KfW 2.6 vs Windows 2003 Server: question to the community

Douglas E. Engert deengert at anl.gov
Mon Jan 19 17:39:27 EST 2004

Jeffrey Altman wrote:
> In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been
> noticed that
> due to a change in the MS LSA behavior, when reading a TGT from the LSA to
> insert into the MIT ccache (ms2mit.exe) that the session key is no
> longer provided.
> This makes the TGT useless for applications which are expecting to use
> the TGT to
> obtain additional tickets.
> There is a new registry key which can be set which will restore the
> behavior used in
> Windows 2000 and XP.
>    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>      AllowTGTSessionKey = 0x1 (DWORD)
> The question is:  Should the Kerberos for Windows installer set this
> parameter
> as part of the installation procedure on Windows 20003?

I would say yes, or you could make it an option to change it. If one is 
installing KfW, I would expect that one would in almost all cases want 
to use the TGT from login if available. 

> If it is not set, should ms2mit.exe and Leash generate an error instead of
> performing the ticket importation?

If there is an error message it should say this can be changed in the registry.  

> Thoughts?
> Thanks.
> Jeffrey Altman
> KfW Maintainer
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev


 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list