MIT Kerberos for Windows failing with Windows 10 update 1803?
Greg Hudson
ghudson at mit.edu
Sun Jun 17 16:35:50 EDT 2018
On 06/17/2018 02:02 PM, Ruurd Beerstra wrote:
> The symptoms are that I can obtain a TGT from my KDC (which ends up in
> the LSA of Windows), but every attempt to use that TGT to obtain a
> service ticket yields an error:
> Matching credential not found.
Unfortunately, our mailing list server doesn't pass through attachments,
so while I briefly saw your screenshots before moderating through your
message, they didn't make it to the list (and I didn't keep a copy).
I believe the correct short answer is to use the "API:" ccache instead
of the "MSLSA:" ccache for this setup.
For some time Windows has restricted access to TGT session keys in the
LSA, which means our libkrb5 code can't use a TGT from the LSA to get
service tickets. Instead, our MSLSA ccache type requests service
tickets via Windows, but that only works if the realm is set up in the
LSA configuration. Since you are using an MIT krb5 KDC, I am guessing
that it is not set up in the LSA configuration, so we fall back to
trying to get service tickets using the TGT.
The TGT session key restriction can be overridden by the registry value
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey,
which I believe our installer sets. I would not be surprised if update
1803 disables this registry value so that the restriction is always in
effect.
I have also heard that Microsoft plans to disable access to service
ticket session keys from userspace, effectively preventing KfW from
using the LSA ccache. I don't know if that restriction is present in
update 1803, and I believe it only applies if Credential Guard is
enabled. (I don't know what determines whether Credential Guard is
enabled.) We could conceivably work around this restriction in the
GSSAPI library by getting context establishment tokens via SSPI instead
of via our krb5 code, but I can't make any promises as to when that
might be implemented. I don't believe this is the restriction at issue
in your test setup anyway.
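The checks a practitioner would run on the affected machine, as an added example that is not part of the thread, of KfW, or of any Microsoft tooling: it reads the AllowTgtSessionKey value from the two registry locations it has historically lived in (the `Kerberos\Parameters` subkey is the one Microsoft documents; the parent `Kerberos` key is the older location), reports whether Credential Guard is running via the documented `Win32_DeviceGuard` WMI class, and then applies the workaround suggested above by pointing the user's MIT krb5 ccache at `API:` through the `KRB5CCNAME` environment variable. The assumption that a per-user `KRB5CCNAME` is the right place to make that switch is the author's, not the thread's; a `[libdefaults]` setting in krb5.ini would be the alternative.

```powershell
# Added diagnostic for the thread above; not part of KfW or Microsoft tooling.
# Reports whether AllowTgtSessionKey is enabled, whether Credential Guard is
# running, and switches the current user's MIT krb5 ccache to API: so service
# ticket requests no longer depend on reading the TGT session key from the LSA.

# Both locations the value has lived in; the Parameters subkey is the one
# Microsoft currently documents, the parent key is the legacy location.
$RegistryPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
)

function Get-AllowTgtSessionKey {
    # Returns one object per location where the value is present (may be none).
    foreach ($p in $RegistryPaths) {
        $v = Get-ItemProperty -Path $p -Name 'AllowTgtSessionKey' -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            [pscustomobject]@{ Path = $p; Value = [int]$v.AllowTgtSessionKey }
        }
    }
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
}

$found = @(Get-AllowTgtSessionKey)
if ($found.Count -eq 0) {
    Write-Host 'AllowTgtSessionKey is not set anywhere: the LSA withholds TGT session keys.'
} else {
    foreach ($entry in $found) {
        $state = if ($entry.Value -eq 1) { 'enabled' } else { 'disabled' }
        Write-Host "$($entry.Path)\AllowTgtSessionKey = $($entry.Value) ($state)"
    }
}

if (Test-CredentialGuardRunning) {
    Write-Host 'Credential Guard is running; session keys may be unavailable regardless of the registry value.'
} else {
    Write-Host 'Credential Guard is not running.'
}

# Workaround from the thread: use the API: ccache instead of MSLSA: for this user.
# Applications (and KfW) must be restarted to pick up the new variable.
[Environment]::SetEnvironmentVariable('KRB5CCNAME', 'API:', 'User')
Write-Host 'KRB5CCNAME=API: set for the current user.'
```

Run the script from an elevated PowerShell session only if you also intend to change the registry value; reading it and setting a per-user environment variable need no elevation. After restarting KfW, a fresh `kinit` followed by a request for a service ticket should succeed without the "Matching credential not found" error, since the API: ccache holds the TGT and its session key inside the KfW process rather than in the LSA.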