KfW 2.6 vs Windows 2003 Server: question to the community

Douglas E. Engert deengert at anl.gov
Mon Jan 19 17:39:27 EST 2004



Jeffrey Altman wrote:
> 
> In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been
> noticed that due to a change in the MS LSA behavior, when reading a TGT
> from the LSA to insert into the MIT ccache (ms2mit.exe) that the session
> key is no longer provided. This makes the TGT useless for applications
> which are expecting to use the TGT to obtain additional tickets.
> 
> There is a new registry key which can be set which will restore the
> behavior used in Windows 2000 and XP.
> 
>    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>      AllowTGTSessionKey = 0x1 (DWORD)
> 
> The question is:  Should the Kerberos for Windows installer set this
> parameter as part of the installation procedure on Windows 2003?

I would say yes, or you could make it an option to change it. If one is 
installing KfW, I would expect that one would in almost all cases want 
to use the TGT from login if available. 

> 
> If it is not set, should ms2mit.exe and Leash generate an error instead of
> performing the ticket importation?

If there is an error message it should say this can be changed in the registry.  


> 
> Thoughts?
> 
> Thanks.
> 
> Jeffrey Altman
> KfW Maintainer

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
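
The following is an added example, not part of the original message and not code from KfW: a read-only PowerShell check of the registry value named in the thread, which reports its state and, when it is not set, prints the kind of message suggested above (one that says the setting can be changed in the registry). The function name `Get-TgtSessionKeyPolicy` and the message wording are assumptions made for this example.

```powershell
# Added example: read-only check of the AllowTGTSessionKey setting from this thread.
# Key path, value name and expected data (0x1, DWORD) are taken from the message above.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'AllowTGTSessionKey'

function Get-TgtSessionKeyPolicy {   # hypothetical helper name
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    $result = [pscustomobject]@{
        Path    = $Path
        Name    = $Name
        Present = $false   # value exists under the key
        Kind    = $null    # registry value type as stored
        Data    = $null    # raw data as stored
        Enabled = $false   # true only for DWORD data equal to 1
    }

    # The Parameters key itself may be missing on a default install.
    if (-not (Test-Path -LiteralPath $Path)) { return $result }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $result }

    $result.Present = $true
    $result.Kind    = $key.GetValueKind($Name)
    $result.Data    = $key.GetValue($Name)

    # A value of the wrong type (for example a string "1") is reported as not enabled.
    $isDword        = $result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord
    $result.Enabled = $isDword -and ($result.Data -eq 1)
    return $result
}

$state = Get-TgtSessionKeyPolicy
if ($state.Enabled) {
    Write-Output "$ValueName is set to 0x1: the LSA will return the TGT session key."
} else {
    Write-Warning ("$ValueName is not set to 0x1 (DWORD), so a TGT read from the LSA " +
        "will not include its session key. This can be changed in the registry under " +
        "$KeyPath.")
}
$state | Format-List
```

The check only reads the registry, so it can be run by an installer pre-flight step or by an administrator auditing which hosts have the Windows 2000/XP behavior restored.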

