[20373] in Kerberos_V5_Development


Windows Credential Guard with MSLSA

daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Thu Jun 23 19:42:52 2022

From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Thu, 23 Jun 2022 23:40:59 +0000
Message-ID: <BYAPR10MB3479CCA660F2981FA559A2489DB59@BYAPR10MB3479.namprd10.prod.outlook.com>

Hello,

I am trying to use Windows Credential Guard with MSLSA.

Without Windows Credential Guard, Kerberos authentication works fine when AllowTgtSessionKey is set. This link https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys says that with Credential Guard active in Windows 10, you cannot enable sharing the TGT session keys with applications anymore.

I am trying to understand if there is a workaround to share TGT Session Keys with applications when Windows Credential Guard is used with MSLSA.

I read through several links found online, and per my understanding the TGT Session Keys are encrypted and stored within Credential Guard, and Credential Guard manages the storage and retrieval of the TGT Session Keys. I am looking for some kind of API call, and its related documentation if you have it, that could be invoked from the MIT library for Linux to be able to retrieve the TGT Session Keys when they are stored with Windows Credential Guard.

Please let me know.

Seshan
