From 6db0f8c2309dbebb44893a0369a30ade74a1d348 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 31 Jan 2004 00:31:33 +0000 Subject: [PATCH] 2004-01-30 Jeffrey Altman Update the README file to include details on the new Windows registry key necessary to access the TGT session key when importing from MSLSA. Also, include compatibility details regarding the gss sample client and the Microsoft Platform SDK distributed versions. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15988 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/ChangeLog | 7 +++++++ src/windows/README | 37 +++++++++++++++++++++++++++++++++++-- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog index eb3ba7f74..6d67dfa33 100644 --- a/src/windows/ChangeLog +++ b/src/windows/ChangeLog @@ -1,3 +1,10 @@ +2004-01-30 Jeffrey Altman + + * README: Update the text to include the details of the new + Windows registry keys necessary to access the TGT session key. + Also, provide details on the incompatibility of the gss.exe + sample client and the versions distributed by Microsoft. + 2003-12-22 Jeffrey Altman * README: Update to more clearly specify the build environment diff --git a/src/windows/README b/src/windows/README index 4f11314e3..50b6e40f2 100644 --- a/src/windows/README +++ b/src/windows/README 
@@ -222,9 +222,42 @@ The result of a real KSETUP configuration looks like this: Mapping jaltman@ATHENA.MIT.EDU to jaltman. Mapping all users (*) to a local account by the same name (*). +The MSLSA: credential cache relies on the ability to extract the entire +Kerberos ticket including the session key from the Kerberos LSA. In an +attempt to increase security Microsoft has begun to implement a feature +by which they no longer export the session keys for Ticket Getting Tickets. +This has the side effect of making them useless to the MIT krb5 library +when attempting to request additional service tickets. -Other Issues: ------------- +This new feature has been seen in Windows 2003 Server, Windows 2000 Server SP4, +and Windows XP SP2 Beta. We assume that it will be implemented in all future +Microsoft operating systems supporting the Kerberos SSPI. Microsoft does work +closely with MIT and has provided a registry key to disable this new feature. + + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters + AllowTGTSessionKey = 0x01 (DWORD) + +On Windows XP SP2 Beta 1 the key was specified as + + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos + AllowTGTSessionKey = 0x01 (DWORD) + +However, we anticipate that this will be changed to match the Server platforms +in time for SP2 RC1. + + +GSSAPI Sample Client: +--------------------- + +The GSS API Sample Client provided in this distribution is compatible with the +gss-server application built on Unix/Linux systems. This client is not compatible +with the Platform SDK/Samples/Security/SSPI/GSS/ samples which Microsoft has been +shipping as of January 2004. Revised versions of these samples are available upon +request to krbdev@mit.edu. Microsoft is committed to distribute revised samples +which are compatible with the MIT distributed tools in a future SDK and via MSDN. + +Kerberos 4 Library Support: +--------------------------- The krb4_32.dll that is built (but not installed) is not supported. 
If you need Kerberos 4, you can use the krbv4w32.dll that MIT -- 2.26.2
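Review bot: the ChangeLog entry speaks of "registry keys" (plural), but the README hunk documents a single value, AllowTGTSessionKey, under two alternative paths (Lsa\Kerberos\Parameters on the Server platforms, Lsa\Kerberos on XP SP2 Beta 1); "the new Windows registry key" would match the README and the commit subject.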
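Review bot: "Ticket Getting Tickets" in the new MSLSA: paragraph should read "Ticket Granting Tickets" (TGT), matching the AllowTGTSessionKey name used two paragraphs later. More substantively, the README tells administrators to set AllowTGTSessionKey = 0x01 but never states the trade-off: the hunk itself says Microsoft stopped exporting TGT session keys "in an attempt to increase security", so setting this value restores that export and gives up that hardening; one sentence saying so, and that the value is only needed on machines that actually use the MSLSA: cache, would let readers make an informed choice. Finally, the SP2 Beta 1 key path and "we anticipate that this will be changed ... in time for SP2 RC1" describe unreleased software; suggest marking that paragraph as current as of January 2004 (the date already given in the GSSAPI section) so it is re-verified when SP2 ships.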