[28549] in Kerberos
Security Relevance of allowtgtsessionkey (Microsoft)
daemon@ATHENA.MIT.EDU (Ulrich Boche)
Mon Oct 8 11:15:25 2007
From: Ulrich Boche <ulrich.boche@web.de>
Date: Mon, 08 Oct 2007 17:03:20 +0200
Message-ID: <5muv5pFf3v7iU1@mid.individual.net>
To: kerberos@mit.edu

In MS Windows, the registry key "allowtgtsessionkey" has to be set to
"1" to allow Kerberos Java client code to function correctly. This is
the information in MS KB Article ID 308339:

"To provide better security, Microsoft has restricted an interface to
retrieve ticket-granting-ticket/session key pairs from the Kerberos
security package. Because some third-party programs may require this
functionality to operate properly, the following information has been
provided so you can re-enable this interface."

I would appreciate an explanation of what the security exposure might be
when enabling this key. Shouldn't attacks on the session key be
restricted by Kerberos pre-authentication?

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner