Registry Key to Allow Session Keys to Be Sent in Kerberos Ticket-Granting-Ticket

Article ID: 308339 - View products that this article applies to.
This article was previously published under Q308339
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986
(http://support.microsoft.com/kb/256986/EN-US/ )
Description of the Microsoft Windows Registry
Expand all | Collapse all

SUMMARY

To provide better security, Microsoft has restricted an interface to retrieve ticket-granting-ticket/session key pairs from the Kerberos security package. Because some third-party programs may require this functionality to operate properly, the following information has been provided so you can re-enable this interface.

For additional information about the latest service pack for Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:
260910
(http://support.microsoft.com/kb/260910/EN-US/ )
How to Obtain the Latest Windows 2000 Service Pack

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Previous to the change that is described in the "Summary" section of this article, programs could use the Win32 LsaCallAuthenticationPackage API specifying KERB_RETRIEVE_TICKET_REQUEST and either KerbRetrieveEncodedTicketMessage or KerbRetrieveTicketMessage message types to retrieve a Kerberos ticket-granting-ticket (TGT) and the associated session key.

The registry value to include a session key in the TGT:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_SZ
Value Range: 0 or 1 (default of 0)
  • 0: The KerbRetrieveEncodedTicketMessage response will not include a session key that allows this TGT to be used for logon.
  • 1: Indicates that a session key should be returned with the TGT according to current behavior.

Properties

Article ID: 308339 - Last Review: February 28, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbenv kbinfo kbnetwork kbsecurity kbwin2000sp3fix KB308339
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top