Please direct me to the resources that can answer the following:
* We have an open case with MS Premier Support and Kerberos for Windows
4.0.1 states "Integration with the Windows LSA credentials cache"
* We are using .NET webclient and can't seem to get the client to use the
tickets in the cache. Tickets are stored in the location specified by
environment variable
* See support case below
From: Frank Kim [mailto:frank@microsoft.com]
Sent: Thursday, October 15, 2015 1:59 AM
To: Binder, Dale
Cc: MSSolve Case Email; Shmain, Jeffrey
Subject: RE: Kerberos issues -> RE: [REG:115100513230017] Clarify the account
infrastructure.
Hi Dale,
In regards to the code below, the .NET code will not know anything about the
location of the MIT tickets at:
C:\Users\nbkvw7l\KerberosCacheFile\krb5cache
Kerberos tickets in Windows are stored in LSASS.exe. Internally, .NET uses
the SSPI APIs to implement Kerberos. You pass the user's credentials to SSPI
by calling AcquireCredentialsHandle(). AcquireCredentialsHandle() obtains this
in LSASS.exe as well. Internally, SSPI is implemented using the LSA APIs which
are used to interface with LSASS.exe.
The reason I have suggested using the MIT GSS APIs is because they would be
aware of the krb5cache. I am going to assume that Java uses the MIT GSS APIs
which is why things work for you.
I've read some of the docs on MIT Kerberos which indicate they store their
credentials in LSA's cache for 4.0.0. Here is the link I referenced.
http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html
They mention the following, "Integration with the Windows LSA credentials
cache."
They don't elaborate on what this means so you would need somebody familiar
with this project to address the true meaning of this. If the following call:
GetTGT()
If this associated the MIT ticket with the current user.
The only option I could see is the following:
credentialCache.Add(new Uri("http://lpnoe0vupotd1i.bankofamerica.com:20550/;),
"Kerberos", CredentialCache.DefaultNetworkCredentials);
I'm not sure if you have tried this.
The other code below will not work just for the fact that .NET doesn't know
anything about MIT Kerberos and it's tickets. It only know about Kerberos
Tickets created by Windows and stored in LSASS. This is why you have to use
the specific GSS APIs provided by MIT.
Finally about 20 years ago, Microsoft did create a GSS API whose interface was
compatible with GSS APIs from MIT. What this meant was that you could take an
application written on Linux and rebuild it on Windows to run in the POSIX
subsystem. This is what they meant by GSS API compatibility. The interface
was compatible so a Linux developer did not have to rewrite their code to use
SSPI. (Internally, the GSS API offered by Microsoft was just a wrapper around
SSPI).
Thanks
Frank Kim (frank@microsoft.com)
Sr. Escalation Engineer
Developer Tools - Windows SDK
+1 (425) 538 0692
Typical Hours - 8:30 - 17:30
(UTC-08:00) Pacific Standard Time (US & Canada)
Meeting and exceeding your expectations are my top priorities. We are
interested in any feedback you might have about the service you received on
this incident. Please let my manager, John Hornick, know what you think of the
level of service provided; email
john.horn...@microsoft.com, or even call
425-538-0721
Dale Binder
Develop and Manage
Cyber Security Technology
Global Information Security
Bank of America
40 N Main Street
Dayton, OH 45423
937.938.1138 (work)
937.438.3507 (cell)
[cid:image001.jpg@01CC42B3.9D534100]
--
This message, and any attachments, is for the intended recipient(s) only, may
contain information that is privileged, confidential and/or proprietary and
subject to important terms and conditions available at
http://www.bankofamerica.com/emaildisclaimer. If you are not the intended
recipient, please delete this message.
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
