How does MIT Kerberos SDK work with MSLSA:

Douglas E. Engert deengert at
Tue Jan 29 12:29:33 EST 2013

On 1/28/2013 10:17 PM, deepak kumar wrote:
> Hi All,
> I have been working on developing a Client and a Service application for
> Windows as a prototype. These prototypes should do Kerberos-based mutual
> authentication where the client should authenticate using the logged-on
> credentials of the logged-in Windows user.
> I am using Kerberos for Windows 4.
> Now if I do klist MSLSA: on the command prompt, I get a list of service tickets
> like
> HOST/........
> LDAP/.......
> cifs/.......
> but I don't see any krbtgt (TGT).
> But the client application still works as long as there is any service
> ticket available (visible in klist).
> After a while the service tickets expire and klist starts returning an empty list.
> At this time the client application starts to fail saying credential cache
> is empty.
> If I keep waiting for some time some other service ticket will
> automatically get generated and the application will start working again.
> I know that setting the enabletgtseesionkey registry entry to true will allow
> us to see the TGT using klist, but we don't want to change any registry
> settings...

You mean allowtgtsessionkey?

Keep in mind that Windows is keeping the session key private so an
application cannot steal the TGT and misuse it. Yet the Windows
Kerberos/SSPI can get service tickets for applications without the
application requiring access to the TGT key.

The allowtgtsessionkey was a concession by Microsoft that there are
times when an application using some external Kerberos library needs
access to the session key.

> I want to know how the client application is working without a TGT, and why
> service tickets disappear after the expiry time. Is there any way to get them
> renewed automatically?

The TGT in the MSLSA can be renewable, see:

under: Renewable TGTs.

> Thanks
> Deepak


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
