"key type not supported" and XP SP2 changes ?

Jeffrey Altman jaltman2 at nyc.rr.com
Tue Sep 7 15:30:06 EDT 2004

Tim Alsop wrote:

> Tim> we don't want to extract a tgt from lsa cache. This is not
> necessary because our Kerberos library interfaces with LSA and requests
> a service ticket. The service ticket request is handled by MS code and
> the MS Kerberos library (e.g. LSA) sends the request to MS AD KDC. Our
> Kerberos library does not need any access to the Key, but since it sees
> the key and we have validation code to check for etypes that are
> supported (for other reasons) our code gives "key type not supported"
> error.

If you are not requesting the TGT then the AllowTGTSessionKey flag
does not come into play at all.

> Tim> we are not looking to use DES enc type. The expectation is that RC4
> keys can be used for TGT, but when a tgt is stored in the LSA cache we
> don't see the RC4 key (e.g. AllowTGTSessionKey = 0). If we see the key
> our code considers this to be an error - we are trying to avoid this but
> cannot on pre-SP2 versions of XP.

What AllowTGTSessionKey does is allow the session key to be exported.
If it cannot be exported the encryption type is set to 0 (ENCTYPE_NULL).

I really suggest that you fix your code.  Setting the AllowTGTSessionKey
value to 0 breaks KFW and it breaks Java Kerberos.

> Tim> Our code has a similar cache type to hide any specifics from the
> application. Our implementation will eventually support the RC4 etype so
> this will work better then, but we have an existing customer who cannot
> deploy SP2 for a while and are trying to see if there is a short term
> solution for them.

Your statements are so confusing.  You have said repeatedly that the
reason you need to AllowTGTSessionKey flag is because you need to hide
the RC4-HMAC enctype from your application.  But now you say the 
customer is having problems installing XP SP2 which is where the default
behavior is "AllowTGTSessionKey = 0.  Which is it?

> Tim> If MS were able to implement the AllowTgtSessionKey that is in SP2
> so that it can be added by hotfix to SP1 XP workstations this will solve
> our problem.

My confusion continues.  How does this solve your problem?
Why is your application caring about the session key enctype of the TGT
when it is not attempting to use the TGT to obtain a service ticket?

Jeffrey Altman

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list