Re: MIT Kerberos for Windows failing with Windows 10 update 1803?
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Sun Jun 17 21:56:19 2018
Date: Sun, 17 Jun 2018 20:55:56 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20180618015555.GD64971@kduck.kaduk.org>
In-Reply-To: <d6d304c8-722e-6919-6cd4-cbe30040c3dc@mit.edu>
Cc: Ruurd Beerstra <ruurdb@wxs.nl>, kerberos@mit.edu
On Sun, Jun 17, 2018 at 04:35:50PM -0400, Greg Hudson wrote:
> On 06/17/2018 02:02 PM, Ruurd Beerstra wrote:
> > The symptoms are that I can obtain a TGT from my KDC (which ends up in
> > the LSA of Windows), but every attempt to use that TGT to obtain a
> > service ticket yields an error:
> > Matching credential not found.
>
> Unfortunately, our mailing list server doesn't pass through attachments,
> so while I briefly saw your screenshots before moderating through your
> message, they didn't make it to the list (and I didn't keep a copy).
>
> I believe the correct short answer is to use the "API:" ccache instead
> of the "MSLSA:" ccache for this setup.
>
> For some time Windows has restricted access to TGT session keys in the
> LSA, which means our libkrb5 code can't use a TGT from the LSA to get
> service tickets. Instead, our MSLSA ccache type requests service
> tickets via Windows, but that only works if the realm is set up in the
> LSA configuration. Since you are using an MIT krb5 KDC, I am guessing
> that it is not set up in the LSA configuration, so we fall back to
> trying to get service tickets using the TGT.
Does this mean that you think setting the appropriate entries under
SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains would resolve
the issue?
-Ben
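As an added illustration of the two points raised in this exchange (whether the realm is registered with the Windows LSA, and switching MIT krb5 from the MSLSA: ccache to the API: ccache), here is a read-only PowerShell check. It is not code from the thread or from MIT Kerberos; it assumes the per-realm subkey layout under Lsa\Kerberos\Domains and the KdcNames value as written by "ksetup /addkdc", and EXAMPLE.REALM is a placeholder realm name.

```powershell
# Added example, not part of the original thread.
# Reports whether a realm is known to the Windows LSA (what the MSLSA: ccache
# needs to request service tickets via Windows) and what KRB5CCNAME is set to.
# Assumption: realm subkeys and the KdcNames REG_MULTI_SZ value follow the
# layout that "ksetup /addkdc" creates.

function Test-LsaRealmConfigured {
    param([Parameter(Mandatory)][string]$Realm)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$($Realm.ToUpperInvariant())"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Realm = $Realm; Configured = $false; KdcNames = @() }
    }
    $props = Get-ItemProperty -Path $key
    return [pscustomobject]@{
        Realm      = $Realm
        Configured = $true
        KdcNames   = @($props.KdcNames)   # KDC hosts registered for this realm
    }
}

function Get-KerberosCcacheSetting {
    # KRB5CCNAME selects the ccache type MIT krb5 uses (e.g. "MSLSA:" or "API:").
    $name = [Environment]::GetEnvironmentVariable("KRB5CCNAME", "User")
    if (-not $name) { $name = "(unset: library default)" }
    return $name
}

# Usage with a placeholder realm name
$result = Test-LsaRealmConfigured -Realm "EXAMPLE.REALM"
if ($result.Configured) {
    "LSA knows $($result.Realm); KDCs: $($result.KdcNames -join ', ')."
    "MSLSA: can ask Windows for service tickets for this realm."
} else {
    "LSA does not know $($result.Realm); MSLSA: falls back to using the TGT,"
    "whose session key Windows withholds. The fix suggested in the thread is"
    "the API: ccache for this user, e.g."
    '  [Environment]::SetEnvironmentVariable("KRB5CCNAME", "API:", "User")'
    "Registering the realm (ksetup /addkdc, as administrator) is the open question above."
}
"Current KRB5CCNAME: $(Get-KerberosCcacheSetting)"
```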
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos