Working with Microsoft Premier Support RE MIT Kerberos for Windows 4.0.1

Thu Oct 15 08:57:49 EDT 2015

Please direct me to  the resources that can answer the following:

*       We have an open case with MS Premier Support and Kerberos for Windows 4.0.1 states "Integration with the Windows LSA credentials cache"

*       We are using .NET webclient and can't seem to get the client to use the tickets in the cache.   Tickets are stored in the location specified by environment variable

*       See support case below

From: Frank Kim [mailto:Frank.Kim at microsoft.com]
Sent: Thursday, October 15, 2015 1:59 AM
To: Binder, Dale
Cc: MSSolve Case Email; Shmain, Jeffrey
Subject: RE: Kerberos issues -> RE: [REG:115100513230017] Clarify the account infrastructure.

Hi Dale,

In regards to the code below, the .NET code will not know anything about the location of the MIT tickets at:

C:\Users\nbkvw7l\KerberosCacheFile\krb5cache

Kerberos tickets in Windows are stored in LSASS.exe.   Internally, .NET uses the SSPI APIs to implement Kerberos.  You pass the user's credentials to SSPI by calling AcquireCredentialsHandle().  AcquireCredentialsHandle() obtains this in LSASS.exe as well.  Internally, SSPI is implemented using the LSA APIs which are used to interface with LSASS.exe.

The reason I have suggested using the MIT GSS APIs is because they would be aware of the krb5cache.  I am going to assume that Java uses the MIT GSS APIs which is why things work for you.

I've read some of the docs on MIT Kerberos which indicate they store their credentials in LSA's cache for 4.0.0.  Here is the link I referenced.

http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html
They mention the following, "Integration with the Windows LSA credentials cache."
They don't elaborate on what this means so you would need somebody familiar with this project to address the true meaning of this.  If the following call:

GetTGT()

If this associated the MIT ticket with the current user.

The only option I could see is the following:

credentialCache.Add(new Uri("http://lpnoe0vupotd1i.bankofamerica.com:20550/"), "Kerberos", CredentialCache.DefaultNetworkCredentials);

I'm not sure if you have tried this.

The other code below will not work just for the fact that .NET doesn't know anything about MIT Kerberos and it's tickets.  It only know about Kerberos Tickets created by Windows and stored in LSASS.  This is why you have to use the specific GSS APIs provided by MIT.

Finally about 20 years ago, Microsoft did create a GSS API whose interface was compatible with GSS APIs from MIT.   What this meant was that you could take an application written on Linux and rebuild it on Windows to run in the POSIX subsystem.  This is what they meant by GSS API compatibility.  The interface was compatible so a Linux developer did not have to rewrite their code to use SSPI.  (Internally, the GSS API offered by Microsoft was just a wrapper around SSPI).

Thanks

Frank Kim (frank.kim at microsoft.com<mailto:frank.kim at microsoft.com>)
Sr. Escalation Engineer
Developer Tools - Windows SDK

+1 (425) 538 0692
Typical Hours - 8:30 - 17:30
(UTC-08:00) Pacific Standard Time (US & Canada)
Meeting and exceeding your expectations are my top priorities.  We are interested in any feedback you might have about the service you received on this incident.  Please let my manager, John Hornick, know what you think of the level of service provided; email John.Hornick at microsoft.com<mailto:John.Hornick at microsoft.com>, or even call 425-538-0721

Dale Binder
Develop and Manage
Cyber Security Technology
Global Information Security

Bank of America
40 N Main Street
Dayton, OH 45423
937.938.1138 (work)
937.438.3507 (cell)
[cid:image001.jpg at 01CC42B3.9D534100]

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.