[28549] in Kerberos


Security Relevance of allowtgtsessionkey (Microsoft)

daemon@ATHENA.MIT.EDU (Ulrich Boche)
Mon Oct 8 11:15:25 2007

From: Ulrich Boche <ulrich.boche@web.de>
Date: Mon, 08 Oct 2007 17:03:20 +0200
Message-ID: <5muv5pFf3v7iU1@mid.individual.net>
Mime-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

In MS Windows, the registry key "allowtgtsessionkey" has to be set to 
"1" to allow Kerberos Java client code to function correctly. This is 
the information in MS KB Article ID 308339:

"To provide better security, Microsoft has restricted an interface to 
retrieve ticket-granting-ticket/session key pairs from the Kerberos 
security package. Because some third-party programs may require this 
functionality to operate properly, the following information has been 
provided so you can re-enable this interface."

I would appreciate an explanation of what the security exposure might be 
when enabling this key. Shouldn't attacks on the session key be 
restricted by Kerberos pre-authentication?
-- 
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
