ConstrainedDelegation and MSLSA

Scot McKinley scot.mckinley at
Tue Jun 7 16:39:37 EDT 2022

Hi all, in order to give further information about the scenario, it is 
key to note that the MIT Kerberos portion of the runtime is NOT really 
part of the constrained delegation. ie, IIS/ASP.NET does the constrained 
delegation and thus points the current LSA user to the impersonated ID 
from the front-end user. After which, MIT Kerberos is simply doing a 
normal MSLSA client auth in order to USE the impersonated ID for the 
client ticket.

My question is, because of the failure we are seeing, do we need to do 
something different from a normal MSLSA client auth?

Thanks, Scot

On 6/6/2022 11:28 AM, Scot McKinley wrote:
> Hi all, we are experiencing a problem in using MIT KerberosForWindow's 
> (KfW) MSLSA in conjunction with ConstrainedDelegation.  We are 
> receiving the generic error:
> krb5_cc_get_principal(clt) failure (-1765328243)
> The setup is as such:
> * Client HTTP connection to ASP.NET/IIS mid-tier setup w/ constrained 
> delegation turned on.
> * Mid-tier app attempts to acquire MSLSA credentials via MIT KfW, 
> where it receives the above err.
> * Mid-tier app has ASP.NET setup to use credentials not generically 
> setup for the ASP.NET worker processes. ie,an ID unique to the ASP.NET 
> app in question, instead of the normal ASP.NET worker process 
> credentials.
> Can you help in pointing us to what might be the problem or how we 
> should go about debugging it? Specifically, is there someone unique to 
> the constrainedDelegation that we need to do differently from normal 
> credential acquisition?
> Thanks, Scot McKinley
> Oracle ODP Development
> 650-533-7932

More information about the krbdev mailing list