On Sun, Jun 17, 2018 at 04:35:50PM -0400, Greg Hudson wrote:
> On 06/17/2018 02:02 PM, Ruurd Beerstra wrote:
> > The symptoms are that I can obtain a TGT from my KDC (which ends up in
> > the LSA of Windows), but every attempt to use that TGT to obtain a
> > service ticket yields an error:
> > Matching credential not found.
>
> Unfortunately, our mailing list server doesn't pass through attachments,
> so while I briefly saw your screenshots before moderating through your
> message, they didn't make it to the list (and I didn't keep a copy.)
>
> I believe the correct short answer is to use the "API:" ccache instead
> of the "MSLSA:" ccache for this setup.
>
> For some time Windows has restricted access to TGT session keys in the
> LSA, which means our libkrb5 code can't use a TGT from the LSA to get
> service tickets. Instead, our MSLSA ccache type requests service
> tickets via Windows, but that only works if the realm is set up in the
> LSA configuration. Since you are using an MIT krb5 KDC, I am guessing
> that it is not set up in the LSA configuration, so we fall back to
> trying to get service tickets using the TGT.

Does this mean that you think setting the appropriate entries under
SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains would resolve the
issue?

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos