"key type not supported" and XP SP2 changes ?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Sep 7 11:51:37 EDT 2004


Hi,

As you can see below I am trying to find out if we can implement the
AllowTGTSessionKey registry setting in pre-SP2 versions of XP.

There is no MSGINA replacement involved since the standard XP SP1 gina
is being used to get the tgt. The tgt is obtained successfully, but
since the tgt is used to get a service ticket (in tgs-req) our kerberos
library on XP needs to read the LSA cred cache and it doesn't like the
RC4 key it finds. We therefore need to find an easy way to stop this key
being exported on pre-SP2 versions of XP.

Thanks, Tim. 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at columbia.edu] 
Sent: 07 September 2004 16:12
To: Tim Alsop
Cc: ietf-krb-wg at anl.gov
Subject: Re: "key type not supported" and XP SP2 changes ?

I am confused about two things:

(1) why is this discussion taking place on an IETF mailing list?
     an appropriate place for this discussion would be kerberos at mit.edu
     or one of the Microsoft specific security newsgroups

(2) AllowTGTSessionKey applies to Windows 2003 and XP SP2 (and may
     apply to a future 2000 service pack).  In all other versions of
     Windows, the TGT session key will always be exported upon request.
     Therefore, if you have an RC4 session key in the TGT, then it will
     be exported by default on pre-XP SP2 systems but not in XP SP2.
     Your problem description therefore seems reversed.

I suggest you post this query to kerberos at mit.edu and include a
description of what your MSGINA does to obtain a TGT.

Jeffrey Altman



Tim Alsop wrote:

> Hi,
>  
> After further investigation the reason for this problem has been 
> identified. It is occurring because of AllowTgtSessionKey not being a 
> valid registry setting in XP SP1. Basically the Kerberos library does 
> not recognise RC4 session keys so it gives an error, but if 
> AllowTGTSessionKey is 0 (default on SP2) it does not see a session key
> that it doesn't recognise.
>  
> The customer that this problem relates to is not planning to install 
> SP2 for about 9 months so we need to see if there is a way to 
> implement the AllowTGTSessionKey as a hotfix to SP1 instead of 
> installing SP2. Does anybody know if there is such a fix available ?
>  
> Thanks, Tim.
> 
> ------------------------------------------------------------------------
> *From:* owner-ietf-krb-wg at achilles.ctd.anl.gov
> [mailto:owner-ietf-krb-wg at achilles.ctd.anl.gov] *On Behalf Of *Tim Alsop
> *Sent:* 07 September 2004 12:28
> *To:* ietf-krb-wg at anl.gov
> *Subject:* "key type not supported" and XP SP2 changes ?
> 
> Hi,
> We are using a gss-api library that only supports DES and 3DES - when 
> we initiate a security context using an RC4 tgt issued during MS GINA 
> logon we can obtain a service ticket (using DES-MD5) from AD KDC, but 
> only if Windows XP SP2 is installed. If we remove SP2 and go back to 
> SP1 we get "key type not supported". We are therefore trying to find 
> out what changes were made in SP2 that might cause this to occur ? 
> Does anybody have any ideas ?
> Thanks, Tim
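
An audit check for the behaviour Jeffrey Altman describes above, added here as an example and not code from anyone in this thread. It reports whether the TGT session key can be read from the LSA cache on the local host: on XP SP2 and Server 2003 it reads AllowTgtSessionKey, on older releases it reports that the key is always exported. The registry path is an assumption taken from the documented location of the setting, not from the thread.

```powershell
# Added example: report whether the Kerberos TGT session key is exportable.
# Assumption: AllowTgtSessionKey lives under the documented LSA Kerberos
# Parameters key; the thread itself does not give the path.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TgtSessionKeyExportStatus {
    $os  = [System.Environment]::OSVersion
    $ver = $os.Version
    $sp  = $os.ServicePack

    # Per the thread: only XP SP2 (5.1 + SP2) and Server 2003 (5.2) and
    # later honour the setting; earlier Windows exports the key on request.
    $honoured = ($ver -ge [Version]'5.2') -or
                ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -match 'Service Pack [2-9]')

    if (-not $honoured) {
        return [pscustomobject]@{
            Exported = $true
            Reason   = "Windows $ver $sp ignores AllowTgtSessionKey; key always exported"
        }
    }

    $value = (Get-ItemProperty -Path $paramsKey -Name AllowTgtSessionKey `
              -ErrorAction SilentlyContinue).AllowTgtSessionKey
    # A missing value means the default, 0: the session key stays in LSA.
    if ($null -eq $value) { $value = 0 }

    [pscustomobject]@{
        Exported = ($value -ne 0)
        Reason   = "AllowTgtSessionKey = $value"
    }
}

$status = Get-TgtSessionKeyExportStatus
if ($status.Exported) {
    Write-Warning "TGT session key is readable by local processes: $($status.Reason)"
} else {
    Write-Output "TGT session key is not exported: $($status.Reason)"
}
```

A value of 0 is the default that keeps the session key inside LSA; only set it to 1 on hosts where a third-party Kerberos library genuinely needs to reuse the logon TGT.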
