Kerberos delegation on Windows

Benjamin Kaduk kaduk at MIT.EDU
Fri Apr 3 17:11:32 EDT 2015

On Fri, 3 Apr 2015, Jade Koskela wrote:

> Hello all,
> I would like to use gss_store_cred_into, or some similar method, to store a
> delegated TGT into the Windows LSA cache. I tried this using Kerberos API,
> GSSAPI, but wasn't successful. I also just tried kinit -c MSLSA:. In all
> cases, when the credential for the delegated user was stored in the LSA,
> the credential cache was purged of all of the tickets for the original
> user, and new tickets were stored.
> Is there any way to store tickets from multiple users in the LSA via
> Kerberos or GSSAPI?

To clarify slightly more on what was mentioned in IRC (and get the answer
in the archives), libkrb5 (and thus the GSS interfaces) assume that the
MSLSA: cache type can only contain credentials for one client principal at
a time.  As such, trying to add new credentials using one of those
routines will have the effect of overwriting any existing credentials [for
a different client principal].

This restriction is probably not inherent to the Windows LSA itself, as
the KerbSubmitTicketMessage seems to allow submitting a ticket for a
different client principal, but I have not done any experimentation in
this area.  (It is possible that software trying to use the LSA cache
would get very confused when presented this situation, for example.)

-Ben Kaduk
