On Tue, Oct 16, 2018 at 09:40:42AM +0200, Pierre Dehaen wrote:
> Hello list,
>
> Configuration:
> - Windows are clients of an AD
> - Kfw 4.1 is used to acquire tickets from another realm
> - Clients use tickets through Firefox to access apache applications
> - All working well
>
> In the Kfw GUI, next to the TGT of the additional realm, we see the TGT of
> the AD. The former shows API: as credential cache, while the latter shows
> MSLSA:, all good.
>
> According to
> <https://mailman.mit.edu/pipermail/kerberos/2015-April/020637.html>: Once
> you have a ticket, the "make default" button will set the registry entry for
> you.
>
> That is the problem: once a user has clicked "Make default" while the AD
> ticket was by chance selected, only one TGT can be acquired at a time, each
> Get Ticket overwrites all existing tickets.
>
> Okay, I can fix this in the registry... but users can't, that's too
> difficult/risky, and I don't find a way to revert to the default credential
> cache from the GUI. Even the "Make default" trick does not work anymore as
> all tickets are MSLSA tickets.
>
> Any advice?

Sadly, this is a "patches welcome" moment -- the issue has been known for
several years but has not been a development priority.

The best workaround would be to clear the registry entry (and presumably
you could prepare a script/standalone tool to clear this specific registry
key, that would be safe for exposure to end users).

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos