Before the change described in the "Summary" section of this article, programs could call the Win32 LsaCallAuthenticationPackage API with KERB_RETRIEVE_TICKET_REQUEST and either the KerbRetrieveEncodedTicketMessage or the KerbRetrieveTicketMessage message type to retrieve a Kerberos ticket-granting ticket (TGT) and the associated session key.
The following registry value controls whether a session key is included with the TGT:
Value Name: allowtgtsessionkey
Value Type: REG_SZ
Value Range: 0 or 1 (default of 0)
- 0: The KerbRetrieveEncodedTicketMessage response will not include a session key that allows this TGT to be used for logon.
- 1: Indicates that a session key should be returned with the TGT according to current behavior.
Note: With Windows 10 and Credential Guard, this approach is permanently disabled.