"key type not supported" and XP SP2 changes ?

Jeffrey Altman jaltman2 at nyc.rr.com
Tue Sep 7 12:58:55 EDT 2004


The AllowTGTSessionKey registry value implemented in XP SP2 allows
the exportation of all TGT session keys.  Without this registry value
being set it will be impossible to extract a TGT from the LSA cache
which contains a valid session key of any type.  The AllowTGTSessionKey
flag does not have any impact on the session key type obtained from
the Active Directory KDC.

If you need a DES enctype from the LSA you should simply ask the LSA to 
give you one using the EncryptionType field of the 
KERB_RETRIEVE_TICKET_REQUEST.  The behaviors of the 
KerbRetrieveTicketMessage are slightly different in each operating 
system and service pack.  (The differences are not well documented.)

The MIT Kerberos for Windows distribution hides all of the LSA cache
variations from the application via the MSLSA krb5_ccache type.  MIT's
implementation of course supports the RC4-HMAC enctype so it does not
suffer from the problems that implementations such as yours and Sun's 
Java Kerberos run into.

Jeffrey Altman

Tim Alsop wrote:

> Hi,
> As you can see below I am trying to find out if we can implement the
> AllowTGTSessionKey registry setting in pre-SP2 versions of XP.
> There is no MSGINA replacement involved since the standard XP SP1 gina
> is being used to get the tgt. The tgt is obtained successfully, but
> since the tgt is used to get a service ticket (in tgs-req) our kerberos
> library on XP needs to read the LSA cred cache and it doesn't like the
> RC4 key it finds. We therefore need to find an easy way to stop this key
> being exported on pre-SP2 versions of XP.
> Thanks, Tim. 

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
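As an added example (my own, not part of Jeffrey's or Tim's messages and not MIT's code): a PowerShell audit for the AllowTGTSessionKey value discussed above, written from the host-hardening side. When the value is set to 1, the LSA will hand out TGT session keys to callers of KerbRetrieveTicketMessage, so a cached TGT becomes usable outside the LSA; a hardened workstation should normally have it absent or 0. The registry path and value name (AllowTgtSessionKey under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) are Microsoft's documented ones; the function name, output fields and the -Remediate switch are my own.

```powershell
# Audit (and optionally clear) the AllowTgtSessionKey registry value.
# Added example, not from the original thread. Reading HKLM needs no
# elevation; -Remediate writes to HKLM and must run from an elevated shell.
param(
    [switch]$Remediate
)

# Documented location of the Kerberos client parameters (XP SP2 and later).
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'AllowTgtSessionKey'

function Get-TgtSessionKeyExportState {
    # Returns an object describing whether the LSA will export TGT session keys.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null            # key or value absent: default behaviour
    } else {
        $value = [int]$item.$ValueName
    }

    if ($value -eq 1) {
        $finding = "TGT session keys are exportable from the LSA cache ($ValueName=1)"
    } elseif ($null -eq $value) {
        $finding = 'Value absent: LSA does not export TGT session keys (default)'
    } else {
        $finding = "Value present but not 1 ($value): LSA does not export TGT session keys"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Path          = $KerbParams
        Value         = $value
        ExportAllowed = ($value -eq 1)
        Finding       = $finding
    }
}

$state = Get-TgtSessionKeyExportState
$state | Format-List

if ($state.ExportAllowed -and $Remediate) {
    # Setting the value to 0 restores the default. As the message above notes,
    # this only governs what the LSA hands out to callers; it has no effect on
    # the enctype of the session key the KDC issued with the TGT.
    Set-ItemProperty -Path $KerbParams -Name $ValueName -Value 0 -Type DWord
    Write-Host "Set $ValueName to 0 on $env:COMPUTERNAME"
    Get-TgtSessionKeyExportState | Format-List   # re-read to confirm the change
}
```

Run it without arguments to report the state of the local machine; the ExportAllowed field is the one worth collecting centrally, since a value of 1 on a host that has no MIT-style Kerberos client needing it is a configuration worth questioning.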
