Security Relevance of allowtgtsessionkey (Microsoft)

[Ulrich Boche]

In MS Windows, the registry key "allowtgtsessionkey" has to be set to 
"1" to allow Kerberos java client code to function correctly. This is 
the information in MS KB Article ID 308339:

"To provide better security, Microsoft has restricted an interface to 
retrieve ticket-granting-ticket/session key pairs from the Kerberos 
security package. Because some third-party programs may require this 
functionality to operate properly, the following information has been 
provided so you can re-enable this interface. "

I would appreciate an explanation what the security exposure might be 
when enabling this key. Shouldn't attacks on the session key be 
restricted by Kerberos pre-authentication?
-- 
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner