There is a registry key called “allowtgtsessionkey” that must be set in order for many Kerberos operations to succeed. By default, this key is not set in newer versions of Windows (Windows XP, Windows 2000 Server, Windows 2003 Server).
The session key of a Kerberos Ticket Granting Ticket (TGT) is essentially the password for the TGT – it allows any service tickets created using the TGT to be decrypted. In an effort to tighten up security, Microsoft turned off the automatic caching of the TGT session key in newer versions of Windows. However, it is a simple matter to turn session key caching back on by setting a Registry key called “allowtgtsessionkey”. You will save yourself a lot of trouble if you observe one of the following practices:
- When configuring a new machine for the first time, manually set the “allowtgtsessionkey” key.
- Include startup code in your software that sets the “allowtgtsessionkey” key every time your software starts up.
The key resides in different locations in the Registry for Windows XP than it does in Windows 2000 and 2003 Server.
Windows XP
To the Kerberos key, add a new DWORD_VALUE called “allowtgtsessionkey”, and assign it a value of 1.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
REG_DWORD name: allowtgtsessionkey
Value: 1
Windows 2000 and 2003 Server
To the Parameters key, add a new DWORD_VALUE called “allowtgtsessionkey”, and assign it a value of 1.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
REG_DWORD name: allowtgtsessionkey
Value: 1
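The startup check from the second practice above, written as an added PowerShell example (not code from the original page): it reports the state of the value at both locations, so a value created under the wrong key or with the wrong type is visible, and it can set the value. The function names are hypothetical, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# The paths and the value name are the ones given on this page.
$ValueName = 'allowtgtsessionkey'
$Locations = @(
    @{ Platform = 'Windows XP'
       Path     = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos' },
    @{ Platform = 'Windows 2000 and 2003 Server'
       Path     = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters' }
)

function Get-AllowTgtSessionKeyState {
    foreach ($loc in $Locations) {
        $key  = Get-Item -LiteralPath $loc.Path -ErrorAction SilentlyContinue
        $data = if ($key) { $key.GetValue($ValueName, $null) } else { $null }
        $kind = if ($null -ne $data) { $key.GetValueKind($ValueName) } else { $null }
        New-Object PSObject -Property @{
            Platform  = $loc.Platform
            Path      = $loc.Path
            KeyExists = [bool]$key
            Kind      = $kind
            Data      = $data
            # Only a REG_DWORD with data 1 counts; a REG_SZ "1" does not.
            Enabled   = ($kind -eq 'DWord' -and $data -eq 1)
        }
    }
}

function Set-AllowTgtSessionKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    # If the key itself is absent, create it before adding the value.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$Path\$ValueName", 'Set REG_DWORD = 1')) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $Path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report first; writing under HKLM requires an elevated (administrator) session.
Get-AllowTgtSessionKeyState |
    Select-Object Platform, KeyExists, Kind, Data, Enabled | Format-Table -AutoSize
# Preview the change for the location that matches this machine's OS:
# Set-AllowTgtSessionKey -Path $Locations[1].Path -WhatIf
```

Because the value exposes the TGT session key, the same report is useful as an inventory check of which machines have it enabled.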
