Subject: KfW vs Windows 2003 Server
In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been
noticed that, due to a change in the MS LSA behavior, when reading a TGT
from the LSA to insert into the MIT ccache (ms2mit.exe), the session key
is no longer provided. This makes the TGT useless for applications which
are expecting to use the TGT to obtain additional tickets.

There is a new registry key which can be set which will restore the
behavior used in Windows 2000 and XP:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x1 (DWORD)

The question is: Should the Kerberos for Windows installer set this
parameter as part of the installation procedure on Windows 2003?
If it is not set, should ms2mit.exe and Leash generate an error instead of
performing the ticket importation?

Feedback on krbdev from Doug and Paul indicates that the registry setting
should be set by the current installer. This will be done for 2.6 Beta 3.

However, we should in the future consider the possibility of making the
default ccache "MSLSA:" when the windows logon session is authenticated
with "kerberos lsa". For this reason I am leaving this issue open.
The key for non-Server versions of Windows is

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey = 0x1 (DWORD)

This is set by the KFW installers.
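An added example, not part of the ticket or of the KfW installer: a PowerShell script that audits both registry locations named above for AllowTGTSessionKey and, when run elevated with -Set, writes the DWORD value 1 to the location matching the Windows edition. The two registry paths and the value name come from the ticket; the function names, the -Set switch, and the use of Win32_OperatingSystem.ProductType to tell server from workstation editions are this example's own choices.

```powershell
[CmdletBinding()]
param(
    # Apply the value instead of only reporting it (needs an elevated shell)
    [switch]$Set
)

# Registry paths exactly as given in the ticket.
$ServerPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'  # Windows 2003 Server
$WorkstationPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'             # Windows 2000 / XP
$ValueName       = 'AllowTGTSessionKey'

function Get-TgtSessionKeyPolicy {
    # Report, for each path, whether the value exists and whether it is 1.
    foreach ($path in @($ServerPath, $WorkstationPath)) {
        $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $path
            Present = ($null -ne $item)
            Value   = if ($null -ne $item) { $item.$ValueName } else { $null }
            Enabled = ($null -ne $item -and $item.$ValueName -eq 1)
        }
    }
}

function Set-TgtSessionKeyPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # The Parameters subkey may not exist yet on a server; -Force creates it.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # DWORD 0x1, as the ticket specifies; -Force overwrites an existing value.
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit first so the before/after state is visible.
Get-TgtSessionKeyPolicy | Format-Table -AutoSize

if ($Set) {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Edition detection is an assumption of this example, not something the ticket describes.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    $target = if ($productType -eq 1) { $WorkstationPath } else { $ServerPath }
    Set-TgtSessionKeyPolicy -Path $target
    Write-Host "Wrote $ValueName=1 (DWORD) under $target"
    Get-TgtSessionKeyPolicy | Format-Table -AutoSize
}
```

Run it without arguments to see which path carries the value and whether it is enabled; without the value set to 1, a TGT imported by ms2mit.exe or Leash arrives without its session key, which is the symptom the ticket describes. The write path only runs with -Set, so the audit can be used read-only on machines where the installer should have already set the value.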

Although we are not currently setting the MSLSA as the default cache I
am going to close this ticket at this point because significant progress
has been made to improve the interoperability of the LSA cache. See
ticket 2705.