Security Relevance of allowtgtsessionkey (Microsoft)
Ulrich Boche
ulrich.boche at web.de
Mon Oct 8 11:03:20 EDT 2007

In MS Windows, the registry key "allowtgtsessionkey" has to be set to
"1" to allow Kerberos Java client code to function correctly. This is
the information in MS KB Article ID 308339:

"To provide better security, Microsoft has restricted an interface to
retrieve ticket-granting-ticket/session key pairs from the Kerberos
security package. Because some third-party programs may require this
functionality to operate properly, the following information has been
provided so you can re-enable this interface."

I would appreciate an explanation of what the security exposure might be
when enabling this key. Shouldn't attacks on the session key be
restricted by Kerberos pre-authentication?

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner