[20379] in Kerberos_V5_Development
Re: [External] : Re: Windows Credential Guard with MSLSA
daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Sun Jun 26 01:29:27 2022
From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Sam Hartman <hartmans@debian.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Sun, 26 Jun 2022 05:28:15 +0000
Message-ID: <BYAPR10MB34798E9956B8F9C5C524DE7B9DB69@BYAPR10MB3479.namprd10.prod.outlook.com>
In-Reply-To: <20220626050637.GL26442@kduck.mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
My issue is specific to Linux. To your point about using KfW, I am looking for something similar to be used with Linux, wherein I would be able to use the MSLSA cache with AllowTgtSessionKey=false. That would work with Credential Guard, I presume.
From: Benjamin Kaduk <kaduk@mit.edu>
Date: Saturday, June 25, 2022 at 10:07 PM
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>
Cc: Sam Hartman <hartmans@debian.org>, krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
I have no data about scenarios with credential guard.
Almost a decade ago, when I was working on KfW, I was able to use the MSLSA cache
with AllowTgtSessionKey=false, with the KfW logic essentially being "if the
application asks for a ticket, assume that if the LSA shows anything at
all, we have some credentials, so ask the LSA for the specific (session)
ticket we want". (IIRC the triggering condition at the time was that
AllowTgtSessionKey stopped having an effect for users that are local
administrators, but I could be misremembering.)
This was of course on native Windows, not using an MSLSA library for Linux.
-Ben
On Fri, Jun 24, 2022 at 06:00:14PM +0000, Seshan Parameswaran wrote:
> If I understood your comments correctly, you were asking about how MSLSA used to work without the TGT keys available. My experience is the other way around. Even with just the MSLSA configuration, without Credential Guard, the MSLSA Kerberos configuration would not work without the AllowTgtSessionKey setting in the KDC host registry key. Please let me know if you have a way around this, as well as around Credential Guard. Please keep in mind that this is Linux with the MSLSA Library for Linux, and not Windows.
>
> From: Sam Hartman <hartmans@debian.org>
> Date: Friday, June 24, 2022 at 10:36 AM
> To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, krbdev@mit.edu <krbdev@mit.edu>
> Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
> >>>>> "Seshan" == Seshan Parameswaran <seshan.parameswaran@oracle.com> writes:
>
> Seshan> My question is specifically about MSLSA and Credential
> Seshan> Guard. If you have a Kerberos Configuration with the
> Seshan> credential cache specified as MSLSA in the Kerberos
> Seshan> Configuration and in the KDC host the MSLSA is backed by
> Seshan> Credential Guard where the actual session keys are stored.
>
>
> I understood that, and my comments were in that context.
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
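The thread turns on two Windows-side settings: the AllowTgtSessionKey DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which controls whether LSA will hand a TGT session key to applications, and whether Credential Guard is running, since Credential Guard blocks extraction of the TGT and its session key from LSA regardless of that registry value. The following PowerShell check is an added example, not code from the thread, from MIT krb5 or from Oracle; it is run on the Windows machine whose LSA credential cache is being consumed (not on a Linux client), and the function names are my own. It reads the registry value and queries the Win32_DeviceGuard CIM class, whose SecurityServicesRunning array contains 1 when Credential Guard is active.

```powershell
# Added example: check the two LSA-side settings the krbdev discussion depends on.
# Run on the Windows host whose MSLSA cache is being read; not part of the original thread.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-AllowTgtSessionKey {
    # Returns the DWORD value, or 0 when the value is absent (absent means disabled).
    $props = Get-ItemProperty -Path $kerbParams -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.AllowTgtSessionKey) { return 0 }
    return [int]$props.AllowTgtSessionKey
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard exists on Windows 10 / Server 2016 and later; treat absence as "not running".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $false }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

$allow = Get-AllowTgtSessionKey
$cg    = Test-CredentialGuardRunning

"AllowTgtSessionKey      = $allow"
"Credential Guard running = $cg"

if ($cg) {
    Write-Warning 'Credential Guard is running: LSA will not release the TGT session key, so a krb5 client using the MSLSA: cache cannot obtain it even if AllowTgtSessionKey=1.'
} elseif ($allow -ne 1) {
    Write-Warning 'AllowTgtSessionKey is not set to 1: krb5 clients that need the TGT session key from the MSLSA: cache will fail.'
} else {
    'TGT session key export is permitted; MSLSA: cache consumers needing the session key should work.'
}
```

Reading the registry value works as a standard user; the DeviceGuard CIM query may require an elevated session on some builds, in which case the function reports $false and the script should be rerun elevated before drawing conclusions.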