Oracle ODP.NET use of MIT KfW

Scot McKinley scot.mckinley at oracle.com
Fri Jul 24 18:58:46 EDT 2020


Hi, thanks for the info Greg!

We are in the process of retesting the Credential Guard issue, and
will let you know shortly what we see.

Thanks, Scot

On 7/24/2020 2:46 PM, Greg Hudson wrote:
> On 7/24/20 4:41 PM, Scot McKinley wrote:
>> * The announcement pages for the KfW have quoted support for the exact
>> same Windows versions for at least 7 years, probably longer. The below
>> statement has been exactly the same for versions 4.0.1, 4.1 AND the new
>> 4.2beta1. Can we get it updated?
> I've made a note to update it.
>
>> * The Microsoft Credential Guard blocks acquisition of Windows domain
>> based TGTs, thus blocking MSLSA based KfW credential acquisition. Has
>> this been addressed in 4.2beta1 or are there plans to address it (e.g., by
>> switching to an SSPI based credential acquisition)?
> When using the MSLSA cache, KfW attempts to acquire credentials via the
> SSPI (LsaCallAuthenticationPackage with
> KERB_RETRIEVE_TICKET_CACHE_TICKET).  For local-realm use, it should not
> be necessary to retrieve the TGT.
>
> If Credential Guard is blocking even the obtaining of service tickets by
> applications (I'm not clear on whether this is true), then it's
> conceivable that libgssapi_krb5 could use the LSA to obtain GSS tokens,
> bypassing libkrb5 altogether.  At that point it might be simpler to use
> a GSS shim to the Microsoft krb5 implementation, which I believe already
> exists.

