allowtgtsessionkey Registry Key

There is a registry value called “allowtgtsessionkey” that must be set before any Kerberos operation that needs the session key of the cached Ticket Granting Ticket can succeed. By default this value is absent, and the session key is therefore not exposed, on Windows XP, Windows 2000 Server and Windows 2003 Server.

The session key of a Kerberos Ticket Granting Ticket (TGT) is, in effect, the password for the TGT: it is the key shared between the client and the KDC, and the KDC replies that carry the service tickets obtained with the TGT are encrypted under it. Without the session key a copy of the TGT is useless. In an effort to tighten security, Microsoft stopped handing the TGT session key out of the LSA credential cache in these versions of Windows. It is a simple matter to turn this back on by setting a registry value called “allowtgtsessionkey”. Be aware of what that implies: once the value is set, any code running in a logged-on user's session can retrieve that user's TGT together with its session key, which is everything needed to reuse the TGT elsewhere. You will save yourself a lot of trouble if you observe one of the following practices:

  1. When you configure a new machine for the first time, set the “allowtgtsessionkey” value by hand.
  2. Include startup code in your software that sets the “allowtgtsessionkey” value every time the software starts. The value lives under HKEY_LOCAL_MACHINE, so this code must run with administrative rights.

The key resides in different locations in the Registry for Windows XP than it does in Windows 2000 and 2003 Server.

Windows XP

Under the Kerberos key, add a new REG_DWORD value called “allowtgtsessionkey” and assign it a value of 1.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
REG_DWORD name: allowtgtsessionkey
Value: 1

Windows 2000 and 2003 Server

Under the Parameters key, add a new REG_DWORD value called “allowtgtsessionkey” and assign it a value of 1.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
REG_DWORD name: allowtgtsessionkey
Value: 1
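The following PowerShell script is an added example, not part of the original page or of any particular product's code. It carries out both practices listed above: it picks the registry location from the Windows version (Windows XP reports version 5.1; Windows 2000 and Windows 2003 Server report 5.0 and 5.2, and are sent to the Parameters key), creates the key if it does not exist yet, writes the REG_DWORD, and reads it back to confirm the write took effect. It assumes it is run from an elevated prompt, since HKEY_LOCAL_MACHINE is only writable by administrators, and it covers only the three systems this page documents.

```powershell
# Added example (not from the original page): set allowtgtsessionkey = 1 in the
# location that matches the running Windows version, then verify it.
# Assumes an elevated (administrative) PowerShell session.

$os = [Environment]::OSVersion.Version

# Windows XP is 5.1 and keeps the value directly under the Kerberos key;
# Windows 2000 (5.0) and Windows 2003 Server (5.2) use the Parameters subkey.
if ($os.Major -eq 5 -and $os.Minor -eq 1) {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
} else {
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
}

# The Parameters subkey is not always present; create it when missing.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_DWORD allowtgtsessionkey = 1 (-Force overwrites an existing value).
New-ItemProperty -Path $keyPath -Name 'allowtgtsessionkey' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Read the value back so a failed write (for example, a non-elevated shell
# that got past the permission check) is noticed immediately.
$value = (Get-ItemProperty -Path $keyPath -Name 'allowtgtsessionkey').allowtgtsessionkey
if ($value -ne 1) {
    throw "allowtgtsessionkey is '$value' at $keyPath, expected 1"
}
Write-Output "allowtgtsessionkey = $value at $keyPath"
```

If you prefer the startup-code approach from practice 2, run this script (or its equivalent) before your software touches the LSA ticket cache, and treat a thrown error as a configuration failure rather than continuing without the session key.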