Using ms2mit...risks?

Greg Hudson ghudson at mit.edu
Tue Sep 17 12:27:24 EDT 2019


On 9/17/19 8:31 AM, John Devitofranceschi wrote:
> What are the risks of using ms2mit to create an API: ccache?  What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

My best understanding is that, for a user account with administrator
privileges, a process with access to a TGT can escalate privilege
without a UAC prompt.  This risk would apply regardless of whether the
TGT is obtained from the native LSA ccache or if it was stored in an API
or FILE ccache.


More information about the Kerberos mailing list