MIT Kerberos for Windows failing with Windows 10 update 1803?
Ruurd Beerstra
ruurdb at wxs.nl
Sun Jun 17 14:02:47 EDT 2018
Hi,
I'm the developer of a Windows SSH/Telnet client (called IVT) that supports
both GSSAPI authentication and Kerberized telnet.
I've noticed that the setup I use for regression testing now finds
errors for both protocols: Login fails.
After a lot of digging, I'm suspecting the Windows 10 privacy update (1803)
that was pushed to my development workstation a short while ago.
The symptoms are that I can obtain a TGT from my KDC (which ends up in
the LSA of Windows), but every attempt to use that TGT to obtain a
service ticket yields an error:
Matching credential not found.
When I install a copy of the software on a Windows 7 Virtual Box machine
(same network, same KDC, same user/principal, same IVT version, same
Kerberos for Windows version 4.1, etc) it works flawlessly.
I was about to go single stepping through my code to find the problem,
but when I woke the PC to start work on that, I noticed that the MIT
software itself has the same problem!
This popup appeared:
So that is Kerberos for Windows trying to refresh my credentials and
running into the very same error.
Apparently it cannot access the TGT either.
I found this article
https://www.csoonline.com/article/3253899/windows/the-best-new-windows-10-security-features.html
about all sorts of new security features in Windows 10 and that sounds
like Microsoft may have changed something that breaks Kerberos?
When I use a sniffer on my network I can see that there is no
communication between my Telnet client and the KDC when it is supposed
to request a ticket for the host I'm logging in to.
So there is no error logged on the KDC either (I just see an entry when
I login to get my TGT).
Some details about the environment:
- KDC is MIT version krb5-1.16.1
- kfw-4.1-amd64.msi, freshly (re)installed
- Target is a Linux box with a ktelnetd on it, but all that does is
say "DO AUTH" and then when I try to get a ticket it fails.
- PC is Windows 10 Home edition, version 1803 build 17134.112
Everything worked until about two weeks ago (1803 was installed on the 5th
of June).
I can get my TGT:
but that is all I ever see, no tickets for the host I'm trying to login to.
Insights very much appreciated, please reply to ruurdb at wxs.nl.
Regards,
Ruurd Beerstra