MIT Kerberos for Windows failing with Windows 10 update 1803?

Greg Hudson ghudson at mit.edu
Sun Jun 17 16:35:50 EDT 2018


On 06/17/2018 02:02 PM, Ruurd Beerstra wrote:
> The symptoms are that I can obtain a TGT from my KDC (which ends up in
> de LSA of Windows), but every attempt to use that TGT to obtain a
> service ticket yields an error:
> Matching credential not found.

Unfortunately, our mailing list server doesn't pass through attachments, 
so while I briefly saw your screenshots before moderating through your 
message, they didn't make it to the list (and I didn't keep a copy.)

I believe the correct short answer is to use the "API:" ccache instead 
of the "MSLSA:" ccache for this setup.

For some time Windows has restricted access to TGT session keys in the 
LSA, which means our libkrb5 code can't use a TGT from the LSA to get 
service tickets.  Instead, our MSLSA ccache type requests service 
tickets via Windows, but that only works if the realm is set up in the 
LSA configuration.  Since you are using an MIT krb5 KDC, I am guessing 
that it is not set up in the LSA configuration, so we fall back to 
trying to get service tickets using the TGT.

The TGT session key restriction can be overridden by the registry value 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey, 
which I believe our installer sets.  I would not be surprised if update 
1803 disables this registry value so that the restriction is always in 
effect.

I have also heard that Microsoft plans to disable access to service 
ticket session keys from userspace, effectively preventing KfW from 
using the LSA ccache.  I don't know if that restriction is present in 
update 1803, and I believe it only applies if Credential Guard is 
enabled.  (I don't know what determines whether Credential Guard is 
enabled.)  We could conceivably work around this restriction in the 
GSSAPI library by getting context establishment tokens via SSPI instead 
of via our krb5 code, but I can't make any promises as to when that 
might be implemented.  I don't believe this is the restriction at issue 
in your test setup anyway.


More information about the Kerberos mailing list