[20369] in Kerberos_V5_Development


ConstrainedDelegation and MSLSA

daemon@ATHENA.MIT.EDU (Scot McKinley)
Mon Jun 6 14:38:42 2022

Message-ID: <b7d868f3-cfd4-41d1-d31d-6802bc2af2d1@oracle.com>
Date: Mon, 6 Jun 2022 11:28:48 -0700
Content-Language: en-US
To: krbdev@mit.edu, ghudson@mit.edu
From: Scot McKinley <scot.mckinley@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi all, we are experiencing a problem in using MIT Kerberos for Windows'
(KfW) MSLSA in conjunction with ConstrainedDelegation.  We are receiving 
the generic error:

krb5_cc_get_principal(clt) failure (-1765328243)

The setup is as such:

* Client HTTP connection to ASP.NET/IIS mid-tier setup w/ constrained 
delegation turned on.

* Mid-tier app attempts to acquire MSLSA credentials via MIT KfW, where 
it receives the above err.

* Mid-tier app has ASP.NET set up to use credentials not generically
set up for the ASP.NET worker processes, i.e., an ID unique to the ASP.NET
app in question, instead of the normal ASP.NET worker process credentials.

Can you help in pointing us to what might be the problem or how we 
should go about debugging it? Specifically, is there something unique to
the constrainedDelegation that we need to do differently from normal 
credential acquisition?

Thanks, Scot McKinley
Oracle ODP Development
650-533-7932

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

