KfW 2.6 vs Windows 2003 Server: question to the community

Douglas E. Engert deengert at anl.gov
Mon Jan 19 18:12:59 EST 2004

Jeffrey Altman wrote:
> 
> I would agree except that if you set the ccache to "MSLSA:" then you
> do not need to perform an importation in order to use the logon
> credentials.

Well, can one always use the MSLSA: as the cache? Or are there some
situations where this cannot be done, and the only way
around is to get the TGT key?

It sounds like 2003 is trying to improve the security by not allowing
the TGT key to be handed out to applications. Is there any way to
treat leash or ms2mit as more trusted than other applications?
(Should they be more trusted?)

> 
> Douglas E. Engert wrote:
> 
> >
> >Jeffrey Altman wrote:
> >
> >>In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been
> >>noticed that
> >>due to a change in the MS LSA behavior, when reading a TGT from the LSA to
> >>insert into the MIT ccache (ms2mit.exe) that the session key is no
> >>longer provided.
> >>This makes the TGT useless for applications which are expecting to use
> >>the TGT to
> >>obtain additional tickets.
> >>
> >>There is a new registry key which can be set which will restore the
> >>behavior used in
> >>Windows 2000 and XP.
> >>
> >>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> >>     AllowTGTSessionKey = 0x1 (DWORD)
> >>
> >>The question is:  Should the Kerberos for Windows installer set this
> >>parameter
> >>as part of the installation procedure on Windows 2003?
> >>
> >
> >I would say yes, or you could make it an option to change it. If one is
> >installing KfW, I would expect that one would in almost all cases want
> >to use the TGT from login if available.
> >
> >
> >>If it is not set, should ms2mit.exe and Leash generate an error instead of
> >>performing the ticket importation?
> >>
> >
> >If there is an error message it should say this can be changed in the registry.
> >
> >
> >
> >>Thoughts?
> >>
> >>Thanks.
> >>
> >>Jeffrey Altman
> >>KfW Maintainer
> >>
> >>_______________________________________________
> >>krbdev mailing list             krbdev at mit.edu
> >>https://mailman.mit.edu/mailman/listinfo/krbdev
> >>
> >

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
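As an added example (not part of the thread or of KfW), a PowerShell audit of the AllowTGTSessionKey value the quoted message describes, so an administrator can see whether the LSA on a host will hand the TGT session key to user-mode programs such as ms2mit.exe and Leash. It assumes a Windows host; reading the value needs no elevation, changing it does.

```powershell
# Added example, not code from the thread. Audits (and optionally sets) the
# registry value discussed above. An absent value on Windows 2003 means the
# new default: the TGT session key is withheld from applications.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'AllowTGTSessionKey'

function Get-TgtSessionKeyPolicy {
    # Returns an object describing whether the LSA exports the TGT session key.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

    [pscustomobject]@{
        Path               = $KerbParams
        Name               = $ValueName
        Value              = $raw
        SessionKeyExported = ($raw -eq 1)
        Note               = if ($raw -eq 1) {
            'TGT session key is handed to applications: ms2mit/Leash import works, ' +
            'but every process running as the logged-on user can obtain the key.'
        } else {
            'TGT session key is withheld by the LSA (2003 default): ms2mit/Leash ' +
            'import yields a TGT that cannot be used to obtain further tickets.'
        }
    }
}

function Set-TgtSessionKeyPolicy {
    # Sets the DWORD to 1 (-Enable) or 0. Supports -WhatIf so the change can be
    # previewed; requires an elevated shell to actually write under HKLM.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enable)
    $desired = if ($Enable) { 1 } else { 0 }
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$KerbParams\$ValueName", "set DWORD to $desired")) {
        Set-ItemProperty -Path $KerbParams -Name $ValueName -Value $desired -Type DWord
    }
}

# Report the current state of this host.
Get-TgtSessionKeyPolicy | Format-List
```

Running `Set-TgtSessionKeyPolicy -Enable -WhatIf` shows the write without performing it, which is a reasonable way to review the change before deciding whether an installer should apply it fleet-wide.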

