question on calling lsalogonuser using tickets generated by mit kerberos

abhisi@live.com abhisi at live.com
Thu Sep 8 21:07:54 EDT 2011





Hi All,

I am trying to use an MIT Kerberos ticket (that was received from a Windows KDC) for SSO on Windows. I
am performing the following steps to achieve that:



1. Generate a TGT and TGS (host service ticket) on Linux using MIT Kerberos for a
remote Windows machine from a Windows KDC. Using kinit, we
get a TGT (with forwarded flag) + TGS (host\windows machine name).



2. Copy the TGT and service ticket to the Windows computer.

3. Read the MIT Kerberos TGT and service ticket and use them in the Windows API
LsaLogonUser with the KERB_TICKET_LOGON structure:

http://msdn.microsoft.com/en-us/library/aa378292(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa378143(v=vs.85).aspx






The LsaLogonUser API returns error code 0xc000009a (STATUS_INSUFFICIENT_RESOURCES)
when using the TGT and the TGS. On looking at the MIT Kerberos ticket and the Windows
Kerberos ticket (obtained using Windows APIs) in a binary editor, it looks like the MIT
ticket has an additional header, which I had deleted manually.

 

However, when we use only the TGS for calling LsaLogonUser we succeed and we get a successful token
handle. So we have been unable to place the TGT in that logon session, so when
using both the TGT and TGS we get the above error.



Does anyone know whether this (using a Kerberos ticket generated using MIT on
Linux and then using it for calling LsaLogonUser) is possible? I have tested the
same steps with Windows Kerberos on Windows OS and it works fine.

1) Get the TGT and the TGS on a Windows machine for a remote Windows machine and then copy
the tickets over to the remote machine.

2) Use those tickets to call into LsaLogonUser and it is successful.



Any pointers would be helpful.

Regards,
AB

 		 	   		  

