"key type not supported" and XP SP2 changes ?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Sep 7 14:12:37 EDT 2004


My comments below (inline).

Cheers, Tim 

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Jeffrey Altman
Sent: 07 September 2004 17:59
To: kerberos at MIT.EDU
Subject: Re: "key type not supported" and XP SP2 changes ?


The AllowTGTSessionKey registry value implemented in XP SP2 allows
the exportation of all TGT session keys.  Without this registry value
being set it will be impossible to extract a TGT from the LSA cache
which contains a valid session key of any type.  The AllowTGTSessionKey
flag does not have any impact on the session key type obtained from the
Active Directory KDC.

Tim> We don't want to extract a TGT from the LSA cache. This is not
necessary because our Kerberos library interfaces with LSA and requests
a service ticket. The service ticket request is handled by MS code and
the MS Kerberos library (e.g. LSA) sends the request to MS AD KDC. Our
Kerberos library does not need any access to the Key, but since it sees
the key and we have validation code to check for etypes that are
supported (for other reasons) our code gives "key type not supported".

If you need a DES enctype from the LSA you should simply ask the LSA to
give you one using the EncryptionType field of the
KerbRetrieveTicketMessage are slightly different in each operating
system and service pack.  (The differences are not well documented.)

Tim> We are not looking to use DES enc type. The expectation is that RC4
keys can be used for TGT, but when a tgt is stored in the LSA cache we
don't see the RC4 key (e.g. AllowTGTSessionKey = 0). If we see the key
our code considers this to be an error - we are trying to avoid this but
cannot on pre-SP2 versions of XP.

The MIT Kerberos for Windows distribution hides all of the LSA cache
variations from the application via the MSLSA krb5_ccache type.  MIT's
implementation of course supports the RC4-HMAC enctype so it does not
suffer from the problems that implementations such as yours and Sun's
Java Kerberos run into.

Tim> Our code has a similar cache type to hide any specifics from the
application. Our implementation will eventually support the RC4 etype so
this will work better then, but we have an existing customer who cannot
deploy SP2 for a while and are trying to see if there is a short term
solution for them.

Tim> If MS were able to implement the AllowTgtSessionKey that is in SP2
so that it can be added by hotfix to SP1 XP workstations this will solve
our problem.

Jeffrey Altman

Tim Alsop wrote:

> Hi,
> As you can see below I am trying to find out if we can implement the 
> AllowTGTSessionKey registry setting in pre-SP2 versions of XP.
> There is no MSGINA replacement involved since the standard XP SP1 gina
> is being used to get the tgt. The tgt is obtained successfully, but 
> since the tgt is used to get a service ticket (in tgs-req) our 
> kerberos library on XP needs to read the LSA cred cache and it doesn't
> like the RC4 key it finds. We therefore need to find an easy way to
> stop this key being exported on pre-SP2 versions of XP.
> Thanks, Tim. 

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Kerberos mailing list           Kerberos at mit.edu
