Ticket History #9127: Behavior of API krb5_get

Subject:	Behavior of API krb5_get_credentials vary
To:	"krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
From:	"Dipen Patel" <Dipen.Patel@ibm.com>
CC:	"Samir Sayyed" <ssayyed@us.ibm.com>
Date:	Fri, 7 Jun 2024 06:28:06 +0000

Download (untitled) / with headers
text/plain 1KiB

Download (untitled) / with headers
text/html 5KiB

On Windows 11,If credential guard is on and Kerberos credential cache is stored in MSLSA then behavior of API krb5_get_credentials vary

Scenario1: credential guard value as below

result of powershell command

PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
2
PS C:\Users\DipenPatel>

For this scenario API krb5_get_credentials with kerberos credential cache returns '0' as expected.

Scenario2: credential guard value as below

result of powershell command

PS C:\Users\DipenPatel> (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
1
PS C:\Users\DipenPatel>

For this scenario API krb5_get_credentials with kerberos credential cache returns '1'. with error 'KRB5_CC_NOTFOUND'

NOTE:- Windows document link to Verify if Credential Guard is enabled as below.

"https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg"

Ticket History #9127: Behavior of API krb5_get_credentials vary