Security Relevance of allowtgtsessionkey (Microsoft)

Ulrich Boche ulrich.boche at
Mon Oct 8 11:03:20 EDT 2007

In MS Windows, the registry key "allowtgtsessionkey" has to be set to
"1" to allow Kerberos Java client code to function correctly. This is
the information in MS KB Article ID 308339:

"To provide better security, Microsoft has restricted an interface to 
retrieve ticket-granting-ticket/session key pairs from the Kerberos 
security package. Because some third-party programs may require this 
functionality to operate properly, the following information has been 
provided so you can re-enable this interface."

I would appreciate an explanation of what the security exposure might be
when enabling this key. Shouldn't attacks on the session key be 
restricted by Kerberos pre-authentication?
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
