author: Jeffrey Altman <jaltman@secure-endpoints.com> 2004-01-31 00:31:33 +0000
committer: Jeffrey Altman <jaltman@secure-endpoints.com> 2004-01-31 00:31:33 +0000
commit: 6db0f8c2309dbebb44893a0369a30ade74a1d348
tree: a6a79fbb43f7470d1afa82570377aa2ed4212d67 /src/windows/README
parent: 47d5889c35038d022cf31dc1ac68260789d9c011
2004-01-30 Jeffrey Altman <jaltman@mit.edu>
Update the README file to include details on the new Windows registry key necessary to access the TGT session key when importing from MSLSA. Also, include compatibility details regarding the gss sample client and the Microsoft Platform SDK distributed versions.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15988 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/README')
-rw-r--r-- src/windows/README 37
1 files changed, 35 insertions, 2 deletions
diff --git a/src/windows/README b/src/windows/README
index 4f11314e33..50b6e40f2e 100644
--- a/src/windows/README
+++ b/src/windows/README
@@ -222,9 +222,42 @@ The result of a real KSETUP configuration looks like this:
Mapping jaltman@ATHENA.MIT.EDU to jaltman.
Mapping all users (*) to a local account by the same name (*).
+The MSLSA: credential cache relies on the ability to extract the entire
+Kerberos ticket including the session key from the Kerberos LSA. In an
+attempt to increase security Microsoft has begun to implement a feature
+by which they no longer export the session keys for Ticket Getting Tickets.
+This has the side effect of making them useless to the MIT krb5 library
+when attempting to request additional service tickets.
-Other Issues:
-------------
+This new feature has been seen in Windows 2003 Server, Windows 2000 Server SP4,
+and Windows XP SP2 Beta. We assume that it will be implemented in all future
+Microsoft operating systems supporting the Kerberos SSPI. Microsoft does work
+closely with MIT and has provided a registry key to disable this new feature.
+
+ HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
+ AllowTGTSessionKey = 0x01 (DWORD)
+
+On Windows XP SP2 Beta 1 the key was specified as
+
+ HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
+ AllowTGTSessionKey = 0x01 (DWORD)
+
+However, we anticipate that this will be changed to match the Server platforms
+in time for SP2 RC1.
+
+
+GSSAPI Sample Client:
+---------------------
+
+The GSS API Sample Client provided in this distribution is compatible with the
+gss-server application built on Unix/Linux systems. This client is not compatible
+with the Platform SDK/Samples/Security/SSPI/GSS/ samples which Microsoft has been
+shipping as of January 2004. Revised versions of these samples are available upon
+request to krbdev@mit.edu. Microsoft is committed to distribute revised samples
+which are compatible with the MIT distributed tools in a future SDK and via MSDN.
+
+Kerberos 4 Library Support:
+---------------------------
The krb4_32.dll that is built (but not installed) is not supported.
If you need Kerberos 4, you can use the krbv4w32.dll that MIT
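Review bot: The added MSLSA text gives the AllowTGTSessionKey = 0x01 setting without stating what it costs, even though the first added paragraph says Microsoft withholds TGT session keys "in an attempt to increase security". Suggest one sentence after the registry block saying that setting the value makes the TGT session key exportable from the Kerberos LSA again, so it should be set only on machines that need to import from the MSLSA: cache. In the same paragraph, "Ticket Getting Tickets" should read "Ticket Granting Tickets". The Windows XP SP2 Beta 1 path is described as expected to change by SP2 RC1, so that sentence will need a follow-up edit once the final location is known. The hunk also drops the "Other Issues:" heading and puts the krb4_32.dll text under "Kerberos 4 Library Support:"; check that nothing later in the README still belongs under the removed heading.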