Note: The MSLSA: credential cache relies on the ability to extract the entire
Kerberos ticket, including the session key, from the Kerberos LSA.
In an attempt to increase security, Microsoft has begun to implement a feature
by which they no longer export the session keys for Ticket Getting
Tickets, which can cause them to be useless to the IBM® JGSS when attempts
are made to request additional service tickets. This new feature has been
seen in Windows® 2003 Server, Windows 2000 Server SP4, and Windows XP SP2 Beta.
Microsoft has provided the following registry key to disable this new feature:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)
On Windows XP SP2 Beta 1 the key is specified as:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey = 0x01 (DWORD)
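
An added example, not part of the original note or of IBM's or Microsoft's own tooling: a PowerShell audit that reports whether AllowTGTSessionKey is set at either of the two registry locations above, with a guarded setter for hosts that need the MSLSA: cache. The function names are assumptions made for this example; only the registry paths and the value name come from the note.

```powershell
# Added example: report (and optionally set) AllowTGTSessionKey at the two
# registry locations named in the note. Function names are hypothetical.
$ValueName = 'AllowTGTSessionKey'
$Locations = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters',  # general location
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'              # Windows XP SP2 Beta 1
)

function Get-TgtSessionKeyExport {
    # Emits one object per location so a missing key, a missing value and an
    # explicit 0 can be told apart from an explicit 1.
    foreach ($path in $Locations) {
        $value = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$ValueName }
        }
        [pscustomobject]@{
            Path     = $path
            Present  = ($null -ne $value)
            Value    = $value
            Exported = ($value -eq 1)   # true: TGT session keys are exported
        }
    }
}

function Set-TgtSessionKeyExport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value
    )
    # Refuse to write anywhere except the two documented locations.
    if ($Locations -notcontains $Path) { throw "Unexpected registry path: $Path" }
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

# Read-only audit of the current host.
Get-TgtSessionKeyExport | Format-Table -AutoSize

# To change the setting (requires an elevated session), for example:
# Set-TgtSessionKeyExport -Path $Locations[0] -Value 1
```

A row with Exported = True on a host that does not use the MSLSA: credential cache means the protection described in the note has been turned off without a matching need, which makes this output worth including in a configuration baseline check.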