KfW 2.6 vs Windows 2003 Server: question to the community

Jeffrey Altman jaltman at columbia.edu
Mon Jan 19 17:54:04 EST 2004


I would agree except that if you set the ccache to "MSLSA:" then you
do not need to perform an importation in order to use the logon
credentials.



Douglas E. Engert wrote:

>
>Jeffrey Altman wrote:
>
>>In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been
>>noticed that due to a change in the MS LSA behavior, when reading a TGT
>>from the LSA to insert into the MIT ccache (ms2mit.exe) that the session
>>key is no longer provided. This makes the TGT useless for applications
>>which are expecting to use the TGT to obtain additional tickets.
>>
>>There is a new registry key which can be set which will restore the
>>behavior used in Windows 2000 and XP.
>>
>>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>>     AllowTGTSessionKey = 0x1 (DWORD)
>>
>>The question is:  Should the Kerberos for Windows installer set this
>>parameter as part of the installation procedure on Windows 2003?
>>
>
>I would say yes, or you could make it an option to change it. If one is 
>installing KfW, I would expect that one would in almost all cases want 
>to use the TGT from login if available. 
>
>
>>If it is not set, should ms2mit.exe and Leash generate an error instead of
>>performing the ticket importation?
>>
>
>If there is an error message it should say this can be changed in the registry.  
>
>
>
>>Thoughts?
>>
>>Thanks.
>>
>>Jeffrey Altman
>>KfW Maintainer
>>
>>_______________________________________________
>>krbdev mailing list             krbdev at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>
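
The pre-flight check discussed in this thread, sketched in PowerShell as an added example (it is not KfW or ms2mit code): it reads the AllowTGTSessionKey value from the registry path quoted above and, when the value is missing or not 1, produces a message that points at the registry setting. The function name, result fields and message wording are hypothetical.

```powershell
# Added example, not KfW code. Function name and message text are hypothetical.
function Test-AllowTGTSessionKey {
    [CmdletBinding()]
    param(
        # Registry location quoted in the thread.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    )
    $name   = 'AllowTGTSessionKey'
    $hint   = "Set $name = 0x1 (DWORD) under $Path to change this."
    $result = [pscustomobject]@{
        Name               = $name
        Present            = $false
        Value              = $null
        SessionKeyProvided = $false
        Message            = "$name is not set; an imported TGT will lack its session key. $hint"
    }

    # Missing key or missing value: report the default "not set" result.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $name) {
        return $result
    }

    $result.Present = $true
    $result.Value   = $key.GetValue($name)

    # The thread specifies a DWORD; flag any other type rather than guessing.
    if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Message = "$name exists but is not a DWORD; this check treats it as unset. $hint"
        return $result
    }
    if ($result.Value -eq 1) {
        $result.SessionKeyProvided = $true
        $result.Message = "$name = 1; the LSA returns the TGT session key (Windows 2000/XP behavior)."
    }
    else {
        $result.Message = "$name = $($result.Value); an imported TGT will lack its session key. $hint"
    }
    return $result
}

# Warn before attempting an import, then show the full result.
$check = Test-AllowTGTSessionKey
if (-not $check.SessionKeyProvided) { Write-Warning $check.Message }
$check | Format-List
```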

