[20444] in Kerberos_V5_Development


Re: [External] : Re: Windows Credential Guard with MSLSA

daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Wed Sep 6 17:06:52 2023

From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: Sam Hartman <hartmans@debian.org>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 6 Sep 2023 21:05:26 +0000
Message-ID: <BYAPR10MB3479F89B6F62CCEC96189C6F9DEFA@BYAPR10MB3479.namprd10.prod.outlook.com>
In-Reply-To: <tsly1hjt3wp.fsf@suchdamage.org>

Hi Sam
Let me make it clear.

I am using Linux Server / MIT Libraries for server and Windows Client. Microsoft Active Directory as KDC Host.

Scenario – 1
Credential cache stored with MSLSA – AllowTGTSessionKey <https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys> registry setting can be used to allow the Linux Kerberos MIT library to retrieve credential cache from KDC Host for forwardable TGTs.

Scenario – 2
Credential cache stored with Windows Credential Guard – Do not know of any solution that allows Linux Kerberos MIT library to retrieve cache from the Windows Credential Guard as it uses signed certificates. Looking for a solution.

Hope that helps.

Seshan

From: Sam Hartman <hartmans@debian.org>
Date: Wednesday, September 6, 2023 at 1:58 PM
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
>>>>> "Seshan" == Seshan Parameswaran <seshan.parameswaran@oracle.com> writes:

    Seshan> I am running on Oracle Enterprise Linux and using MIT
    Seshan> libraries.  I am aware of the AllowTgtSessionKey Registry
    Seshan> setting parameter that works when MSLSA is used without the
    Seshan> Credential Guard.  My query is specific to MSLSA used with
    Seshan> Windows Credential Guard.

Your question doesn't make sense.
MSLSA is not a Linux thing:
MS -> Microsoft
LSA -> local security authority

The LSA exists on Windows systems.
If you are not on a Windows system, you don't have one.

It may be that you want to be asking about credential guard and Linux.
But involving MSLSA or LSA in the discussion only confuses everyone.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

