[20440] in Kerberos_V5_Development
Re: [External] : Re: Windows Credential Guard with MSLSA
daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Wed Sep 6 03:48:08 2023
From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: Sam Hartman <hartmans@debian.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 6 Sep 2023 07:46:44 +0000
Message-ID: <BYAPR10MB347979C66F6BB72377D641429DEFA@BYAPR10MB3479.namprd10.prod.outlook.com>
In-Reply-To: <BYAPR10MB3479E8D157F4A9100FA7FA7A9DB49@BYAPR10MB3479.namprd10.prod.outlook.com>
Hi Sam
I am trying to revisit the question I asked a year ago. Could you please specify if the comments you mentioned below are specific to Windows Native or are applicable to both Windows and Linux?
Thanks
Seshan
From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
Date: Friday, June 24, 2022 at 9:26 AM
To: Sam Hartman <hartmans@debian.org>, krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
My question is specifically about MSLSA and Credential Guard. Suppose you have a Kerberos configuration with the credential cache specified as MSLSA, and on the KDC host the MSLSA is backed by Credential Guard, where the actual session keys are stored. That is the specific configuration I am referring to.
From: Sam Hartman <hartmans@debian.org>
Date: Friday, June 24, 2022 at 7:55 AM
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, krbdev@mit.edu <krbdev@mit.edu>
Subject: [External] : Re: Windows Credential Guard with MSLSA
It used to be the case that the MSLSA cache would work reasonably well
without TGT keys available.
Namely, if you retrieved a ticket the cache would ask the LSA to get the
ticket for you.
Does this no longer work?
If this does work, does it meet your needs?
If not, what functionality are you missing?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev