shoin
Lapis Lazuli | Level 10

SAS 9.4 M8 WIN 2022 server ACCESS/Hadoop

 

There is an article by the Guru Stuart Rogers re. Hadoop Deployment - Kerberos, and I am looking for some further clarifications:

1. For a WIN environment, if a separate MIT KDC setup is not an option, will the WIN registry update ("REG_DWORD key AllowTgtSessionKey registry key") still work?

2. There is a script SAS provides (SAS TS) for Linux that could be placed in WorkspaceServer_usermods.sh, where the TGT is searched for the user that started the session. Should that be done for the SAS WIN-based workspace server too?

3. There is a requirement for the Java Unlimited Strength policy files. With SAS using the Zulu (Azul) JRE, does anyone know the download URL, or is it now packaged automatically with the new SAS-bundled JREs?

 

Thank you in advance,

 

S

 

gwootton
SAS Super FREQ
Here's the relevant documentation on this:

Configuring Client Machines to Use Integrated Windows Authentication
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1ocmfw9o3fbmhn1p3jb4y5py6ci.htm#n0r9447nh...

This has a link to the cryptographic extensions and discusses the registry key. You would not need to set up a script to search for your TGT in Windows as the key is stored in memory.
--
Greg Wootton | Principal Systems Technical Support Engineer
shoin
Lapis Lazuli | Level 10
Aha, I was hoping you would reply 🙂. We are not opting for the MIT KDC setup; instead we are going the route of updating the WIN registry, per Stuart's article (M2). I was looking at Cloudera's JDBC Hive driver and its manual; even they mention setting up a separate MIT KDC and getting a file-based ticket and KRB5CCNAME setup. Is there a way to figure out how to get the memory value just so the ticket could be validated? Like something one could put in KRB5CCNAME? Since I have your attention, por favor, I was unclear whether I needed to set the JAAS config if I am going with the memory setup?

Much thanks for your input and time!
gwootton
SAS Super FREQ
Is this the article from Stuart Rogers you're referencing?

SAS® 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop
https://support.sas.com/resources/papers/proceedings18/1878-2018.pdf

The "MICROSOFT WINDOWS CHALLENGES" section I believe is what we're referencing.

I don't think you need to set anything in KRB5CCNAME, this is all handled by the Windows kerberos libraries.

I believe the configuration of IWA using jaas.config would be the same.

From the document, the registry key setting is what lets the Java process spawned by the Workspace Server access the in-memory token when it does not use the GSS-API.

From this documentation from Microsoft, the AllowTgtSessionKey registry entry is not enabled if UAC is turned on, which seems to be a progression from what Stuart described in his paper:

"With active Credential Guard in Windows 10 and later versions of Windows, you can't enable sharing the TGT session keys with applications anymore."
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-reg...

Microsoft Windows Defender Credential Guard
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1b9dyri8d3laxn1vam7bhew73cu.htm



--
Greg Wootton | Principal Systems Technical Support Engineer
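As an added example, not from this thread and not SAS or Microsoft code: a PowerShell check for the two conditions the reply above ties together, whether AllowTgtSessionKey is set and whether Credential Guard is running, since together they decide if the Java process spawned by the Workspace Server can read the TGT session key. The registry path is the documented Windows location for the value and the Win32_DeviceGuard query is the documented way to read Credential Guard state; neither appears in the thread, so they are assumptions here.

```powershell
# Added check script (not from the thread, not SAS or Microsoft code).
# Run in an elevated PowerShell on the SAS Workspace Server host.

# Documented location of the AllowTgtSessionKey Kerberos parameter (assumed here, not from the thread).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'AllowTgtSessionKey'

function Get-TgtSessionKeySetting {
    # Returns the DWORD value, or 0 when it is absent (absent means "do not share the session key").
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return $false }   # class missing: no Device Guard support on this host
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

$allow = Get-TgtSessionKeySetting
$cg    = Test-CredentialGuardRunning

"{0} = {1}" -f $valueName, $allow
"Credential Guard running: $cg"

if ($allow -ne 1) {
    Write-Warning "AllowTgtSessionKey is not 1: Java started by the Workspace Server cannot read the TGT session key from LSA."
} elseif ($cg) {
    Write-Warning "Credential Guard is running: the TGT session key is withheld even though AllowTgtSessionKey is set."
} else {
    "TGT session key sharing is enabled and not blocked by Credential Guard."
}

# Confirm the logged-on user actually holds a TGT in the LSA cache (Windows klist, not the JRE's klist).
klist tgt
```

The JRE's own klist in the SAS private JRE bin directory reads a file credential cache by default, which is why it can report "not found" while the Windows klist above shows a ticket.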
shoin
Lapis Lazuli | Level 10

Much thanks, I think at this stage I am attempting to set Kerberos outbound only.
1. Asked for unconstrained trusted for delegation
2. Found this link for unlimited JCE https://support.azul.com/hc/en-us/articles/115001122623-Java-Cryptography-Extension-JCE-for-Azul-Zul... It looks like I do not need to download and provide it.
3. Will ask to review the URLs you shared re. WIN-specific issues


Greg, I did run klist on the SAS server and received output; however, when I did that from klist in the SAS private JRE location I received "credentials cache C:\Users\my-id\krb5ccname_my-id not found". I have not enabled desktop IWA yet, nor have I implemented the jaas.config; would that be the issue? I did have AllowTgtSessionKey set.

I do appreciate these insights!

gwootton
SAS Super FREQ
You might need to run kinit from that same path for klist to produce results.
--
Greg Wootton | Principal Systems Technical Support Engineer
