What can cause a Kerberos TGT session key on Windows to be all zeros

Tags:

kerberos

lsa

I recently asked a question about some problems I was having getting MIT Kerberos to work nicely with Microsoft's LSA credentials cache.

I was told that setting the registry key AllowTGTSessionKey should fix the problem.

However, I'm still having problems, and now I dug a bit deeper.

Running klist tgt (using the klist provided by Microsoft in \windows\system32), it shows, among all the other output, this:

Session Key        : KeyType 0x17 - RSADSI RC4-HMAC(NT)
                   : KeyLength 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

So, the session key is still blanked out, even though that was the problem the registry key mentioned above was supposed to solve.

So which other conditions might lead to the session key being blanked out?

I've tried with all sorts of user accounts now (domain admins, domain users, with and without UAC enabled), and nothing seems to make a difference.

So, does anyone know what the problem might be? Or know of a solution (and/or ugly hacky workaround)?

jalf asked Jan 17 '12 15:01


1 Answer

Ok, looks like I have the (rather embarrassingly silly) answer.

The registry key in question (AllowTGTSessionKey) is only read by Windows at startup.

So after setting it.... you have to reboot!

And then you get a valid session key.

jalf answered Sep 25 '22 07:09
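Putting the question and the answer together as one script (an added example, not code from the poster): it reads and, if needed, sets the AllowTgtSessionKey value, parses the Session Key block of `klist tgt` output like the one shown in the question to tell an exported key from the all-zero placeholder, and reminds you that LSA only reads the value at startup, so a reboot is required after setting it. The registry path is the one Microsoft documents for Windows Vista / Server 2008 and later (XP/2003 used the parent Kerberos key without \Parameters); the function names and the sample klist text are mine.

```powershell
# Added example, not from the original question or answer.
# Assumed: value location as documented by Microsoft for Vista / Server 2008 and later.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'AllowTgtSessionKey'   # REG_DWORD; 1 = LSA exports the TGT session key

function Get-AllowTgtSessionKey {
    # Returns the current DWORD, or $null if the value has never been created.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-AllowTgtSessionKey {
    # Writes the value. HKLM needs an elevated shell; LSA reads the value at boot only.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell to write under HKLM.'
    }
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function ConvertFrom-KlistTgt {
    # Parses the 'Session Key' block of Microsoft's 'klist tgt' output and reports whether
    # the key bytes are all zero (LSA withheld the key) or real key material was exported.
    param([Parameter(Mandatory)][string]$Text)
    $type = [regex]::Match($Text, 'KeyType\s+(0x[0-9A-Fa-f]+)')
    # [ \t]* rather than \s* so the byte run cannot spill onto the next output line.
    $key  = [regex]::Match($Text, 'KeyLength\s+(\d+)\s+-\s+((?:[0-9A-Fa-f]{2}[ \t]*)+)')
    if (-not $key.Success) { return $null }
    $bytes = $key.Groups[2].Value.Trim() -split '\s+'
    [pscustomobject]@{
        KeyType   = if ($type.Success) { $type.Groups[1].Value } else { $null }
        KeyLength = [int]$key.Groups[1].Value
        Bytes     = $bytes
        AllZero   = (@($bytes | Where-Object { $_ -ne '00' }).Count -eq 0)
    }
}

function Test-TgtSessionKey {
    # Runs klist.exe in the *current* logon session. An elevated (UAC) prompt has its own
    # logon session and ticket cache, so run this where your Kerberos application runs.
    $out = (& "$env:SystemRoot\System32\klist.exe" tgt 2>&1) -join "`n"
    $parsed = ConvertFrom-KlistTgt -Text $out
    if ($null -eq $parsed) { throw "No session key found in klist output:`n$out" }
    return $parsed
}

# Constructed sample (the lines from the question) to exercise the parser offline.
$sample = @'
Session Key        : KeyType 0x17 - RSADSI RC4-HMAC(NT)
                   : KeyLength 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
'@
$parsed = ConvertFrom-KlistTgt -Text $sample
"Sample: KeyType=$($parsed.KeyType) KeyLength=$($parsed.KeyLength) AllZero=$($parsed.AllZero)"

$current = Get-AllowTgtSessionKey
if ($current -ne 1) {
    "$ValueName is '$current'; setting it to 1. LSA reads it at startup, so reboot afterwards."
    Set-AllowTgtSessionKey
} else {
    $live = Test-TgtSessionKey
    if ($live.AllZero) {
        "$ValueName is already 1 but the TGT session key is still all zeros: reboot if you " +
        "have not since setting it, and check that klist and your application share a logon session."
    } else {
        "TGT session key exported: $($live.KeyLength) bytes, first byte 0x$($live.Bytes[0])"
    }
}
```

Run it once before the reboot (it should set the value and tell you to restart) and once after, in the same kind of prompt your Kerberos client runs from; if the second run still reports all zeros, the UAC split between elevated and non-elevated logon sessions is the next thing to rule out.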