MIT Kerberos for Windows failing with Windows 10 update 1803?

Ruurd Beerstra ruurdb at wxs.nl
Tue Jun 19 15:51:05 EDT 2018 

OK, I'm confused now....
2 days ago I tried FILE: by editing krb5.ini and setting default_cc_name 
to FILE:c:/tmp/krb5cc_${uid}
I saw it uses the SID for my user as part of the filename in c:/tmp.
I SAW the file being made, and it STILL refused to work the way it 
should. The ticket manager showed "FILE:.." in the "Credential cache" 
column.
I tried your API suggestion last night, saw "API: Initial default cache: 
in the ticket manager and it still did not work.

Then I tried again tonight, by using "kvno" to acquire a ticket. And all 
of  sudden, the host service ticket appears in the ticket manager!
Fire up IVT: It uses the ticket and logs in with Kerberized telnet and 
GSSAPI-over-SSH like it should.
Destroy the TGT and other tickets, restart IVT: It pops up the ticket 
manager, I type the proper password, tickets are acquired: Everything works.
No clue as to why it started working all of a sudden, but I'm happy!

So I wanted to go through the proper steps again so I could document it 
in IVT in case a user runs into this issue.
I change the krb5.ini file back to the default empty:
  Directory of C:\ProgramData\MIT\Kerberos5

19-06-2018  21:03    <DIR>          .
19-06-2018  21:03    <DIR>          ..
19-06-2018  21:04                 0 krb5.ini
                1 File(s)              0 bytes

Start the "MIT kerberos.exe", get a TGT: The Credential cache" still 
shows "API: Initial default ccache". Huh? Why does it not go back to MSLSA?
Reboot. No difference. API.
Search Registry for things called MIT and/od ccache: Found nothing relevant.
Search file system for things called krb5.ini: Nothing relevant.

So now it keeps working despite everything I try to break it. 
Admittedly, progress is made, but I want to understand what happens here!

Can someone here point me in the right direction?
Where am I supposed to configure MSLSA if I want to force the problem again?
Where does it store the current API setting?
What did I do wrong the time I tried the FILE: setting?

     Help very much appreciated,
     Ruurd



Op 18-6-2018 om 23:31 schreef Greg Hudson:
> On 06/18/2018 12:25 PM, Ruurd Beerstra wrote:
>> I probably should have mentioned I tried setting the ccache type to
>> "FILE", and that didn't work either.
>
> Just "FILE"?  You need to set it to "FILE:pathname" for some pathname.
>
> I don't have a hypothesis to explain why "API:" wouldn't work.  I 
> updated a Windows 10 VM to 1803 and installed the kfw 4.1 MSI. With 
> the API: ccache type I was able to acquire tickets, renew tickets, 
> acquire service tickets using kvno, and see the acquired service 
> ticket with klist.
>
> With the MSLSA: ccache type it does seem like I can't access the TGT 
> session key.  I can acquire a TGT and can view it in the graphical 
> ticket manager (but not with klist; not sure why). Renewing the TGT 
> doesn't appear to work, although I only see an error message if I run 
> "kinit -R" from the command line (same error as you saw, "Matching 
> credential not found"); with the graphical ticket manager it seems to 
> silently fail.  I can obtain a service ticket and view that with 
> klist, but from tracing output it is clear that that is happening 
> through the LSA (which is probably able to find the realm I'm testing 
> against using SRV records in DNS).
>
>> A quick search on Credential Guard says: The Windows Defender Credential
>> Guard prevents these attacks by protecting NTLM password hashes,
>> Kerberos Ticket Granting Tickets, and credentials stored by applications
>> as domain credentials.
>
> To be clear, my uncomfirmed hypothesis is that update 1803 made the 
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos AllowTGTSessionKey 
> registry variable inoperable, with or without Credential Guard.  An 
> additional restriction on access to service ticket session keys does 
> not seem to match the errors you're seeing.
>

More information about the Kerberos mailing list