[16942] in Kerberos-V5-bugs

[krbdev.mit.edu #9127] Behavior of API krb5_get_credentials vary

daemon@ATHENA.MIT.EDU (Dipen Patel via RT)
Fri Jun 7 12:38:10 2024

From: "Dipen Patel via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To: <SA1PR15MB4515B9EC0704DB40E2D60EE2E7FB2@SA1PR15MB4515.namprd15.prod.outlook.com>
Message-ID: <rt-4.4.3-2-1342025-1717778284-521.9127-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9127":;
Date: Fri, 07 Jun 2024 12:38:04 -0400
MIME-Version: 1.0
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Fri Jun 07 12:38:04 2024: Request 9127 was acted upon.
 Transaction: Ticket created by Dipen.Patel@ibm.com
       Queue: krb5
     Subject: Behavior of API krb5_get_credentials vary
       Owner: Nobody
  Requestors: Dipen.Patel@ibm.com
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9127 >


On Windows 11, if Credential Guard is on and the Kerberos credential cache is stored in MSLSA, then the behavior of the API krb5_get_credentials varies.

Scenario 1: Credential Guard value as below
(result of PowerShell command)

PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
2
PS C:\Users\DipenPatel>

For this scenario, the API krb5_get_credentials with the Kerberos credential cache returns '0' as expected.

Scenario 2: Credential Guard value as below
(result of PowerShell command)

PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
PS C:\Users\DipenPatel>

For this scenario, the API krb5_get_credentials with the Kerberos credential cache returns '1' with error 'KRB5_CC_NOTFOUND'.


NOTE: The Windows documentation link to verify whether Credential Guard is enabled is below.
"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg"
