I'm looking for a WINAPI to add a new Kerberos item to the Windows internal ticket store so they can be used in authenticating against web applications (the tickets are forwarded to the service server on top of an HTTP request).
I'd like to offload the whole authentication process to a proprietary component and not rely on the OS Kerberos implementation, and get the following items:
I'd like to set these 2 items where the OS keeps these items to be used when communicating with the resource itself.
Also, the resource returns another item for additional requests from the client, which is the timestamp found in the client's Authenticator encrypted using the Client/Server Session Key.
Is there an API I can use to inject those items to where the OS keeps the Kerberos items so it can use them when it accesses the resource itself?
Here's an image to illustrate my case:
Thanks for the help!
It seems that no, there isn't. (And in modern Windows versions, such an API would also be incompatible with Credential Guard when that's active.)
There is the LSA "authentication package" API that klist.exe uses to read or purge tickets – and which MIT Kerberos uses to implement its MSLSA: credential cache type – but the comments in the MIT Krb5 code indicate that there is no function to manually insert custom TGTs nor custom service tickets.
Take a look at the existing MIT Krb5 implementation at https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_mslsa.c – specifically the comment above krb5_lcc_store().
It might be easier to use a web browser that would directly use MIT Kerberos gssapi.dll instead of Windows SSPI… though at that point I don't really see much of a reason to use Kerberos at all. Honestly, I have questions about the whole premise of your operation.
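As an added example (not code from the question, the answer, or MIT Krb5), the following C program shows the read side of the LSA authentication-package API the answer refers to: it enumerates the caller's own Kerberos ticket cache with `KerbQueryTicketCacheMessage`, the same message klist.exe uses, and decodes the ticket flags and expiry the way an administrator would read them. It assumes a Windows SDK (`ntsecapi.h`, `secur32.lib`) and an existing logon session; the LSA call itself is wrapped in `#ifdef _WIN32` so the portable helpers also compile elsewhere. Note what is absent: there is no message type for storing a ticket, which is the limitation the answer describes.

```c
/* Added example: list the current logon session's Kerberos tickets via the LSA
 * authentication-package API (read/query only, there is no "store" message). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Ticket flag bits as laid out in RFC 4120 (bit 0 is the most significant bit). */
#define TKT_FORWARDABLE    0x40000000u
#define TKT_FORWARDED      0x20000000u
#define TKT_RENEWABLE      0x00800000u
#define TKT_INITIAL        0x00400000u
#define TKT_PRE_AUTHENT    0x00200000u
#define TKT_OK_AS_DELEGATE 0x00040000u

/* Render the flag word as the names klist prints. Uses a static buffer for
 * simplicity (not thread-safe), so copy the result if you keep it. */
const char *describe_ticket_flags(uint32_t flags)
{
    static const struct { uint32_t bit; const char *name; } names[] = {
        { TKT_FORWARDABLE, "forwardable" }, { TKT_FORWARDED, "forwarded" },
        { TKT_RENEWABLE, "renewable" },     { TKT_INITIAL, "initial" },
        { TKT_PRE_AUTHENT, "pre_authent" }, { TKT_OK_AS_DELEGATE, "ok_as_delegate" },
    };
    static char buf[96];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (flags & names[i].bit) {
            if (buf[0]) strncat(buf, " ", sizeof buf - strlen(buf) - 1);
            strncat(buf, names[i].name, sizeof buf - strlen(buf) - 1);
        }
    }
    return buf;
}

/* LSA reports times as 100 ns ticks since 1601-01-01; convert to Unix seconds. */
int64_t lsa_time_to_unix(int64_t ticks)
{
    return ticks / 10000000LL - 11644473600LL;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#pragma comment(lib, "secur32.lib")

/* Query the ticket cache of the calling thread's logon session.
 * Returns the number of tickets printed, or -1 on error. */
int list_kerberos_tickets(void)
{
    HANDLE lsa = NULL;
    ULONG pkg = 0;
    LSA_STRING name;
    KERB_QUERY_TKT_CACHE_REQUEST req;
    PKERB_QUERY_TKT_CACHE_RESPONSE resp = NULL;
    ULONG resp_len = 0;
    NTSTATUS status, proto_status = 0;
    int count = -1;

    /* An untrusted connection is enough to read the caller's own session cache. */
    if (LsaConnectUntrusted(&lsa) != 0) return -1;

    name.Buffer = MICROSOFT_KERBEROS_NAME_A;          /* "Kerberos" */
    name.Length = (USHORT)strlen(name.Buffer);
    name.MaximumLength = name.Length + 1;
    if (LsaLookupAuthenticationPackage(lsa, &name, &pkg) != 0) goto done;

    ZeroMemory(&req, sizeof req);
    req.MessageType = KerbQueryTicketCacheMessage;    /* LogonId zero = current session */
    status = LsaCallAuthenticationPackage(lsa, pkg, &req, sizeof req,
                                          (PVOID *)&resp, &resp_len, &proto_status);
    if (status != 0 || proto_status != 0 || resp == NULL) goto done;

    count = (int)resp->CountOfTickets;
    for (ULONG i = 0; i < resp->CountOfTickets; i++) {
        KERB_TICKET_CACHE_INFO *t = &resp->Tickets[i];
        /* UNICODE_STRING lengths are in bytes, hence the /2 for %ls precision. */
        printf("%.*ls@%.*ls  etype=%ld  expires(unix)=%lld  flags: %s\n",
               t->ServerName.Length / 2, t->ServerName.Buffer,
               t->RealmName.Length / 2, t->RealmName.Buffer,
               t->EncryptionType,
               (long long)lsa_time_to_unix(t->EndTime.QuadPart),
               describe_ticket_flags(t->TicketFlags));
    }
    LsaFreeReturnBuffer(resp);
done:
    LsaDeregisterLogonProcess(lsa);
    return count;
}
#endif

int main(void)
{
#ifdef _WIN32
    int n = list_kerberos_tickets();
    printf("%d ticket(s)\n", n);
    return n < 0 ? 1 : 0;
#else
    puts("The LSA ticket-cache query only runs on Windows.");
    return 0;
#endif
}
```

Build on Windows with `cl lsa_tickets.c` (the pragma links secur32.lib) and run it in a logged-on session; the output corresponds to `klist`. A purge uses the same call with a `KERB_PURGE_TKT_CACHE_REQUEST`, which is why klist can clear the cache but, as the answer says, neither tool can populate it with externally obtained tickets.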