Using Identity Manager, the Ticket Manager for Windows
Kerberos ticket manager software is designed to manage authentication
(identity verification) across multiple online services that recognize
the Kerberos protocol. To learn more, see "Getting
Started in a Kerberized Environment" and "Kerberos
Tickets and How They Work."
This document provides instructions for:
Starting the Kerberos for Windows Ticket Manager software
To start the Ticket Manager software, select the Ticket Manager program
(Windows Identity Manager) from the Start menu under Programs - Kerberos
Utilities. The Identity Manager dialog box will be displayed.
Getting a Kerberos Ticket
You will need to obtain a Kerberos Ticket-Granting Ticket (TGT),
or "master ticket," only once per computing session. By
default, this ticket is valid for ten hours. You will need to get
a new ticket after restarting or logging out on your machine, after
destroying existing tickets, or if you allow a ticket to expire.
To obtain a Kerberos ticket:
- Start the Identity Manager application. A window is displayed
with No Tickets/Tokens listed.
- Choose Action from the menu bar, then select
Get Ticket(s) from the pulldown menu.
- When the Initialize Ticket window appears,
enter your PennKey, then click the OK
button.
- Type your password and then click the OK
button.
Note: Kerberos passwords are case-sensitive. No text
will appear, nor will you see any cursor movement in the password
box as you type your password.
- When your PennKey and password are successfully authenticated,
you will be given a Kerberos ticket-granting ticket (TGT). In
the Identity Manager application window you will see the Kerberos icon
followed by your Kerberos username. Click on the plus
sign to the left of your Kerberos username to see your
current tickets.
Note: The current version of Identity Manager displays
your active tickets in both Version 4 and Version 5 of Kerberos.
Since we will be using Version 5 at Penn, you will notice that
the wide ticket labeled "Version Four Kerberos" is
grey in color. This color signifies inactivity. The color codes
for the wide tickets can help you determine the status of your
Kerberos session:
grey = no active tickets
green = active tickets with over 15 minutes remaining
yellow = active tickets which will expire within 15 minutes
red = expired ticket
- Close (or minimize) the Leash32 window / application.
Important Note: Exiting Leash32
does not automatically destroy your existing tickets. Your Kerberos
ticket gives you, or anyone who uses your computer, access to
all Kerberized campus services to which you have access. Do not
leave your computer without manually destroying
your Kerberos tickets.
Renewing a Kerberos Ticket
- Open the Identity Manager application.
- Choose Action from the menu bar, then select
Renew Ticket(s) from the pulldown menu.
- The Initialize Ticket window appears. In the text field under
Enter your username, the current primary user's
full Kerberos principal (e.g. "janedoe@UPENN.EDU") should
appear. Click the OK button to accept, or simply
enter the PennKey of another user to change the username.
- A new, blank text field appears under Enter your password.
Enter your password and click the OK button to
the right.
- If your renewal is successful, the remaining time listed in
the Kerb-5 Ticket Life status area in the lower
right corner of the Leash32 window will have increased to the
length of a full new session.
Destroying a Kerberos Ticket
To prevent others from using your account information from your
computer, be sure to destroy any Kerberos tickets before leaving
your computer. You will need to obtain new tickets to gain access
using Kerberized clients.
To destroy your tickets:
- Open the Identity Manager application.
- Choose Action from the menu bar, then select
Destroy Ticket(s) from the pulldown menu.
- Leash32 warns you that it will destroy your tickets. Click
the OK button.
- Confirm that you have no tickets by looking at the Identity Manager
list window. A minus sign should appear to the
left of your Kerberos username.
Note: You cannot selectively destroy
some tickets while preserving others. Destroying tickets is an "all-or-nothing"
action.
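The same check can be made from the command line. The following is an added example, not part of the original guide: it parses the text output of the MIT Kerberos `klist` command, classifies each ticket with the colour codes listed above, and reports whether any usable ticket is still present. The row layout, the sample output and the `example.edu` hosts are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `klist` text output (assumed layout: start, expiry,
# service principal; dates as MM/DD/YYYY HH:MM:SS). Hosts are made up.
SAMPLE_KLIST = """\
Default principal: janedoe@UPENN.EDU

Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/01/2024 19:00:00  krbtgt/UPENN.EDU@UPENN.EDU
03/01/2024 09:05:00  03/01/2024 09:40:00  host/mail.example.edu@UPENN.EDU
03/01/2024 08:00:00  03/01/2024 09:20:00  host/old.example.edu@UPENN.EDU
"""

STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
FMT = "%m/%d/%Y %H:%M:%S"
WARN = timedelta(minutes=15)  # yellow threshold from the guide


def parse_tickets(text):
    """Return [(service_principal, expiry)] for each ticket row found."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            tickets.append((m.group(3), datetime.strptime(m.group(2), FMT)))
    return tickets


def colour(expiry, now):
    """Map remaining lifetime to the guide's green/yellow/red codes."""
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "red"
    return "green" if remaining > WARN else "yellow"


def session_report(text, now):
    """Classify every ticket and say whether any is still usable."""
    rows = [(svc, colour(exp, now)) for svc, exp in parse_tickets(text)]
    live = [svc for svc, c in rows if c != "red"]
    return {"tickets": rows, "must_destroy": bool(live), "grey": not rows}


if __name__ == "__main__":
    report = session_report(SAMPLE_KLIST, datetime(2024, 3, 1, 9, 30))
    for svc, c in report["tickets"]:
        print(f"{c:6} {svc}")
    print("destroy tickets before leaving:", report["must_destroy"])
```

On a real machine, pass the captured output of `klist` and `datetime.now()` instead of the sample; `must_destroy` stays true until Destroy Ticket(s) has been run or every ticket has expired.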
Quitting the Ticket Manager
To quit the Ticket Manager, select Exit from the
File menu.
Important Note: Exiting
Identity Manager does not automatically destroy your existing tickets. Your
Kerberos ticket gives you, or anyone who uses your computer, access
to all Kerberized campus services to which you have access. Do not
leave your computer without manually destroying
your Kerberos tickets.
Changing Your Kerberos/PennKey Password
To change your Kerberos/PennKey password:
- Open the application.
- Choose Action from the menu bar, then select
Change Password from the pulldown menu.
- Enter your PennKey, then click the OK button.
- Type your old password. Click the OK button.
- Type your new password. Click the OK button.
- Type your new password again to confirm you typed it correctly
the first time. Click the OK button.
Your Kerberos/PennKey password is now changed.