[krbdev.mit.edu #9127] Behavior of API krb5_get_credentials vary
    Dipen Patel via RT 
    rt-comment at kerborg-prod-app-1.mit.edu
       
    Fri Jun  7 12:38:04 EDT 2024
    
    
  
Fri Jun 07 12:38:04 2024: Request 9127 was acted upon.
 Transaction: Ticket created by Dipen.Patel at ibm.com
       Queue: krb5
     Subject: Behavior of API krb5_get_credentials vary
       Owner: Nobody
  Requestors: Dipen.Patel at ibm.com
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9127 >
On Windows 11, if Credential Guard is on and the Kerberos credential cache is stored in MSLSA, then the behavior of the API krb5_get_credentials varies.

Scenario 1: Credential Guard value as below.
Result of PowerShell command:
PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
2
PS C:\Users\DipenPatel>
For this scenario, the API krb5_get_credentials with the Kerberos credential cache returns '0', as expected.

Scenario 2: Credential Guard value as below.
Result of PowerShell command:
PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
PS C:\Users\DipenPatel>
For this scenario, the API krb5_get_credentials with the Kerberos credential cache returns '1', with error 'KRB5_CC_NOTFOUND'.

NOTE: The Windows documentation link to verify whether Credential Guard is enabled is below.
"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg"
    
    