[External] : Re: Windows Credential Guard with MSLSA

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Sep 7 13:25:04 EDT 2023


>A sample implementation of S4U operations using raw Kerberos 5 API can
>be found in kvno utility source code.

I did see that!  But it is a little unclear to me how exactly that
works in an application server.

Hm, it is entirely possible I am overthinking it a bit; it seems
like the "normal" case is you just use the regular service ticket as
the evidence ticket.  So I guess that would look like:

- The client is unchanged (well, they don't forward a TGT)
- The application server gets a TGT for itself using its own service key
  (tons of ways of doing that) and places that in a credential cache.
- The application server takes the decrypted ticket from krb5_rd_req()
  (or the equivalent) and calls krb5_get_credentials_for_proxy() to
  perform the S4U2Proxy request.  Sadly, krb5_get_credentials_for_proxy()
  is not in the public krb5.h header file.  Sigh.

--Ken

