Re: Is fix for 818173 present in win-xp sp2?




Hi Jeffrey,
Thanks for your reply.

I will get back to you after going through each of your suggestions
and checking them.

Thanks,
Henin.

Jeffrey Tan[MSFT] wrote:

Hi Henin,

Sorry for keeping you waiting.

Yes, another of our Kerberos developers confirmed that SP2 actually contains the fix for 818173.

If InitializeSecurityContext() fails with SEC_E_NO_CREDENTIALS, it means either there are no credentials associated with the caller's logon session or the Kerberos package is not able to get a new/renewed Kerberos TGT.

If the client application is running under the security context of the logged-on user on the XP SP2 machine and is using the credentials associated with the calling thread/process (i.e. if the application is not supplying credentials in AcquireCredentialsHandle), does the InitializeSecurityContext() failure get resolved if the user locks and unlocks their PC? Unlocking the PC with the correct password will get a new Kerberos Ticket Granting Ticket (TGT) for the current logon session.

Also, please make sure that there are no bogus credentials in Credential Manager for the target specified in InitializeSecurityContext(). This is highly unlikely as the behavior will be consistent if this is the problem. You can check by doing Start/Run and type in "rundll32.exe keymgr.dll, KRShowKeyMgr" on Windows XP or above (Windows Server 2003) to remove the managed passwords manually.

There are a few regressions I found in the XP SP2 5.1.2600.2698 kerberos.dll version. The fix in Q906681 fixes the problem where InitializeSecurityContext() fails with SEC_E_NO_CREDENTIALS right around when the Kerberos TGT expires.

If you are still having problems with the Q906681 hotfix installed (which is highly unlikely, as the Q906681 fix has been robust in production so far), in order to track down the Kerberos authentication activity during the failure, you can enable Kerberos logging as below on a Windows XP SP2 machine (where you can consistently reproduce the symptom).

These are the registry settings to enable Kerberos logging on XP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
"KerbDebugLevel"=dword:00000003
"LogToFile"=dword:1

The log file will be located at %WINDIR%\system32\lsass.log.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



