ConstrainedDelegation and MSLSA

Scot McKinley scot.mckinley at
Mon Jun 6 14:28:48 EDT 2022

Hi all, we are experiencing a problem in using MIT KerberosForWindow's 
(KfW) MSLSA in conjunction with ConstrainedDelegation.  We are receiving 
the generic error:

krb5_cc_get_principal(clt) failure (-1765328243)

The setup is as such:

* Client HTTP connection to ASP.NET/IIS mid-tier setup w/ constrained 
delegation turned on.

* Mid-tier app attempts to acquire MSLSA credentials via MIT KfW, where 
it receives the above err.

* Mid-tier app has ASP.NET setup to use credentials not generically 
setup for the ASP.NET worker processes. ie,an ID unique to the ASP.NET 
app in question, instead of the normal ASP.NET worker process credentials.

Can you help in pointing us to what might be the problem or how we 
should go about debugging it? Specifically, is there someone unique to 
the constrainedDelegation that we need to do differently from normal 
credential acquisition?

Thanks, Scot McKinley
Oracle ODP Development

More information about the krbdev mailing list