KfW 2.6 vs Windows 2003 Server: question to the community

Jeffrey Altman jaltman at columbia.edu
Mon Jan 19 16:45:59 EST 2004

In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been 
noticed that
due to a change in the MS LSA behavior, when reading a TGT from the LSA to
insert into the MIT ccache (ms2mit.exe) that the session key is no 
longer provided. 
This makes the TGT useless for applications which are expecting to use 
the TGT to
obtain additional tickets. 

There is a new registry key which can be set which will restore the 
behavior used in
Windows 2000 and XP. 

     AllowTGTSessionKey = 0x1 (DWORD)

The question is:  Should the Kerberos for Windows installer set this 
as part of the installation procedure on Windows 20003? 

If it is not set, should ms2mit.exe and Leash generate an error instead of
performing the ticket importation?



Jeffrey Altman
KfW Maintainer

More information about the krbdev mailing list