How does MIT Kerberos SDK work with MSLSA:
Benjamin Kaduk
kaduk at MIT.EDU
Mon Feb 4 18:14:30 EST 2013
On Tue, 29 Jan 2013, deepak kumar wrote:
> Hi All,
>
> I have been working on developing Client and a Service application for
> Windows as a prototype. These prototypes should do kerberos based mutual
> authentication where client should authenticate using the logged on
> credentials of the logged in windows user.
> I am using Kerberos for Windows 4.
>
> Now if I do klist MSLSA: on the command prompt, I get a list of service tickets
That does not seem to be a valid invocation of either Microsoft or MIT's
klist.exe.
> like
> HOST/........
> LDAP/.......
> cifs/.......
>
> but I don't see any krbtgt (TGT).
> But the client application still works as long as there is any service
> ticket available(visible in klist).
> After a while the service tickets expire and klist starts returning an empty list.
> At this time the client application starts to fail, saying the credential cache
> is empty.
>
> If I keep waiting for some time some other service ticket will
> automatically get generated and application will start working again.
>
> I know that setting the enabletgtsessionkey registry entry to true will allow
> us to see the TGT using klist, but we don't want to change any registry
> settings...
The installer for the KfW 4.0 series sets this registry entry to true.
> I want to know how the client application is working without a TGT, and why
> service tickets disappear after their expiry time. Is there any way to get them
> renewed automatically?
Basically, the MSLSA cache is a Microsoft thing, and it's designed to be
managed by Microsoft's tools as Microsoft intended. This is rather
different from how the MIT krb5 codebase would manage an API, DIR, or FILE
credentials cache. The KfW codebase goes through a lot of effort to
expose an interface to the LSA cache that looks like an MIT ccache, but
the LSA cache was designed in a different paradigm and things don't match
up exactly. In some sense, it is like trying to smash a square peg into a
round hole. If I remember correctly, in this situation, if we see a
service ticket in the cache, we assume that the MS libraries are
maintaining a TGT or TGT-like thing and thus we can behave to the outside
world as if we have a TGT. If there is no service ticket present, it is
not safe to make that assumption.
Given the philosophical mismatch, if you are developing against the MIT
krb5 libraries, unless you have a compelling reason to use the MSLSA
cache, I would recommend that your application use API (or MEMORY!)
credentials caches. You say that you want to use the logged on
credentials of the logged in windows user, which is probably a good enough
reason to try using the MSLSA cache. Have you considered developing your
application against the Windows SSPI, though?
-Ben Kaduk
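The reply above describes the behaviour of the MSLSA: view as a heuristic: when a service ticket is visible, the MIT library assumes the LSA is holding a TGT behind it. A practical consequence is that a client built on the MIT libraries can be kept working by making sure the LSA cache actually contains a service ticket before the client runs. The following PowerShell is an added example and not code from the thread or from the MIT krb5 project. It assumes the Microsoft klist.exe that ships with Windows (the `klist` listing output with `Server:` lines and the `klist get <SPN>` subcommand), and the SPN `HOST/dc01.example.com` is a placeholder for a real service in your realm. It also reads, but does not change, the AllowTgtSessionKey value under the LSA Kerberos parameters key, which is the registry entry the thread refers to.

```powershell
# Added example; not from the original thread. Assumes Windows klist.exe
# (klist / klist get <SPN>) and PowerShell 3 or later.
$Spn = 'HOST/dc01.example.com'   # hypothetical SPN, replace with a real one

function Get-LsaTicketSpns {
    # Parse the "Server: <spn> @ REALM" lines of Microsoft klist output
    # into a list of SPNs currently held in the LSA ticket cache.
    (& klist.exe 2>$null) | ForEach-Object {
        if ($_ -match '^\s*Server:\s*([^\s@]+)') { $Matches[1] }
    }
}

function Test-AllowTgtSessionKey {
    # The reply notes that the KfW 4.0 installer sets this value to 1.
    # Read it so the operator can see the state; do not modify it here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name AllowTgtSessionKey `
                             -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.AllowTgtSessionKey -eq 1)
}

function Request-ServiceTicket([string]$ServiceSpn) {
    # If the LSA cache already holds a ticket for the SPN, nothing to do.
    # Otherwise ask the LSA to fetch one (it uses its own TGT internally),
    # then re-check. Returns $true when the ticket is present afterwards.
    if ((Get-LsaTicketSpns) -contains $ServiceSpn) { return $true }
    & klist.exe get $ServiceSpn | Out-Null
    return ((Get-LsaTicketSpns) -contains $ServiceSpn)
}

# Usage: prime the LSA cache before starting an MIT-based client that
# opens the MSLSA: cache, and report the registry state for diagnosis.
$tgtKeyVisible = Test-AllowTgtSessionKey
$ready = Request-ServiceTicket $Spn
Write-Host "AllowTgtSessionKey set: $tgtKeyVisible; service ticket for $Spn present: $ready"
```

The script only asks the LSA for a ticket it is entitled to obtain for the logged-on user; it does not touch the registry. If `Request-ServiceTicket` still reports `$false`, the LSA itself could not obtain the ticket (no TGT, wrong SPN, or no KDC reachable), and that is a problem to diagnose on the Windows side rather than in the MIT client.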