MIT Kerberos client and default cache
Benjamin Kaduk
kaduk at mit.edu
Tue Oct 16 13:55:15 EDT 2018
On Tue, Oct 16, 2018 at 09:40:42AM +0200, Pierre Dehaen wrote:
> Hello list,
>
> Configuration:
> - Windows are clients of an AD
> - Kfw 4.1 is used to acquire tickets from another realm
> - Clients use tickets through Firefox to access apache applications
> - All working well
>
> In the Kfw GUI, next to the TGT of the additional realm, we see the TGT of the AD. The
> former shows API: as credential cache, while the latter shows MSLSA:, all good.
>
> According to <https://mailman.mit.edu/pipermail/kerberos/2015-April/020637.html>: Once
> you have a ticket, the "make default" button will set the registry entry for you.
>
> That is the problem: once a user has clicked "Make default" while the AD ticket was by
> chance selected, only one TGT can be acquired at a time, each Get Ticket overwrites all
> existing tickets.
>
> Okay, I can fix this in the registry... but users can't, that's too difficult/risky, and I don't find a
> way to revert to the default credential cache from the GUI. Even the "Make default" trick does
> not work anymore as all tickets are MSLSA tickets.
>
> Any advice?
Sadly, this is a "patches welcome" moment -- the issue has been known for
several years but has not been a development priority. The best workaround
would be to clear the registry entry (and presumably you could prepare a
script/standalone tool to clear this specific registry key, that would be
safe for exposure to end users).
-Ben
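The "clear the registry entry" workaround above, as an added example that is not part of the thread and not an MIT/KfW-supplied tool. It assumes that KfW 4.x records the "Make default" choice as a REG_SZ value named `ccname` under `HKCU\Software\MIT\Kerberos5` (the per-user override krb5 consults after the KRB5CCNAME environment variable, before the machine-wide copy under HKLM); verify that against your own KfW build before handing the script to users. It removes only that one value, leaves the rest of the key alone, and honours `-WhatIf` so a help desk can dry-run it.

```powershell
# Added example, not from the mailing-list thread or from MIT Kerberos for Windows.
# Clears the per-user "default credential cache" override that the KfW GUI's
# "Make default" button writes, so krb5 falls back to its built-in default (API:).
#
# ASSUMPTION: the override lives in the REG_SZ value "ccname" under
# HKCU\Software\MIT\Kerberos5. Confirm this on your KfW 4.x install first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$KeyPath   = 'HKCU:\Software\MIT\Kerberos5',
    [string]$ValueName = 'ccname'
)

# Returns the override string, or $null if the key or the value is absent.
function Get-KfwDefaultCache {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if (-not ($props.PSObject.Properties.Name -contains $Name)) { return $null }
    return [string]$props.$Name
}

$current = Get-KfwDefaultCache -Path $KeyPath -Name $ValueName
if ($null -eq $current) {
    Write-Host "No per-user default cache override at $KeyPath\$ValueName; nothing to do."
    exit 0
}

Write-Host "Current per-user default cache override: '$current'"

# Remove just the one value. The key and any other KfW settings under it stay,
# which is what makes this safe to expose to end users (no regedit needed).
if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove registry value')) {
    Remove-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction Stop
    Write-Host 'Removed. Restart the KfW ticket manager (and Firefox) so the change takes effect.'
}

# A machine-wide override under HKLM would still be consulted once HKCU is clear;
# report it so the help desk knows why clearing HKCU alone might not be enough.
$machine = Get-KfwDefaultCache -Path 'HKLM:\Software\MIT\Kerberos5' -Name $ValueName
if ($null -ne $machine) {
    Write-Warning "Machine-wide override also present under HKLM: '$machine'. Removing it needs an administrator."
}
```

Run it as the affected user (`.\Clear-KfwDefaultCache.ps1 -WhatIf` first to see what would be removed, then without `-WhatIf`). After the value is gone, new "Get Ticket" requests should land in the API: cache again alongside the MSLSA: AD TGT, as the original poster describes for the working configuration.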