Oracle ODP.NET use of MIT KfW


Oracle ODP.NET use of MIT KfW

Scot McKinley
Hi, at Oracle we have a client DB adapter called ODP.NET Managed and
Core that uses MIT Kerberos for Windows (KfW) in order to use Kerberos
based credentials to authenticate to the DB.

I have a couple of questions in reference to this product's use of KfW:

* The announcement pages for the KfW have quoted support for the exact
same Windows versions for at least 7 years, probably longer. The below
statement has been exactly the same for versions 4.0.1, 4.1 AND the new
4.2beta1. Can we get it updated?

"KfW is supported on Windows Vista (SP2 required), Windows 7, Windows 8,
Windows Server 2003, and Windows Server 2008."

* The Microsoft Credential Guard blocks acquisition of windows domain
based TGTs, thus blocking MSLSA based KfW credential acquisition. Has
this been addressed in 4.2beta1 or are there plans to address it (e.g., by
switching to a SSPI based credential acquisition)?

Thanks,

Scot McKinley
Consulting Member of Technical
ODP.NET Network and Security

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Oracle ODP.NET use of MIT KfW

Greg Hudson
On 7/24/20 4:41 PM, Scot McKinley wrote:
> * The announcement pages for the KfW have quoted support for the exact
> same Windows versions for at least 7 years, probably longer. The below
> statement has been exactly the same for versions 4.0.1, 4.1 AND the new
> 4.2beta1. Can we get it updated?

I've made a note to update it.

> * The Microsoft Credential Guard blocks acquisition of windows domain
> based TGTs, thus blocking MSLSA based KfW credential acquisition. Has
> this been addressed in 4.2beta1 or are there plans to address it (e.g., by
> switching to a SSPI based credential acquisition)?

When using the MSLSA cache, KfW attempts to acquire credentials via the
SSPI (LsaCallAuthenticationPackage with
KERB_RETRIEVE_TICKET_CACHE_TICKET).  For local-realm use, it should not
be necessary to retrieve the TGT.

If Credential Guard is blocking even the obtaining of service tickets by
applications (I'm not clear on whether this is true), then it's
conceivable that libgssapi_krb5 could use the LSA to obtain GSS tokens,
bypassing libkrb5 altogether.  At that point it might be simpler to use
a GSS shim to the Microsoft krb5 implementation, which I believe already
exists.
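The call Greg describes (LsaCallAuthenticationPackage with a KERB_RETRIEVE_TKT_REQUEST) is the piece to exercise when retesting a Credential Guard machine, because his open question is whether only the TGT or also service tickets become unavailable. The following probe is an added example written for this thread; it is not KfW, ODP.NET or MIT code. It asks the LSA Kerberos package for the current session's TGT (empty target name) and, if an SPN is given on the command line, for a service ticket with KERB_RETRIEVE_TICKET_CACHE_TICKET, then reports whether each answer contained an encoded ticket and a session key. The names `classify_result`, `retrieve_ticket` and `outcome_name`, and the choice of SPN, are this example's own; it makes no claim about what Credential Guard returns, which is exactly what running it would establish. The Win32 part is compiled only under `_WIN32`; the result-classification helper is portable.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one ticket-retrieval attempt against the LSA Kerberos package. */
enum probe_outcome {
    PROBE_CALL_FAILED,     /* LsaCallAuthenticationPackage itself failed (NTSTATUS < 0) */
    PROBE_PKG_REJECTED,    /* call returned, but the Kerberos package reported an error */
    PROBE_NO_TICKET,       /* success status, but no encoded ticket bytes came back */
    PROBE_TICKET_NO_KEY,   /* ticket bytes without a session key: useless to a krb5 ccache */
    PROBE_TICKET_WITH_KEY  /* ticket and session key: what MSLSA-style import needs */
};

/* Portable interpretation of the two NTSTATUS values and the response sizes.
 * NT_SUCCESS(status) is simply status >= 0. (Helper name is this example's own.) */
enum probe_outcome classify_result(long call_status, long protocol_status,
                                   unsigned long ticket_len, unsigned long key_len)
{
    if (call_status < 0)     return PROBE_CALL_FAILED;
    if (protocol_status < 0) return PROBE_PKG_REJECTED;
    if (ticket_len == 0)     return PROBE_NO_TICKET;
    if (key_len == 0)        return PROBE_TICKET_NO_KEY;
    return PROBE_TICKET_WITH_KEY;
}

const char *outcome_name(enum probe_outcome o)
{
    static const char *names[] = { "call failed", "package rejected request",
        "no ticket returned", "ticket without session key", "ticket with session key" };
    return names[o];
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* KERB_RETRIEVE_TKT_REQUEST, LsaCallAuthenticationPackage */
#include <wchar.h>
#include <stdlib.h>

/* target == NULL asks for the logon session's TGT; otherwise a service ticket for
 * that SPN, answered from the LSA ticket cache (KERB_RETRIEVE_TICKET_CACHE_TICKET). */
static enum probe_outcome retrieve_ticket(HANDLE lsa, ULONG pkg, const wchar_t *target)
{
    size_t name_bytes = target ? wcslen(target) * sizeof(wchar_t) : 0;
    ULONG req_size = (ULONG)(sizeof(KERB_RETRIEVE_TKT_REQUEST) + name_bytes);
    /* The name must live inside the request buffer: LSA copies exactly req_size bytes.
     * LPTR zero-fills, so LogonId (= current session) and CredentialsHandle stay zero. */
    KERB_RETRIEVE_TKT_REQUEST *req = (KERB_RETRIEVE_TKT_REQUEST *)LocalAlloc(LPTR, req_size);
    if (req == NULL)
        return PROBE_CALL_FAILED;
    req->MessageType = KerbRetrieveEncodedTicketMessage;
    if (target != NULL) {
        wchar_t *name = (wchar_t *)(req + 1);
        memcpy(name, target, name_bytes);
        req->TargetName.Buffer = name;
        req->TargetName.Length = (USHORT)name_bytes;
        req->TargetName.MaximumLength = (USHORT)name_bytes;
        req->CacheOptions = KERB_RETRIEVE_TICKET_CACHE_TICKET;
    } else {
        req->CacheOptions = KERB_RETRIEVE_TICKET_DEFAULT;   /* empty target = TGT */
    }

    KERB_RETRIEVE_TKT_RESPONSE *resp = NULL;
    ULONG resp_size = 0, ticket_len = 0, key_len = 0;
    NTSTATUS proto = 0;
    NTSTATUS st = LsaCallAuthenticationPackage(lsa, pkg, req, req_size,
                                               (PVOID *)&resp, &resp_size, &proto);
    if (st >= 0 && proto >= 0 && resp != NULL) {
        ticket_len = resp->Ticket.EncodedTicketSize;
        key_len = resp->Ticket.SessionKey.Length;
        printf("  encoded ticket %lu bytes, session key %lu bytes (etype %ld)\n",
               (unsigned long)ticket_len, (unsigned long)key_len, (long)resp->Ticket.SessionKey.KeyType);
    } else {
        printf("  status 0x%08lx, protocol status 0x%08lx\n", (unsigned long)st, (unsigned long)proto);
    }
    enum probe_outcome out = classify_result(st, proto, ticket_len, key_len);
    if (resp != NULL)
        LsaFreeReturnBuffer(resp);
    LocalFree(req);
    return out;
}

int main(int argc, char **argv)
{
    HANDLE lsa;
    if (LsaConnectUntrusted(&lsa) < 0) {            /* own session: no SeTcbPrivilege needed */
        fprintf(stderr, "LsaConnectUntrusted failed\n");
        return 1;
    }
    LSA_STRING pkg_name;
    pkg_name.Buffer = MICROSOFT_KERBEROS_NAME_A;    /* "Kerberos" */
    pkg_name.Length = (USHORT)strlen(MICROSOFT_KERBEROS_NAME_A);
    pkg_name.MaximumLength = pkg_name.Length + 1;
    ULONG pkg;
    if (LsaLookupAuthenticationPackage(lsa, &pkg_name, &pkg) < 0) {
        fprintf(stderr, "Kerberos package not found\n");
        LsaDeregisterLogonProcess(lsa);
        return 1;
    }
    printf("TGT of current logon session:\n  -> %s\n", outcome_name(retrieve_ticket(lsa, pkg, NULL)));
    if (argc > 1) {                                  /* e.g. an SPN such as MSSQLSvc/host.example.com */
        wchar_t spn[256];
        size_t n = mbstowcs(spn, argv[1], 255);
        if (n == (size_t)-1) { fprintf(stderr, "bad SPN\n"); LsaDeregisterLogonProcess(lsa); return 1; }
        spn[n] = L'\0';                              /* mbstowcs leaves no terminator when full */
        printf("Service ticket for %s:\n  -> %s\n", argv[1], outcome_name(retrieve_ticket(lsa, pkg, spn)));
    }
    LsaDeregisterLogonProcess(lsa);
    return 0;
}
#else
int main(void) { puts("This probe talks to the Windows LSA; build and run it on Windows."); return 0; }
#endif
```

Build on Windows with `cl /W4 lsaprobe.c secur32.lib` (or `gcc lsaprobe.c -lsecur32`) and run it once with Credential Guard off and once with it on, as a domain user with a fresh logon. The two lines of output per run are the data point the thread is missing: a TGT answer of "ticket without session key" or "package rejected request" next to a service-ticket answer of "ticket with session key" would mean local-realm MSLSA use can survive on service tickets alone, as Greg suggests; a rejected service ticket would point at the GSS-over-LSA route he sketches instead.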

Re: Oracle ODP.NET use of MIT KfW

Scot McKinley
Hi, thanks for the info Greg!

We are in the process of retesting the Credential Guard issue, and
will let you know shortly what we see.

Thanks, Scot

On 7/24/2020 2:46 PM, Greg Hudson wrote:

> On 7/24/20 4:41 PM, Scot McKinley wrote:
>> * The announcement pages for the KfW have quoted support for the exact
>> same Windows versions for at least 7 years, probably longer. The below
>> statement has been exactly the same for versions 4.0.1, 4.1 AND the new
>> 4.2beta1. Can we get it updated?
> I've made a note to update it.
>
>> * The Microsoft Credential Guard blocks acquisition of windows domain
>> based TGTs, thus blocking MSLSA based KfW credential acquisition. Has
>> this been addressed in 4.2beta1 or are there plans to address it (e.g., by
>> switching to a SSPI based credential acquisition)?
> When using the MSLSA cache, KfW attempts to acquire credentials via the
> SSPI (LsaCallAuthenticationPackage with
> KERB_RETRIEVE_TICKET_CACHE_TICKET).  For local-realm use, it should not
> be necessary to retrieve the TGT.
>
> If Credential Guard is blocking even the obtaining of service tickets by
> applications (I'm not clear on whether this is true), then it's
> conceivable that libgssapi_krb5 could use the LSA to obtain GSS tokens,
> bypassing libkrb5 altogether.  At that point it might be simpler to use
> a GSS shim to the Microsoft krb5 implementation, which I believe already
> exists.