Microsoft has restricted the interface to retrieve
ticket-granting-ticket/session key pairs from the Kerberos security
package. This feature affects all programs that use the LSA API to obtain
the native TGT on Windows.

MIT has the same suggestion. Check out the MIT Kerberos release notes
for Windows. You will find the notes on the "AllowTGTSessionKey" registry key.
http://web.mit.edu/kerberos/www/kfw-2.6/kfw-2.6.5/relnotes.html

Seema

David Shambroom wrote:

>Unfortunately, use of "useTicketCache=true" was broken by Windows 2000 SP4 and 
>Windows XP SP2.  Sun has the following suggestion in:
>file:///C:/Program%20Files/Java/jdk1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>
>===BEGIN QUOTE===
>Cause 2: This exception is thrown when using native ticket cache on some
>Windows platforms. Microsoft has added a new feature in which they no longer
>export the session keys for Ticket-Granting Tickets (TGTs). As a result, the
>native TGT obtained on Windows has an "empty" session key and null EType. The
>affected platforms include: Windows Server 2003, Windows 2000 Server Service
>Pack 4 (SP4) and Windows XP SP2.
>
>Solution 2: You need to update the Windows registry to disable this new
>feature. The registry key allowtgtsessionkey should be added--and set
>correctly--to allow session keys to be sent in the Kerberos Ticket-Granting
>Ticket.
>
>On the Windows Server 2003 and Windows 2000 SP4, here is the required registry 
>setting:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01  ( default is 0 )
>
>By default, the value is 0; setting it to "0x01" allows a session key to be 
>included in the TGT.
>
>Here is the location of the registry setting on Windows XP SP2:
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
>Value Name: allowtgtsessionkey
>Value Type: REG_DWORD
>Value: 0x01
>===END QUOTE===
>
>The suggested registry addition works for W2K, but not the one for XP (at
>least not for me).  Has anyone successfully tested this on XP, or is there
>something else that needs to be done?
>
>--Dave
>
>[EMAIL PROTECTED] wrote:
>
>>Date: Tue, 22 Feb 2005 10:10:15 -0800
>>From: Seema Malkani <[EMAIL PROTECTED]>
>>To: "Wells, Bruce" <[EMAIL PROTECTED]>
>>Cc: [EMAIL PROTECTED]
>>Cc: Kerberos MIT <kerberos@mit.edu>
>>Subject: Re: Acquiring credentials for a Principal in Java on XP client
>>
>>Java Kerberos can be configured to acquire the native credentials. JAAS
>>Krb5LoginModule will acquire native TGT on Windows via the LSA API if
>>the option "useTicketCache=true" has been set.
>>
>>For details on how to achieve Single Sign-On using Java Kerberos refer to:
>>http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/single-signon.html
>>
>>In addition, you can refer to the following JavaOne Security Lab.
>>7133 - Advanced Security Programming in the J2SE Platform, Version 1.5:
>>           Authentication, Secure Communication, and Single Sign-on
>>
>>Seema
>>
>>In addition, you can refer to
>>
>>Wells, Bruce wrote:
>>
>>>Hello to all,
>>>How can I go about acquiring the credentials for the current logged on
>>>user
>>>on an XP client in Java. I need to establish a context between the Java
>>>app
>>>and a kerberized service via GSS
>>>
>>>TIA,
>>>Bruce.
>>>
>________________________________________________
>Kerberos mailing list           Kerberos@mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>

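As an added example, not code from this thread or from Sun: a small JDK 1.5-era Java program (the class name NativeTgtCheck and the JAAS entry name are my own) that logs in through Krb5LoginModule with useTicketCache=true, as Seema describes, and reports whether the TGT handed back by the LSA carries a non-empty session key. That is the symptom the quoted Sun note describes, and running this is a quick way to tell whether the allowtgtsessionkey value took effect under the key path for a given Windows version.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Logs in via the native Windows ticket cache and inspects the TGT it yields. */
public class NativeTgtCheck {

    // Programmatic equivalent of a login.conf entry (entry name is hypothetical):
    //   NativeTgt { com.sun.security.auth.module.Krb5LoginModule required
    //               useTicketCache=true doNotPrompt=true; };
    static Configuration nativeCacheConfig() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // read the LSA cache, never ask for a password
                opts.put("doNotPrompt", "true");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { } // abstract on older JDKs, so it must be overridden
        };
    }

    public static void main(String[] args) {
        LoginContext lc;
        try {
            lc = new LoginContext("NativeTgt", null, null, nativeCacheConfig());
            lc.login();
        } catch (LoginException e) {
            // On an affected host the login itself fails, as in the "Cause 2" note quoted above.
            System.out.println("Login via native cache failed: " + e.getMessage());
            System.out.println("Check the allowtgtsessionkey registry value for this Windows version.");
            return;
        }
        for (KerberosTicket t : lc.getSubject().getPrivateCredentials(KerberosTicket.class)) {
            byte[] key = (t.getSessionKey() == null) ? null : t.getSessionKey().getEncoded();
            int keyLen = (key == null) ? 0 : key.length;
            System.out.println("Ticket " + t.getClient() + " -> " + t.getServer()
                + ": session key bytes=" + keyLen + ", etype=" + t.getSessionKeyType());
            if (keyLen == 0) {
                System.out.println("  Empty session key: the LSA did not export it, so"
                    + " GSS context establishment with this TGT will fail.");
            }
        }
    }
}
```

Run it as the logged-on domain user on the host under test; a zero-length key or a LoginException during login means the registry value is not in effect for that Windows version's key path. Keep in mind that allowtgtsessionkey hands the TGT session key to every process in the user's session, which is why Microsoft turned the export off by default.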