[38254] in Kerberos
MIT Kerberos for Windows failing with Windows 10 update 1803?
daemon@ATHENA.MIT.EDU (Ruurd Beerstra)
Sun Jun 17 15:38:48 2018
To: kerberos@mit.edu
From: Ruurd Beerstra <ruurdb@wxs.nl>
Message-ID: <5af4529f-b553-87a7-9a49-db9090caa1d3@wxs.nl>
Date: Sun, 17 Jun 2018 20:02:47 +0200
Hi,
I'm the developer of a Windows SSH/Telnet client (called IVT) that supports
both GSSAPI authentication and Kerberized telnet.
I've noticed that the setup I use for regression testing now finds
errors for both protocols: Login fails.
After a lot of digging, I'm suspecting the Windows 10 privacy update (1803)
that was pushed to my development workstation a short while ago.
The symptoms are that I can obtain a TGT from my KDC (which ends up in
the LSA of Windows), but every attempt to use that TGT to obtain a
service ticket yields an error:
Matching credential not found.
When I install a copy of the software on a Windows 7 Virtual Box machine
(same network, same KDC, same user/principal, same IVT version, same
Kerberos for Windows version 4.1, etc) it works flawlessly.
I was about to go single stepping through my code to find the problem,
but when I woke the PC to start work on that, I noticed that the MIT
software itself has the same problem!
This popup appeared:
So that is Kerberos for Windows trying to refresh my credentials and
running into the very same error.
Apparently it cannot access the TGT either.
I found this article
https://www.csoonline.com/article/3253899/windows/the-best-new-windows-10-security-features.html
about all sorts of new security features in Windows 10 and that sounds
like Microsoft may have changed something that breaks Kerberos?
When I use a sniffer on my network I can see that there is no
communication between my Telnet client and the KDC when it is supposed
to request a ticket for the host I'm logging in to.
So there is no error logged on the KDC either (I just see an entry when
I log in to get my TGT).
Some details about the environment:
- KDC is MIT version krb5-1.16.1
- kfw-4.1-amd64.msi, freshly (re)installed
- Target is a Linux box with a ktelnetd on it, but all that does is
say "DO AUTH" and then when I try to get a ticket it fails.
- PC is Windows 10 Home edition, version 1803 build 17134.112
Everything worked until about two weeks ago (1803 was installed on the 5th
of June).
I can get my TGT:
but that is all I ever see, no tickets for the host I'm trying to log in to.
Insights very much appreciated, please reply to ruurdb@wxs.nl.
Regards,
Ruurd Beerstra