
Can I automatically cache AD tickets into a file on windows?


Mauro Cazzari

Nov 18, 2016, 10:39:36 AM
to Kerb...@mit.edu
Kerberos experts,
Is there a way to automatically cache AD-generated tickets to the file provided through the KRB5CCNAME environment variable on Windows without having to run a kinit? My understanding is that Windows caches tickets in memory (whereas Unix does the same on file). Do I need to install MIT Kerberos, or (ideally) can I just use the copy of Kerberos that comes with Windows to achieve my goal?
Thanks!
Mauro.

Todd Grayson

Nov 18, 2016, 11:34:25 AM
to Mauro Cazzari, kerb...@mit.edu
From what I understand, the windows SSPI implementation does not provide a
facility to hold the credentials in a file. You would use the MIT KFW to
be able to do that.


--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Todd Grayson

Nov 18, 2016, 12:43:59 PM
to Mauro Cazzari, kerb...@mit.edu
You might be able to do some sort of powershell script? I don't think the
KFW has a startup context to it. The thing is you would need to pass
credentials in somehow which starts to weaken the integrity of the security
model once you start caching passwords/keytabs. We should know, Hadoop is
the poster child of poor credential handling (and a ton of work is going
into cleaning that all up).

On Friday, November 18, 2016, Mauro Cazzari <Mauro....@sas.com> wrote:

> One more thing: if MIT Kerberos is installed, is there a way to populate
> the KRB5CCNAME cache file automatically when I log on to Windows without
> having to use a keytab or having to run a kinit under the covers?

Benjamin Kaduk

Nov 20, 2016, 4:13:20 PM
to Mauro Cazzari, kerb...@mit.edu
On Fri, Nov 18, 2016 at 04:51:03PM +0000, Mauro Cazzari wrote:
> One more thing: if MIT Kerberos is installed, is there a way to populate the KRB5CCNAME cache file automatically when I log on to Windows without having to use a keytab or having to run a kinit under the covers?

MIT KfW does include a utility "ms2mit.exe" that attempts to export kerberos
credentials from the Windows LSA to a KfW credentials cache (which by default
will be an API: cache but can be configured to be a FILE: cache). However,
those attempts will fail in some situations, such as when the user is a
local administrator, on recent versions of Windows. Some sites have run
ms2mit during the login process to get that sort of behavior; however, in
the KfW 4.1 series, the LSA: support is improved and it may be feasible
to just use the LSA: cache directly.

-Ben
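The approach Ben describes, exporting the tickets the Windows LSA already holds into a KfW FILE: cache with ms2mit.exe at logon, as an added example that is not from this thread or from the MIT KfW project. It assumes KfW is installed under its default path (C:\Program Files\MIT\Kerberos\bin), that ms2mit.exe with no arguments writes to the cache named by KRB5CCNAME, and that "LSA:" is the cache name for the in-memory LSA cache on KfW 4.1 and later; the cache file location is a choice made here. Because a file-based cache is readable by anything that can read the file, the script restricts the file's ACL to the current user before populating it, and it reports rather than retries when the export fails (the local-administrator case Ben mentions), leaving KRB5CCNAME pointing at the LSA: cache instead.

```powershell
# Added example (not the project's own code): per-user logon script that copies
# the LSA tickets for this session into a KfW FILE: cache via ms2mit.exe.
# Assumptions: default KfW install path; ms2mit.exe honors KRB5CCNAME with no
# arguments; "LSA:" names the LSA cache on KfW 4.1+. No password or keytab is used.

$KfwBin    = 'C:\Program Files\MIT\Kerberos\bin'        # assumed default KfW install dir
$Ms2Mit    = Join-Path $KfwBin 'ms2mit.exe'
$Klist     = Join-Path $KfwBin 'klist.exe'
$CacheFile = Join-Path $env:LOCALAPPDATA 'krb5cc_mit'   # cache location chosen for this example

if (-not (Test-Path $Ms2Mit)) {
    Write-Error "ms2mit.exe not found at $Ms2Mit; is MIT Kerberos for Windows installed?"
    exit 1
}

# Point KfW at a FILE: cache. The User-scope setting persists for processes this
# account starts later; the process-scope copy covers the rest of this script.
$CacheSpec = "FILE:$CacheFile"
[Environment]::SetEnvironmentVariable('KRB5CCNAME', $CacheSpec, 'User')
$env:KRB5CCNAME = $CacheSpec

# Pre-create the cache file and grant access to the current user only, dropping
# inherited ACEs, so other local accounts cannot read the exported tickets.
if (-not (Test-Path $CacheFile)) { New-Item -ItemType File -Path $CacheFile | Out-Null }
& icacls $CacheFile /inheritance:r /grant:r "$env:USERDOMAIN\$($env:USERNAME):(F)" | Out-Null

# ms2mit copies the tickets the LSA already holds for this logon into the cache
# named by KRB5CCNAME (assumption: it needs no arguments for that).
& $Ms2Mit
if ($LASTEXITCODE -ne 0) {
    # The export is known to fail in some situations (for example for local
    # administrators on recent Windows). Report the condition with the admin
    # status for the helpdesk, and fall back to the LSA: cache (assumed name)
    # so KfW 4.1+ tools can still use the in-memory tickets directly.
    $IsAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Warning "ms2mit.exe exited with $LASTEXITCODE (running as local admin: $IsAdmin); using LSA: cache."
    [Environment]::SetEnvironmentVariable('KRB5CCNAME', 'LSA:', 'User')
    $env:KRB5CCNAME = 'LSA:'
    exit $LASTEXITCODE
}

# Verify with the KfW klist (not the Windows built-in klist) that the file cache
# now holds the exported tickets.
& $Klist -c $CacheSpec
```

Run it as the logging-on user (for instance from a per-user logon task), not elevated: the ACL step and ms2mit both act on behalf of the interactive account, and an elevated run is exactly the case where the export tends to fail.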

Mauro Cazzari

Nov 20, 2016, 9:50:18 PM
to Benjamin Kaduk, kerb...@mit.edu
Perfect! I'll give it a shot to see if it works in my case.
Thanks!