Windows Credential Guard with MSLSA

Seshan Parameswaran seshan.parameswaran at
Mon Jun 27 14:09:03 EDT 2022

No I do not have the code that works with MS LSA APIs.  The compatibility of MS LSA APIs with Linux is what I am trying to figure out.  Is there any documentation of MS LSA APIs that someone can point me to?

From: Srinivas Cheruku <srinivas.cheruku at>
Date: Monday, June 27, 2022 at 12:40 AM
To: Seshan Parameswaran <seshan.parameswaran at>, krbdev at <krbdev at>
Subject: [External] : Re: Windows Credential Guard with MSLSA
As said before there is no need to set AllowTgtSessionKey for retrieving tickets when using MS LSA APIs.

If you remove the Credential Guard from the context, do you have the code that works on Linux using MS LSA APIs? If this is the case, even when using Credential Guard on Linux, the same code should work fine as I found it to be working (able to get tgt and service tickets) on Windows when Credential Guard is used.


From: Seshan Parameswaran <seshan.parameswaran at>
Date: Monday, 27 June 2022 at 12:10
To: Srinivas Cheruku <srinivas.cheruku at>, Sam Hartman <hartmans at>, krbdev at <krbdev at>
Subject: Re: Windows Credential Guard with MSLSA
I am not looking to get the TGT Session Key but rather achieve the same functionality that AllowTGTSessionKey would with credential cache stored in MSLSA, that is obtain TGT and Service Tickets, in a Linux environment, with MSLSA fronting Credential Guard that the LSA APIs would be interacting with to retrieve the TGT and service tickets.  The scenario in a gist is as follows in Linux environment

  1.  When the credential cache is stored in MSLSA, we can set the LSA Kerberos parameter AllowTgtSessionKey and use MIT library to retrieve the TGT.
  2.  With Windows Credential Guard,  it is not possible to enable sharing the TGT session keys with applications using the AllowTgtSessionKey as it is maintained and managed by Windows Credential Guard.  However with Windows MIT Library it seems to be possible to invoke innate API calls as you have mentioned to obtain the TGT.  When it comes to Linux, I am not aware of any such API or patch for that matter, that when used would work seamlessly with Windows Credential Guard.  I am looking for this specific information.
From: Srinivas Cheruku <srinivas.cheruku at>
Date: Sunday, June 26, 2022 at 10:32 PM
To: Sam Hartman <hartmans at>, Seshan Parameswaran <seshan.parameswaran at>, krbdev at <krbdev at>
Subject: [External] : Re: Windows Credential Guard with MSLSA
Yes, when using MS LSA APIs (CyberSafe implementation) and retrieving tickets we don’t need to set AllowTgtSessionKey registry as MS LSA APIs are able to get the tgt and service tickets for you and the code don’t need to know the session keys.

We even tested with Credential Guard (some months back) running and MS LSA APIs were able to get tickets without any issues on Windows.

Can I know why you want get the TGT session key when using MS LSA APIs?

I haven’t use MS LSA library for Linux and so I am not very sure on this.


From: krbdev <krbdev-bounces at> on behalf of Sam Hartman <hartmans at>
Date: Friday, 24 June 2022 at 20:28
To: Seshan Parameswaran <seshan.parameswaran at>, krbdev at <krbdev at>
Subject: Re: Windows Credential Guard with MSLSA

It used to be the case that the MSLSA cache would work reasonably well
without TGT keys available.
Namely, if you retrieved a ticket the cache would ask the LSA to get the
ticket for you,.
Does this no longer work?
If this does work, does it meet your needs?
If not, what functionality are you missing?
krbdev mailing list             krbdev at<;!!ACWV5N9M2RV99hQ!Mv_LlWSkcRZbZjk7uTFHDMDJ5VvIkznmELt6VdKEqToGhCQmSgAGWG1xvzgQHGHhsU73BkCE-oKDRsQOHEYbN_WVQ0s5o9rdow$>

More information about the krbdev mailing list