Tags: kerberos, impersonation, delegation, kerberos-delegation, mit-kerberos

Kerberos double-hop issue


So, for the past week I have been trying to do something about this Kerberos issue.

Long story short, we have a server that identifies an incoming user to do some work. Recently, we needed to upload some of the results, so the user is now delegated so that it can authorize on another server. The problem is that on the next day, after the logon, the server can't delegate the same user. It fails with a krb5_cc_notfound error while forming the AP_REQ message.

If I try to iterate over the cache, it fails at krb5_cc_start_seq_get with the same error.

If I try to get some other ticket (on the day after a successful logon), it fails at krb5_get_credentials, and on further attempts (I guess the cache becomes invalid? If it even was valid at this point) it could not resolve the default principal.

The cache type is MSLSA.

Every time after all the failures, in the event log I can see a Kerberos warning followed by an error. The first says something like 'TGT was expired, an attempt to renew was made and failed', and the other one is KRB_AP_ERR_TKT_EXPIRED.

We have so little experience with Kerberos in our room, so if you could share some of yours, it would be cool.


Solution

  • It was a bug in a third-party library. It basically stored the Windows logon handle for eternity.