MIT Kerberos for Windows failing with Windows 10 update 1803?
Benjamin Kaduk
kaduk at mit.edu
Mon Jun 18 17:40:29 EDT 2018
On Mon, Jun 18, 2018 at 05:31:33PM -0400, Greg Hudson wrote:
> On 06/18/2018 12:25 PM, Ruurd Beerstra wrote:
> > I probably should have mentioned I tried setting the ccache type to
> > "FILE", and that didn't work either.
>
> Just "FILE"? You need to set it to "FILE:pathname" for some pathname.
>
> I don't have a hypothesis to explain why "API:" wouldn't work. I
> updated a Windows 10 VM to 1803 and installed the kfw 4.1 MSI. With the
> API: ccache type I was able to acquire tickets, renew tickets, acquire
> service tickets using kvno, and see the acquired service ticket with klist.
>
> With the MSLSA: ccache type it does seem like I can't access the TGT
> session key. I can acquire a TGT and can view it in the graphical
> ticket manager (but not with klist; not sure why). Renewing the TGT
I think the magic there is at
https://github.com/krb5/krb5/blob/master/src/windows/leash/KrbListTickets.cpp#L201
> doesn't appear to work, although I only see an error message if I run
> "kinit -R" from the command line (same error as you saw, "Matching
> credential not found"); with the graphical ticket manager it seems to
> silently fail. I can obtain a service ticket and view that with klist,
> but from tracing output it is clear that that is happening through the
> LSA (which is probably able to find the realm I'm testing against using
> SRV records in DNS).
My recollection was that you needed something in the registry (at
the path I mentioned in my previous mail) even to get the LSA to
look for SRV records. (Do I know what realm you're testing with?)
IIRC the KfW installer does prepopulate KDC entries for a couple of
realms, as an example if nothing else.)
-Ben
> > A quick search on Credential Guard says: The Windows Defender Credential
> > Guard prevents these attacks by protecting NTLM password hashes,
> > Kerberos Ticket Granting Tickets, and credentials stored by applications
> > as domain credentials.
>
> To be clear, my uncomfirmed hypothesis is that update 1803 made the
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey
> registry variable inoperable, with or without Credential Guard. An
> additional restriction on access to service ticket session keys does not
> seem to match the errors you're seeing.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list