On 06/17/2018 02:02 PM, Ruurd Beerstra wrote: > The symptoms are that I can obtain a TGT from my KDC (which ends up in > de LSA of Windows), but every attempt to use that TGT to obtain a > service ticket yields an error: > Matching credential not found.
Unfortunately, our mailing list server doesn't pass through attachments, so while I briefly saw your screenshots before moderating through your message, they didn't make it to the list (and I didn't keep a copy.) I believe the correct short answer is to use the "API:" ccache instead of the "MSLSA:" ccache for this setup. For some time Windows has restricted access to TGT session keys in the LSA, which means our libkrb5 code can't use a TGT from the LSA to get service tickets. Instead, our MSLSA ccache type requests service tickets via Windows, but that only works if the realm is set up in the LSA configuration. Since you are using an MIT krb5 KDC, I am guessing that it is not set up in the LSA configuration, so we fall back to trying to get service tickets using the TGT. The TGT session key restriction can be overridden by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey, which I believe our installer sets. I would not be surprised if update 1803 disables this registry value so that the restriction is always in effect. I have also heard that Microsoft plans to disable access to service ticket session keys from userspace, effectively preventing KfW from using the LSA ccache. I don't know if that restriction is present in update 1803, and I believe it only applies if Credential Guard is enabled. (I don't know what determines whether Credential Guard is enabled.) We could conceivably work around this restriction in the GSSAPI library by getting context establishment tokens via SSPI instead of via our krb5 code, but I can't make any promises as to when that might be implemented. I don't believe this is the restriction at issue in your test setup anyway. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos