4 Replies Latest reply: Aug 13, 2009 2:34 AM by 843810

    The dreaded allowtgtsessionkey

    843810
      Hi,

      I have SSO working now for a JEE application using fat clients and JBoss. I implemented client and server loginmodules for that, and it all works fine. However, all the XP clients have to set the allowtgtsessionkey parameter in the registry (http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html)

      Is there a way of implementing SSO on Windows XP clients, without having to set the allowtgtsessionkey parameter with Java? I don't think I can use GSS-API then, does anyone know?

      Thanks,
      Alex
        • 1. Re: The dreaded allowtgtsessionkey
          843810
          You could have the users authenticate locally on the Fat Client using Krb5LoginModule to generate KeyTab information. You can also do this from the command line by using kinit under the bin folder in your JRE.

          This may not be the desired result, as they will be prompted for a username/password ~once every 24hrs.
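
The approach in reply 1, sketched as an added example that is not part of the original thread: the fat client obtains its own TGT through Krb5LoginModule by prompting, so it never reads the Windows-held TGT, and then builds the first GSS-API token for the server. The class name and the `HTTP@appserver.example.com` service name are placeholders, and a working krb5.ini (or the `java.security.krb5.*` system properties) is assumed.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.*;

public class FatClientLogin { // hypothetical class name
    // Assumption: placeholder service name in service@host form; use your server's.
    static final String SERVICE = "HTTP@appserver.example.com";

    /** In-memory JAAS configuration: skip the native ticket cache and prompt instead. */
    static Configuration promptingConfig() {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "false"); // do not read the Windows-held TGT
        opts.put("doNotPrompt", "false");    // ask the user for name and password
        final AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("client", null,
            new TextCallbackHandler(), promptingConfig());
        lc.login(); // requests a fresh TGT from the KDC with the typed credentials
        byte[] token = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSName server = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
                Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
                GSSContext ctx = mgr.createContext(server, krb5, null,
                    GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                return ctx.initSecContext(new byte[0], 0, 0); // first token for the server
            }
        });
        System.out.println("GSS token bytes: " + token.length);
        lc.logout();
    }
}
```
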
          • 2. Re: The dreaded allowtgtsessionkey
            843810
            If you are receiving encryption type errors in the AppServer logs, try to set the encryption type for the appServer Machine account to DES. See Microsoft KB article 305144.
            • 3. Re: The dreaded allowtgtsessionkey
              843810
              Hi,

              Wondering the same thing as DaGoldMan originally - is there some way of implementing SSO with Java with these newer Windows versions without having to set the allowtgtsessionkey? I don't feel so comfortable with messing with clients' registries...

              I'd like to verify the logged on Windows user without him/her having to enter any usernames/passwords and the JAAS/GSS-Kerberos SSO seems otherwise a pretty good solution. If somebody has some ideas how to do this with JAAS/GSS or something else, be welcome =)

              b.r. Touko
              • 4. Re: The dreaded allowtgtsessionkey
                843810
                Hi, could someone please answer me this question:

                If I DO set this parameter in the registry, what is the effect for my security? Does it make the system more vulnerable and if yes: how and for what kind of attack?