Subject: KfW vs Windows 2003 Server

In the process of testing KfW 2.6 Beta 2 on Windows 2003, it has been noticed that, due to a change in the MS LSA behavior, the session key is no longer provided when reading a TGT from the LSA to insert into the MIT ccache (ms2mit.exe). This makes the TGT useless for applications which are expecting to use the TGT to obtain additional tickets.

There is a new registry key which can be set which will restore the behavior used in Windows 2000 and XP.

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    AllowTGTSessionKey = 0x1 (DWORD)

The question is: Should the Kerberos for Windows installer set this parameter as part of the installation procedure on Windows 2003?

If it is not set, should ms2mit.exe and Leash generate an error instead of performing the ticket importation?