什么可能导致 Windows 上的 Kerberos TGT 会话密钥全为零
我最近问了一个关于我在让 MIT Kerberos 与 Microsoft 的 LSA 凭证缓存良好配合时遇到的一些问题。
有人告诉我,设置注册表项 AllowTGTSessionKey 应该可以解决该问题。
然而,我仍然遇到问题,现在我挖得更深了。
运行 klist tgt(使用 Microsoft 在 \windows\system32 中提供的 klist),在所有其他输出中,它会显示以下内容:
Session Key : KeyType 0x17 - RSADSI RC4-HMAC(NT)
: KeyLength 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
So, the session key is 仍然空白,尽管这是上面提到的注册表项应该解决的问题。
那么哪些其他条件可能会导致会话密钥被清空?
我现在已经尝试过各种用户帐户(域管理员、域用户、启用或不启用 UAC),但似乎没有什么区别。
那么,有谁知道问题可能是什么?或者知道解决方案(和/或丑陋的黑客解决方法)
I recently asked a question about some problems I was having getting MIT Kerberos to work nicely with Microsoft's LSA credentials cache.
I was told that setting the registry key AllowTGTSessionKey should fix the problem.
However, I'm still having problems, and now I dug a bit deeper.
Running klist tgt (using the klist provided by Microsoft in \windows\system32), it shows, among all the other output, this:
Session Key : KeyType 0x17 - RSADSI RC4-HMAC(NT)
: KeyLength 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
So, the session key is still blanked out, even though that was the problem the registry key mentioned above was supposed to solve.
So which other conditions might lead to the session key being blanked out?
I've tried with all sorts of user accounts now (domain admins, domain users, with and without UAC enabled), and nothing seems to make a difference.
So, does anyone know what the problem might be? Or know of a solution (and/or ugly hacky workaround)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,看起来我已经有了(相当愚蠢的)答案。
有问题的注册表项 (
AllowTGTSessionKey) 仅由 Windows 在启动时读取。所以设置后....你必须重新启动!
然后你就得到一个有效的会话密钥。
Ok, looks like I have the (rather embarassingly silly) answer.
The registry key in question (
AllowTGTSessionKey) is only read by Windows at startup.So after setting it.... you have to reboot!
And then you get a valid session key.