ConstrainedDelegation and MSLSA
scot.mckinley at oracle.com
Tue Jun 7 16:39:37 EDT 2022
Hi all, in order to give further information about the scenario, it is
key to note that the MIT Kerberos portion of the runtime is NOT really
part of the constrained delegation. ie, IIS/ASP.NET does the constrained
delegation and thus points the current LSA user to the impersonated ID
from the front-end user. After which, MIT Kerberos is simply doing a
normal MSLSA client auth in order to USE the impersonated ID for the
My question is, because of the failure we are seeing, do we need to do
something different from a normal MSLSA client auth?
On 6/6/2022 11:28 AM, Scot McKinley wrote:
> Hi all, we are experiencing a problem in using MIT KerberosForWindow's
> (KfW) MSLSA in conjunction with ConstrainedDelegation. We are
> receiving the generic error:
> krb5_cc_get_principal(clt) failure (-1765328243)
> The setup is as such:
> * Client HTTP connection to ASP.NET/IIS mid-tier setup w/ constrained
> delegation turned on.
> * Mid-tier app attempts to acquire MSLSA credentials via MIT KfW,
> where it receives the above err.
> * Mid-tier app has ASP.NET setup to use credentials not generically
> setup for the ASP.NET worker processes. ie,an ID unique to the ASP.NET
> app in question, instead of the normal ASP.NET worker process
> Can you help in pointing us to what might be the problem or how we
> should go about debugging it? Specifically, is there someone unique to
> the constrainedDelegation that we need to do differently from normal
> credential acquisition?
> Thanks, Scot McKinley
> Oracle ODP Development
More information about the krbdev