Problems with kerberos Windows XP sp2

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jan 10 10:17:48 EST 2005


Windows XP SP2, like Windows 2003, does not allow the exporting of the 
Kerberos TGT session key by default.  You must add the following keys
depending on whether you are using a Server or Client operating system:

Server OS:

   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

     AllowTGTSessionKey = 0x01 (DWORD)

Client OS:

   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

     AllowTGTSessionKey = 0x01 (DWORD)

Jeffrey Altman


Miika Parvio wrote:

> Hello!
> 
> I just got SSO authentication against AD working using JAAS. But then I 
> installed SP2 on my Windows XP, and nothing works anymore.
> 
> Maybe I should explain what my application did before I updated to SP2:
> 
> 1) Authenticate current user with SSO against AD. This was done by JAAS 
> and com.sun.security.auth.module.Krb5LoginModule.
> 2) Use current authentication information to get group information of
>     authenticated user from AD. This was done by JNDI like this:
> 
> JndiAction action = new JndiAction(args);
> Subject.doAs(lc.getSubject(), action);
> lc is a LoginContext object.
> 
> Everything worked with SP1 very well.
> 
> When I installed SP2, the situation looks like this:
> 1) Authenticate current user with SSO against AD.
>   -no errors, so I assume that everything went well.
> 2) Use current authentication information to get group information of
>     authenticated user from AD.
> An exception occurred:
> javax.naming.AuthenticationException: GSSAPI [Root exception is 
> javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: KDC has no 
> support for encryption type (14))]] GSSAPI
> 
> What should I do?
> 
> If I don't Use SSO, everything works fine. Do I need some batches to fix 
> this problem or what?
> 
> Miika Parvio
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
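
An added example, not part of the original message: a PowerShell script that reports `AllowTGTSessionKey` at both registry paths named in the reply and, with the hypothetical `-Enable` switch, sets it at the path matching the OS role. It assumes an elevated session and that `Win32_OperatingSystem.ProductType` (1 = workstation) is an acceptable way to tell a client OS from a server OS.

```powershell
# Added example, not from the original message. Run from an elevated prompt.
# -Enable is a name chosen for this example; without it the script only reports.
param([switch]$Enable)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
$client = $base                  # client OS path from the reply
$server = "$base\Parameters"     # server OS path from the reply

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
# Get-WmiObject fits the XP/2003 era; on PowerShell 7 use Get-CimInstance.
$productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
if ($productType -eq 1) { $target = $client } else { $target = $server }

function Get-AllowTgtSessionKey([string]$Path) {
    # $null means the key or value is absent, i.e. the default (export not allowed).
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name AllowTGTSessionKey `
                             -ErrorAction SilentlyContinue
    if ($item) { return $item.AllowTGTSessionKey }
    return $null
}

if ($Enable) {
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    New-ItemProperty -Path $target -Name AllowTGTSessionKey `
                     -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report both locations: a value under the path for the other OS role
# does not match what the reply prescribes for this machine.
foreach ($path in @($client, $server)) {
    $value = Get-AllowTgtSessionKey $path
    if ($null -eq $value) { $state = 'not set (default)' }
    elseif ($value -eq 1) { $state = 'enabled (0x01)' }
    else                  { $state = "set to $value" }
    if ($path -eq $target) { $role = 'path for this OS role' }
    else                   { $role = 'path for the other OS role' }
    Write-Output ("{0}`n    AllowTGTSessionKey: {1} [{2}]" -f $path, $state, $role)
}
```

Run without arguments, the script doubles as an audit of which hosts have TGT session key export turned on.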

