I’m struggling with a Windows application which uses MIT Kerberos for authentication.

If a user logs on to Windows with a domain user account, klist shows that he gets the expected tickets from the AD, including this one:

#1>     Client: jalf @ TESTREALM.COM
        Server: krbtgt/TESTREALM.COM @ TESTREALM.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/12/2012 9:46:27 (local)
        End Time:   1/12/2012 19:46:27 (local)
        Renew Time: 1/19/2012 9:46:27 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

However, when we try to use this ticket in our application, the Kerberos library does not seem to find that one.

Here’s a simplified version of the relevant code:

// Open the MSLSA cache
krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache);
// Create a cursor for traversing the cache
krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor);
// Check all the credentials in the cache
while (!(code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds)))  {
    // Find the one with the INITIAL flag set
    if ( creds.ticket_flags & TKT_FLG_INITIAL ) {
        // ticket found
        krb5_free_cred_contents(kcontext, &creds);
        break;
    }
    krb5_free_cred_contents(kcontext, &creds);
}

krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);

But for whatever reason, we never enter the // ticket found part.
Running the code in the debugger, I can see that it finds several of the other tickets shown by klist, but for some reason it never finds the one we’re interested in.

Can anyone explain this behavior, or how to get around it? Naively, I’d expect the output from klist to match the results of iterating over the cache with krb5_cc_next_cred.

I’m relatively new to Kerberos, and inherited this code from a coworker who left, so it’s possible that I’m missing some vital fundamental piece of information.