KfW 2.6 vs Windows 2003 Server: question to the community
Jeffrey Altman
jaltman at columbia.edu
Mon Jan 19 16:45:59 EST 2004
In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been noticed that, due to a change in the MS LSA behavior, when reading a TGT from the LSA to insert into the MIT ccache (ms2mit.exe), the session key is no longer provided. This makes the TGT useless for applications which are expecting to use the TGT to obtain additional tickets.

There is a new registry key which can be set which will restore the behavior used in Windows 2000 and XP.

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    AllowTGTSessionKey = 0x1 (DWORD)

The question is: Should the Kerberos for Windows installer set this parameter as part of the installation procedure on Windows 2003?

If it is not set, should ms2mit.exe and Leash generate an error instead of performing the ticket importation?

Thoughts?
Thanks.
Jeffrey Altman
KfW Maintainer
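
The second option raised in the message above (refuse the import when the value is not set) can be sketched as a pre-import check. This is an added example, not KfW or ms2mit.exe code; the function names are hypothetical, and only the registry path and value name come from the message.

```powershell
# Added example (not KfW code). Function names are hypothetical.
# Registry path and value name are the ones quoted in the message.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName      = 'AllowTGTSessionKey'

function Get-AllowTgtSessionKeyState {
    param([string]$Path = $KerberosParams)

    # A missing Parameters key means the value cannot be set.
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotSet' }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $ValueName) { return 'NotSet' }

    # The message specifies a DWORD; any other type is reported separately
    # so that a mistyped entry (for example a string "1") is not taken as enabled.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return 'WrongType' }

    if ($key.GetValue($ValueName) -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Assert-TgtImportUsable {
    # Stop with an error instead of importing a TGT that has no session key.
    $state = Get-AllowTgtSessionKeyState
    if ($state -ne 'Enabled') {
        throw "AllowTGTSessionKey is $state; a TGT read from the LSA would carry no session key."
    }
}
```

The same state check is useful for auditing, since setting the value returns the TGT session key to any process that can read tickets from the LSA in that logon session.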