MIT Kerberos for Windows failing with Windows 10 update 1803?
Benjamin Kaduk
kaduk at mit.edu
Sun Jun 17 21:55:56 EDT 2018
On Sun, Jun 17, 2018 at 04:35:50PM -0400, Greg Hudson wrote:
> On 06/17/2018 02:02 PM, Ruurd Beerstra wrote:
> > The symptoms are that I can obtain a TGT from my KDC (which ends up in
> > the LSA of Windows), but every attempt to use that TGT to obtain a
> > service ticket yields an error:
> > Matching credential not found.
>
> Unfortunately, our mailing list server doesn't pass through attachments,
> so while I briefly saw your screenshots before moderating through your
> message, they didn't make it to the list (and I didn't keep a copy.)
>
> I believe the correct short answer is to use the "API:" ccache instead
> of the "MSLSA:" ccache for this setup.
>
> For some time Windows has restricted access to TGT session keys in the
> LSA, which means our libkrb5 code can't use a TGT from the LSA to get
> service tickets. Instead, our MSLSA ccache type requests service
> tickets via Windows, but that only works if the realm is set up in the
> LSA configuration. Since you are using an MIT krb5 KDC, I am guessing
> that it is not set up in the LSA configuration, so we fall back to
> trying to get service tickets using the TGT.
Does this mean that you think setting the appropriate entries under
SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains would resolve
the issue?
-Ben
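
A diagnostic sketch for the two settings discussed in this thread, added here as an example and not part of any message above: it reports whether a realm has an entry under the Lsa\Kerberos\Domains key and which ccache type KRB5CCNAME selects. The realm name EXAMPLE.ORG and the function names are placeholders, and the check assumes the realm entry carries the KdcNames value that `ksetup /addkdc` writes.

```powershell
# Added example, not from the thread. Read-only; changes nothing.
param([string]$Realm = 'EXAMPLE.ORG')   # placeholder realm name

function Get-LsaRealmConfig {
    param([string]$Realm)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
    $key  = Join-Path $base $Realm
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Realm = $Realm; Configured = $false; KdcNames = @() }
    }
    # Assumption: KdcNames is the multi-string value written by `ksetup /addkdc`.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $kdcs  = @($props.KdcNames | Where-Object { $_ })
    [pscustomobject]@{ Realm = $Realm; Configured = ($kdcs.Count -gt 0); KdcNames = $kdcs }
}

function Get-CcacheType {
    # KRB5CCNAME has the form TYPE:residual. A single letter before the
    # colon is a drive letter, so a bare path counts as a FILE ccache.
    $name = $env:KRB5CCNAME
    if ([string]::IsNullOrEmpty($name)) { return 'unset' }
    if ($name -match '^([A-Za-z]{2,}):') { return $Matches[1].ToUpper() }
    return 'FILE'
}

$lsa   = Get-LsaRealmConfig -Realm $Realm
$ctype = Get-CcacheType

"Realm {0}: LSA entry present = {1}; KDCs = {2}" -f `
    $lsa.Realm, $lsa.Configured, ($lsa.KdcNames -join ', ')
"KRB5CCNAME ccache type: $ctype"

if ($ctype -eq 'MSLSA' -and -not $lsa.Configured) {
    # The combination described in the quoted reply: MSLSA ccache in use,
    # realm not known to the LSA.
    "MSLSA ccache selected, but $Realm has no KDC entry in the LSA configuration."
}
elseif ($ctype -eq 'unset') {
    "KRB5CCNAME is not set; the library's configured default ccache applies."
}
```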