[20380] in Kerberos_V5_Development
Re: Windows Credential Guard with MSLSA
daemon@ATHENA.MIT.EDU (Srinivas Cheruku)
Mon Jun 27 01:33:34 2022
From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
To: Sam Hartman <hartmans@debian.org>,
Seshan Parameswaran
<seshan.parameswaran@oracle.com>,
"krbdev@mit.edu" <krbdev@mit.edu>
Date: Mon, 27 Jun 2022 05:32:31 +0000
Message-ID: <MAZPR01MB7200A40D9B8AF7F78D31BB2EF6B99@MAZPR01MB7200.INDPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <0100018196358cab-fe0f74a3-7e55-4981-9ddc-a690081e82d0-000000@email.amazonses.com>
Yes, when using MS LSA APIs (CyberSafe implementation) and retrieving tickets, we don’t need to set the AllowTgtSessionKey registry, as MS LSA APIs are able to get the TGT and service tickets for you and the code doesn’t need to know the session keys.
We even tested with Credential Guard (some months back) running and MS LSA APIs were able to get tickets without any issues on Windows.
Can I know why you want to get the TGT session key when using MS LSA APIs?
I haven’t used the MS LSA library for Linux, so I am not very sure about this.
Thanks,
Srini
From: krbdev <krbdev-bounces@mit.edu> on behalf of Sam Hartman <hartmans@debian.org>
Date: Friday, 24 June 2022 at 20:28
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: Windows Credential Guard with MSLSA
It used to be the case that the MSLSA cache would work reasonably well
without TGT keys available.
Namely, if you retrieved a ticket the cache would ask the LSA to get the
ticket for you.
Does this no longer work?
If this does work, does it meet your needs?
If not, what functionality are you missing?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev