[External] : Re: Windows Credential Guard with MSLSA

Seshan Parameswaran seshan.parameswaran at oracle.com
Sun Jun 26 01:28:15 EDT 2022

My issue is specific to Linux.  To your point of use the KfW , I am looking for something similar to be used with Linux wherein I would be able to use the MSLSA cache with AllowTgtSessionKey=false.  That would work with Credential Guard I presume.

From: Benjamin Kaduk <kaduk at mit.edu>
Date: Saturday, June 25, 2022 at 10:07 PM
To: Seshan Parameswaran <seshan.parameswaran at oracle.com>
Cc: Sam Hartman <hartmans at debian.org>, krbdev at mit.edu <krbdev at mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
I have no data about scenarios with credential guard.

Almost a decade ago, when I was working on KfW, I was able to use the MSLSA cache
with AllowTgtSessionKey=false, with the KfW logic essentially being "if the
application asks for a ticket, assume that if the LSA shows anything at
all, we have some credentials, so ask the LSA for the specific (session)
ticket we want".  (IIRC the triggering condition at the time was that
AllowTgtSessionKey stopped having an effect for users that are local
administrators, but I could be misremembering.)

This was of course on native Windows, not using a MSLSA library for linux.


On Fri, Jun 24, 2022 at 06:00:14PM +0000, Seshan Parameswaran wrote:
> If I understood your comments correctly you were asking about how MSLSA used to work without the TGT keys available.  My experience is the other way around.  Even with just the MSLSA configuration without the credential guard,  without the AllowTgtSessionKey setting in the KDC host registry key setting the MSLSA Kerberos configuration would not work.  Please let me know if you have a way around for this as well as the credential guard.  Please keep in mind that this a Linux with MSLSA Library for Linux and not windows
> From: Sam Hartman <hartmans at debian.org>
> Date: Friday, June 24, 2022 at 10:36 AM
> To: Seshan Parameswaran <seshan.parameswaran at oracle.com>, krbdev at mit.edu <krbdev at mit.edu>
> Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
> >>>>> "Seshan" == Seshan Parameswaran <seshan.parameswaran at oracle.com> writes:
>     Seshan> My question is specifically about MSLSA and Credential
>     Seshan> Guard.  If you have a Kerberos Configuration with the
>     Seshan> credential cache specified as MSLSA in the Kerberos
>     Seshan> Configuration and in the KDC host the MSLSA is backed by
>     Seshan> Credential Guard where the actual session keys are stored.
> I understood that, and my comments were in that context.
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://urldefense.com/v3/__https://mailman.mit.edu/mailman/listinfo/krbdev__;!!ACWV5N9M2RV99hQ!IK5PJ7GtJ_3yTSSk81TXvnfPJB7h5GBu7qU_G2cldBjtcgA1_MzF8FJjqsrGdLQBHPcykiJeyM1oHpYy2Blc$<https://urldefense.com/v3/__https:/mailman.mit.edu/mailman/listinfo/krbdev__;!!ACWV5N9M2RV99hQ!IK5PJ7GtJ_3yTSSk81TXvnfPJB7h5GBu7qU_G2cldBjtcgA1_MzF8FJjqsrGdLQBHPcykiJeyM1oHpYy2Blc$>

More information about the krbdev mailing list