Windows LSA cache and Kerberos delegation

Venkat Iyer (veniyer) veniyer at
Wed Oct 12 19:38:41 UTC 2016

Do you know if the problem of obtaining TGT session key on Windows from LSA credential cache is resolved (see snippet below)? Microsoft has not been able to provide any guidance on steps to make it work. These steps below haven’t helped:

  *   Turn off UAC
  *   Remove Service Account for application from local administrators group
  *   Set the registry key “allowtgtsessionkey” to true

We need delegation support through the application to underlying Kerberized systems.

This reference was very useful to troubleshoot the issues.

Known Issues

   If an AD account is also added into local administrator group on the
   client PC, Microsoft restricts such client from getting the session key
   for tickets (even if you set the allowtgtsessionkey registry key to 1).
   The workaround is: Just forget you're a logged in user, call kinit.exe.
   Do not depends on LSA credential cache.

   In a recent hotfix ([35],
   should be included in Vista SP1), this restriction is lifted for normal
   service tickets. However, it still applies to TGT. Since Java uses TGT
   to acquire tickets for other services (the standard Kerberos process),
   this update provides no benefit to JGSS programming on Windows.
   Furthermore, even if the implementation of Java is changed to read
   service tickets from the LSA cache, it still cannot perform delegation,
   since a TGT is always needed in that case.

Appreciate any help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list