[External] : Re: Windows Credential Guard with MSLSA
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Sep 7 09:30:42 EDT 2023
>Windows Credential Guard cannot be used on Linux. However the service
>that Windows Credential Guard is protecting, a database service
>running on Linux in this case, whether there is a way to retrieve the
>credentials protected by Windows Credential Guard without using GSSAPI
So I was mildly curious and I did some more digging. Here's what I
believe to be true, with the caveat I am not that experienced in the
details and I might be wrong (and I would appreciate any corrections
where I get things wrong):
- The MIT Kerberos 5 libraries do have native support for doing S4U2proxy
which I believe is the protocol you want to use.
- The specific details here is you need to send an "evidence ticket"
from the client to the server (which in test example I see is just
the complete ASN.1-encoded Kerberos service ticket for the database
server), the application server (the database service running on the
Linux system), the database service would call krb5_decode_ticket()
and krb5_server_decrypt_ticket_keytab() to get the the decrypted
ticket contents, and then call krb5_get_credentials_for_proxy() to
make the actual S4U2Proxy request (the database server will also have
to have a TGT for itself).
- I'm actually a little unclear how you'd do the "send a raw ticket
from the client to the server" inside of the GSSAPI. I suspect it
is possible but the MIT documentation just talks about the application
server API pieces.
- As I mentioned previously, this would require client-server protocol
rework AND significant changes on the database server side. If we
are talking about Oracle (just a guess based on your email address)
I was under the impression that Oracle includes a very old copy of MIT
Kerberos internally; if that is still the case then this would also
require the Kerberos implementation inside of Oracle to be updated
to something much newer.
- From what others have said, there is essentially no way to get out
a TGT from the MSLSA credential cache when using Windows Credential
Guard.
--Ken
More information about the krbdev
mailing list