mongodb / winkerberos

A native Kerberos client implementation for Python on Windows
Apache License 2.0

SSPI: InitializeSecurityContext: No credentials are available in the security package #24

Closed neirbowj closed 6 years ago

neirbowj commented 6 years ago

authGSSClientStep raises a GSSError exception with this message: "SSPI: InitializeSecurityContext: No credentials are available in the security package" despite my having a krbtgt in the credential cache as shown in this lightly anonymized terminal snippet.

(venv36) C:\Users\neirbowj>python
Python 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 02:47:15) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import winkerberos as k
>>> res, ctx = k.authGSSClientInit('service/host.example.com')
>>> k.authGSSClientStep(ctx, '')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
winkerberos.GSSError: SSPI: InitializeSecurityContext: No credentials are available in the security package

>>> exit()

(venv36) C:\Users\neirbowj>klist
Ticket cache: API:Initial default ccache
Default principal: neirbowj@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/18 12:01:36  07/31/18 22:01:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/07/18 09:01:35

My environment is Windows 10 Pro 10.0.16299, with Python 3.6.6 (32-bit; also reproducible on 2.7.15), MIT Kerberos for Windows 4.1 (32-bit), and winkerberos 0.7.0.

behackett commented 6 years ago

That klist output looks like it's from MIT krb5. Did you call kinit to get the TGT? If so, WinKerberos uses Microsoft's SSPI, which does not use krb5. If you need to specify credentials for a specific user, you do so using the principal parameter to authGSSClientInit. Call help(winkerberos) in the Python interactive shell for full details.

neirbowj commented 6 years ago

I obtained the krbtgt via the MIT Kerberos UI (kinit equivalent?). My goal is to a) not have to specify the client principal, but to allow the library to select the best available, and b) to work with an SPN and CPN, neither of which is part of a Windows AD. Is there a way to do that with WinKerberos, with or without MIT krb5? An SSPI equivalent of kinit?

If it isn't abundantly clear, I am a relative Windows n00b, so I appreciate any hand-holding you are willing to do.

behackett commented 6 years ago

As I said, WinKerberos is built on top of Microsoft's Security Support Provider Interface (SSPI), not MIT krb5. SSPI doesn't support a credentials cache like krb5, and doesn't have any equivalent to krb5's kinit program. To use a different principal than the Windows logon user you have to pass the credentials using the principal argument.
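The credential-selection point behackett makes above, as an added example that is not part of the winkerberos project's own code: a client-side step loop that passes `principal` to `authGSSClientInit` when a user other than the Windows logon session should be used, and falls back to the logon session otherwise. It uses winkerberos's PyKerberos-style calls (`authGSSClientStep`, `authGSSClientResponse`, `authGSSClientUserName`, `authGSSClientClean` and the `AUTH_GSS_CONTINUE` / `AUTH_GSS_COMPLETE` constants); the `exchange` transport callback and the `kerberos_module` injection point are assumptions of this example, and any extra keyword arguments should be checked against `help(winkerberos)` for the installed version, as the comment suggests.

```python
# Added example (not winkerberos project code): run the SSPI client handshake
# with winkerberos, choosing explicitly which credentials SSPI should use.
from typing import Callable, Optional

# Hypothetical transport: sends a base64 token to the server and returns the
# server's base64 reply ('' when the server has nothing more to send).
Exchange = Callable[[str], str]

MAX_ROUNDS = 5  # Kerberos needs one or two legs; more means a broken peer


def kerberos_client_auth(service: str, exchange: Exchange,
                         principal: Optional[str] = None,
                         kerberos_module=None, **init_kwargs) -> str:
    """Authenticate the client side of a GSSAPI exchange and return the
    authenticated user name as reported by SSPI.

    service         -- target SPN, e.g. 'service/host.example.com'
    principal       -- 'user@REALM' whose credentials SSPI should use. With
                       None, SSPI uses the Windows logon session; it never
                       consults a MIT krb5 credential cache, which is why the
                       klist output in this issue does not help.
    kerberos_module -- injection point for offline tests; defaults to winkerberos
    init_kwargs     -- further keyword arguments for authGSSClientInit; confirm
                       the supported ones with help(winkerberos)
    """
    kerberos = kerberos_module
    if kerberos is None:
        import winkerberos as kerberos  # Windows-only, so imported lazily

    if principal is not None:
        init_kwargs["principal"] = principal
    result, ctx = kerberos.authGSSClientInit(service, **init_kwargs)
    try:
        # First leg: SSPI builds the AP-REQ from the selected credentials.
        # This is the call that raises "No credentials are available in the
        # security package" when SSPI holds nothing usable for that principal.
        result = kerberos.authGSSClientStep(ctx, "")
        rounds = 1
        while result == kerberos.AUTH_GSS_CONTINUE:
            if rounds >= MAX_ROUNDS:
                raise RuntimeError("GSSAPI negotiation did not converge")
            token = kerberos.authGSSClientResponse(ctx) or ""
            reply = exchange(token)   # server's AP-REP when mutual auth is on
            result = kerberos.authGSSClientStep(ctx, reply)
            rounds += 1
        # Context established; flush any final client token the server expects.
        final_token = kerberos.authGSSClientResponse(ctx)
        if final_token:
            exchange(final_token)
        return kerberos.authGSSClientUserName(ctx)
    finally:
        kerberos.authGSSClientClean(ctx)  # always release the SSPI handles
```

Leaving `principal` unset reproduces the reporter's situation: SSPI looks only at the logon session, so a ticket obtained with MIT kinit is invisible to it. Passing `principal="user@EXAMPLE.COM"` (plus whatever credential arguments the installed version documents) is the supported way to select another identity.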

behackett commented 6 years ago

Note that, though WinKerberos is written using SSPI, it fully supports authenticating to a krb5 KDC and authenticating to a service that uses krb5. It also supports almost all of the client-side features of PyKerberos. How multiple user credentials are handled is one major structural difference between SSPI and krb5 that I can't hide or work around.

neirbowj commented 6 years ago

Understood. Thank you for taking the time to elaborate.

antoniivanov commented 4 years ago

Can I connect to a third-party KDC using winkerberos? Since it's not relying on MIT Kerberos, I cannot use krb5.conf to specify the location of the KDC. How can I do it?

behackett commented 4 years ago

Yes. I test WinKerberos against a krb5 KDC, not Active Directory. For my test environment I configure the KDC by editing the registry. You have to add a new entry under HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains\<your domain> with a Multi-String Value called "KdcNames" containing the hostname of the KDC.

There may be some way to do this without directly editing the registry, but I'm not enough of an expert on Windows domain management to know how to do it.
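The registry change behackett describes, as an added example that is not part of the winkerberos project's own code: it writes the `KdcNames` REG_MULTI_SZ value under `Kerberos\Domains\<REALM>` for the active control set (`CurrentControlSet` is the registry alias for the active set, which is `ControlSet001` on most machines, the path named in the comment). The function names, the dry-run mode and the sample realm and host names are this example's own; `winreg` is the standard-library module and is imported lazily because it exists only on Windows.

```python
# Added example (not winkerberos project code): point the Windows Kerberos SSP
# at a non-AD (e.g. MIT krb5) KDC by writing the KdcNames value for a realm.
from typing import List, Tuple

# CurrentControlSet is the alias for the active control set (ControlSet001 on
# most machines, which is the path named in the comment above).
KERBEROS_DOMAINS = r"SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains"
VALUE_NAME = "KdcNames"


def kdc_names_key_path(realm: str) -> str:
    """Return the HKLM-relative subkey that holds KdcNames for a realm."""
    realm = realm.strip()
    if not realm or "\\" in realm or "@" in realm:
        raise ValueError("realm must be a bare Kerberos realm name, e.g. EXAMPLE.COM")
    # Realm names are conventionally upper case; registry key names are
    # case-insensitive, so normalising keeps exactly one key per realm.
    return KERBEROS_DOMAINS + "\\" + realm.upper()


def merge_kdc_names(existing: List[str], new: List[str]) -> List[str]:
    """Append new KDC host names to the existing list, keeping order and
    dropping empty entries and case-insensitive duplicates."""
    merged: List[str] = []
    seen = set()
    for host in list(existing) + list(new):
        host = host.strip()
        if host and host.lower() not in seen:
            seen.add(host.lower())
            merged.append(host)
    return merged


def set_kdc_names(realm: str, kdcs: List[str],
                  dry_run: bool = False) -> Tuple[str, List[str]]:
    """Merge kdcs into HKLM\\...\\Domains\\<REALM>\\KdcNames (REG_MULTI_SZ).

    Writing HKLM needs an elevated (administrator) process. With dry_run=True
    nothing is written; the planned (key path, value list) is returned so the
    change can be reviewed first.
    """
    path = kdc_names_key_path(realm)
    if dry_run:
        return path, merge_kdc_names([], kdcs)

    import winreg  # Windows-only standard-library module, imported lazily
    key = winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, path, 0,
                             winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE)
    try:
        try:
            current, kind = winreg.QueryValueEx(key, VALUE_NAME)
            existing = list(current) if kind == winreg.REG_MULTI_SZ else []
        except FileNotFoundError:  # value not present yet
            existing = []
        values = merge_kdc_names(existing, kdcs)
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, values)
    finally:
        winreg.CloseKey(key)
    return path, values


if __name__ == "__main__":
    # Constructed sample realm and KDC names; drop dry_run (in an elevated
    # shell) to apply the change for real.
    print(set_kdc_names("example.com",
                        ["kdc1.example.com", "kdc2.example.com"], dry_run=True))
```

Windows also ships a built-in tool for exactly this setting: `ksetup /addkdc EXAMPLE.COM kdc1.example.com` populates the same `KdcNames` value, and running `ksetup` with no arguments lists the realms and KDCs currently configured, which is a quick way to verify the change before testing `authGSSClientInit` against the non-AD realm.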