Oracle ODP.NET use of MIT KfW

Scot McKinley scot.mckinley at oracle.com
Mon Aug 10 14:49:32 EDT 2020


Hi Greg, sorry for the late reply. Our testing team had trouble getting 
an environment that could test Credential Guard. However, they got an 
environment up and have verified that KfWindows works with Credential 
Guard, as you stated.

Can you please update the website for the compatibility support list?

Thanks, Scot

On 7/24/2020 3:58 PM, Scot McKinley wrote:
> Hi, thanks for the info Greg!
>
> We are in the process of retesting the Credential Guard issue, and 
> will let you know shortly what we see.
>
> Thanks, Scot
>
> On 7/24/2020 2:46 PM, Greg Hudson wrote:
>> On 7/24/20 4:41 PM, Scot McKinley wrote:
>>> * The announcement pages for the KfW have quoted support for the exact
>>> same Windows versions for at least 7 years, probably longer. The below
>>> statement has been exactly the same for versions 4.0.1, 4.1 AND the new
>>> 4.2beta1. Can we get it updated?
>> I've made a note to update it.
>>
>>> * The Microsoft Credential Guard blocks acquisition of Windows domain
>>> based TGTs, thus blocking MSLSA based KfW credential acquisition. Has
>>> this been addressed in 4.2beta1 or are there plans to address it
>>> (e.g., by switching to an SSPI based credential acquisition)?
>> When using the MSLSA cache, KfW attempts to acquire credentials via the
>> SSPI (LsaCallAuthenticationPackage with
>> KERB_RETRIEVE_TICKET_CACHE_TICKET).  For local-realm use, it should not
>> be necessary to retrieve the TGT.
>>
>> If Credential Guard is blocking even the obtaining of service tickets by
>> applications (I'm not clear on whether this is true), then it's
>> conceivable that libgssapi_krb5 could use the LSA to obtain GSS tokens,
>> bypassing libkrb5 altogether.  At that point it might be simpler to use
>> a GSS shim to the Microsoft krb5 implementation, which I believe already
>> exists.

