentials, unlocking does not reliably refresh the TGT on Windows 2000). Otherwise, the user can refresh the TGT by unlocking and by re-inserting the card.
Modification Type:MajorLast Reviewed:6/6/2003
Keywords:kbinfo KB323931
©2002 Microsoft Corporation. All rights reserved.