Gssapi Caching / Timeouts when not connected to AD

[chr78]

Hey there,
we have an intranet website based on apache, mod_auth_gssapi and sso via krb5 auth (MS AD). The webserver is accessible via public IP, but the connection between client-Browser - AD is only accessible via VPN.

So automatic authentication works only if connected via VPN.

When disconnected to VPN, it seems the web-authentication is still valid for a few minutes (5?) and re-authenticates again when reloading the website wihin this time. After the timeout, you have to reconnect to VPN.
Anyone knows how to change this timeout?

[simo5]

Sounds like a client behavior issue.
Generally tickets are valid for hours. I wounder if it is some AD setting, or some DNS related issue.
Does the name of the service change when on or off VPN ?

[chr78]

You mean the web-Service? The name/url is the same.