ConstrainedDelegation and MSLSA
scot.mckinley at oracle.com
Mon Jun 6 14:28:48 EDT 2022
Hi all, we are experiencing a problem in using MIT KerberosForWindow's
(KfW) MSLSA in conjunction with ConstrainedDelegation. We are receiving
the generic error:
krb5_cc_get_principal(clt) failure (-1765328243)
The setup is as such:
* Client HTTP connection to ASP.NET/IIS mid-tier setup w/ constrained
delegation turned on.
* Mid-tier app attempts to acquire MSLSA credentials via MIT KfW, where
it receives the above err.
* Mid-tier app has ASP.NET setup to use credentials not generically
setup for the ASP.NET worker processes. ie,an ID unique to the ASP.NET
app in question, instead of the normal ASP.NET worker process credentials.
Can you help in pointing us to what might be the problem or how we
should go about debugging it? Specifically, is there someone unique to
the constrainedDelegation that we need to do differently from normal
Thanks, Scot McKinley
Oracle ODP Development
More information about the krbdev