[20446] in Kerberos_V5_Development
Re: [External] : Re: Windows Credential Guard with MSLSA
daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Wed Sep 6 18:55:38 2023
From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: Simo Sorce <simo@redhat.com>, Sam Hartman <hartmans@debian.org>,
"krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 6 Sep 2023 22:54:26 +0000
Message-ID: <BYAPR10MB3479BEBF0B41FA36C7E579C29DEFA@BYAPR10MB3479.namprd10.prod.outlook.com>
In-Reply-To: <c104c8ba2c141e2ce0153622984352955693fded.camel@redhat.com>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Ok, constrained delegation using Linux MIT libraries requires an implementation of GSSAPI per MIT documentation https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/gssapi.html#:~:text=To%20perform%20a%20constrained%20delegation,if%20the%20KDC%20allows%20it.
The code I am looking at does not have a GSSAPI implementation. Is there an alternative to a GSSAPI implementation to implement constrained delegation using Linux MIT libraries?
Seshan
From: Simo Sorce <simo@redhat.com>
Date: Wednesday, September 6, 2023 at 3:09 PM
To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, Sam Hartman <hartmans@debian.org>, krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
Are you trying to forward TGTs from Windows clients to a Linux server?
A) You shouldn't
B) I am not aware of any implementation of Credential Guard that will
allow that.
If you just need to impersonate users for some specific task there is
constrained delegation, which is better than forwarding around
credentials critical for security, and allows the KDC (i.e. central
administration) to properly control and authorize it.
HTH,
Simo.
On Wed, 2023-09-06 at 21:05 +0000, Seshan Parameswaran wrote:
> Hi Sam
> Let me make it clear.
>
> I am using Linux Server / MIT Libraries for server and Windows Client. Microsoft Active Directory as KDC Host.
>
> Scenario – 1
> Credential cache stored with MSLSA – AllowTGTSessionKey (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry setting can be used to allow the Linux Kerberos MIT library to retrieve credential cache from KDC Host for forwardable TGTs.
>
> Scenario-2
>
> Credential cache stored with Windows Credential Guard - Do not know of any solution that allows Linux Kerberos MIT library to retrieve cache from the Windows Credential Guard as it uses signed certificates. Looking for a solution.
>
> Hope that helps.
>
> Seshan
>
> From: Sam Hartman <hartmans@debian.org>
> Date: Wednesday, September 6, 2023 at 1:58 PM
> To: Seshan Parameswaran <seshan.parameswaran@oracle.com>, krbdev@mit.edu <krbdev@mit.edu>
> Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
> >>>>> "Seshan" == Seshan Parameswaran <seshan.parameswaran@oracle.com> writes:
>
> Seshan> I am running on Oracle Enterprise Linux and using MIT
> Seshan> libraries. I am aware of the AllowTgtSessionKey Registry
> Seshan> setting parameter that works when MSLSA is used without the
> Seshan> Credential Guard. My query is specific to MSLSA used with
> Seshan> Windows Credential Guard.
>
> Your question doesn't make sense.
> MSLSA is not a Linux thing:
> MS -> Microsoft
> LSA -> local security authority
>
> The LSA exists on Windows systems.
> If you are not on a Windows system, you don't have one.
>
> It may be that you want to be asking about credential guard and Linux.
> But involving MSLSA or LSA in the discussion only confuses everyone.
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev