TGT renewal doesn't work when using Krb5TicketCache

[macsux]

Describe the bug
KerberosClient has a feature to refresh expiring TGTs, but this seems to work only for MemoryTicketCache. When using Krb5TicketCache TGT is not getting refreshed.

To Reproduce
Switch cache to Krb5TicketCache

Expected behavior
TGT gets refreshed regardless of ticket cache being used

[SteveSyfuhs]

Fixed with #286. An updated nuget package will be available within a few minutes. Please verify when you get a chance. :)

[macsux]

So now I'm getting this after a while....

   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT       Kerberos.NET.KerberosProtocolException: KDC KRB_AP_ERR_TKT_EXPIRED: Ticket expired
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Kerberos.NET.Transport.KerberosTransportBase.Decode[T](ReadOnlyMemory`1 response) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 70
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Kerberos.NET.Transport.TcpKerberosTransport.ReadResponse[T](NetworkStream stream, CancellationToken cancellation, TimeSpan readTimeout) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 133
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Kerberos.NET.Client.KerberosClient.RenewTicket(String spn) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1078
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at KerberosSidecar.KerberosWorker.RefreshTicketIfExpiring() in C:\projects\KerberosBuildpack\src\KerberosSidecar\KerberosWorker.cs:line 152
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at KerberosSidecar.KerberosWorker.ExecuteAsync(CancellationToken stoppingToken) in C:\projects\KerberosBuildpack\src\KerberosSidecar\KerberosWorker.cs:line 139
   2022-02-18T16:35:21.10-0500 [APP/PROC/WEB/0] OUT          at Microsoft.Extensions.Hosting.Internal.Host.TryExecuteBackgroundServiceAsync(BackgroundService backgroundService)

Here's where it's called from. I know explicit refresh like I'm doing here should technically not be needed anymore, but it should still work shouldn't it?

https://github.com/macsux/kerberos-buildpack/blob/3e71840e578c48d6cb17789ab520aa138b751546/src/KerberosSidecar/KerberosWorker.cs#L144

Code is running on 4.5.155

[SteveSyfuhs]

Your logic isn't quite right. The cache as you're querying it will return any ticket expired or not. As such you can absolutely have a TGT in the cache that is past its expiration, but before it's renewtill date. If you're going to be doing something like that then you need to check tgt.EndTime < DateTimeOffset.UtcNow.

[macsux]

But it shouldn't matter as your lib has a background timer thread that is supposed to keep ticket alive regardless of this call. The fact that it expired means that logic wasn't keeping tgt alive

…

On Thu., Feb. 24, 2022, 2:53 a.m. Steve Syfuhs, ***@***.***> wrote: Your logic isn't quite right. The cache as you're querying it will return any ticket expired or not. As such you can absolutely have a TGT in the cache that is past its expiration, but before it's renewtill date. If you're going to be doing something like that then you need to check tgt.EndTime < DateTimeOffset.UtcNow. — Reply to this email directly, view it on GitHub <#285 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAINFWAO4XVX2G3D2ANZCGLU4XPV3ANCNFSM5NM7OTUQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>