So, we’re trying to get kfw-4.1 working in a development environment that’s using Microsoft App V to deliver applications in a virtual format.

In general things are working, but ms2mit is giving the "Initial tgt’s are not available from the MS LSA” error

I can see that “AllowTGTSessionKey” is set to ‘1’ in the virtual registry. Is that not sufficient? Any way around this?

Thanks in advance for any hints or pointers to hints.

jd MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCDMkw ggYIMIID8KADAgECAgEBMA0GCSqGSIb3DQEBBAUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNV BAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhv cml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTA1MTAxNDA3MzY1NVoX DTMzMDMyODA3MzY1NVowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93 d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10 oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5 CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ 6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+ TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60 LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4 fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCy QQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOP MVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZC dB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zBdBggrBgEFBQcB AQRRME8wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCgGCCsGAQUFBzAChhxo dHRwOi8vd3d3LkNBY2VydC5vcmcvY2EuY3J0MEoGA1UdIARDMEEwPwYIKwYBBAGBkEowMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5DQWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDANBgkqhkiG9w0B AQQFAAOCAgEAfwiIodoaUEnaifuhCHLzivcexDq0eVsgMLFF3sJd02Vp8cJdVFQ8hV+5e0KRwpn9 G1Gbq0aloRBTnm2IrHNuLDOm8PSe4HXBPohFqeFmQ/5WWtF6QXj3QNpKOvELW6W7FgbmwueTuYVN l0+xHjhDgO+bDYzvuKdgAIdXfR5EHMsj75s8mZ2vtSkcRXkWlk0nbfEcbMPCVWSzvBTi86QfHjL8 JxUFz90urj6CYXvwIRAY9kTqUzn53NCaIODGu+C7Wk/EmcgHvbW9otsuYg1CNEG8/4uK9VEiqogw AOKw1Ly+ZbrVA1d5m+jcyE34UO2RpVIooqz7Nlg+6ZQrkVCHG9Ze1ozM9w8QDFJO0BZh5eUKbL8X x3JGV5yY9WxgY3pvXrlOL8i5ubtqhbyYDe35PpeENJSuAK+h5eeSbk698+LZFItc0usBbKAXpS0Q 65x6Sr297s797SJAq3A4iPUKh2rCqwVgyUgF2lPB3kR3arPzPDztgLymOEopJF/+WTubJXpWYwBk uV2kYn1XNk+tg+8fklOgjndX3eVhET0jAJBMPPqjYJMEo6819g5qj09KYKeFBWxGoY/0x3bjoVlX 93GyxG4UXG1tQWbfG5Ox1ADD7svPPD0hgKlfY2X83eBfpPQr8IVxQdRnJfsasZeu1pmCE0HSbqUb mSeA5wupqAAwgga5MIIEoaADAgECAgMC4EIwDQYJKoZIhvcNAQELBQAwVDEUMBIGA1UEChMLQ0Fj ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0 IENsYXNzIDMgUm9vdDAeFw0yMDAyMjIxMzUyMzdaFw0yMjAyMjExMzUyMzdaMIIBEzEeMBwGA1UE AxMVSm9obiBEZXZpdG9mcmFuY2VzY2hpMR8wHQYJKoZIhvcNAQkBFhBqZHZmQGhvdG1haWwuY29t MR8wHQYJKoZIhvcNAQkBFhBmb29ub25AZ21haWwuY29tMSAwHgYJKoZIhvcNAQkBFhFmb29ub25A aWNsb3VkLmNvbTEwMC4GCSqGSIb3DQEJARYham9obi5kZXZpdG9mcmFuY2VzY2hpQG91dGxvb2su Y29tMS4wLAYJKoZIhvcNAQkBFh9qb2huLmRldml0b2ZyYW5jZXNjaGlAZ21haWwuY29tMSswKQYJ KoZIhvcNAQkBFhxqZGV2aXRvZnJhbmNlc2NoaUBpY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAzpN0oN/ZobcHyH7SxKKZvySYr674JJxZeVxLjACL8QQxz+/rJFZha5L9 VtfmPLqBw3YYJLeP50O9HanH3DL9VI8wkLRM9/SaFVjgMLC5HxSyeOifecApsHN6B1fskScJMSjJ 9MvbVqm5MXraEmXEA/nhjcNkuSg9qBJdmHaEK7gqmUxTXNEmELP2UN3/ubr031GuwyS8v3jeb+Ce TzsghPQFTpX5Zl66FqZtlCDQ4N394OiF65oakhTGuNpRSfuYaV4QVnekSOwd7ZI0gPUqQPszzeHG 9aJjyIlKkjOy9IW/tvU0YAtE79Ie7UZoV8AP7Q1FStT7fcIEvtfTfw26mQIDAQABo4IB0TCCAc0w DAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRl IGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8vd3d3LkNBY2VydC5vcmcwDgYDVR0PAQH/BAQD AgOoMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGCNwoDBAYKKwYBBAGCNwoD AwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2Fj ZXJ0Lm9yZzA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJl dm9rZS5jcmwwgaQGA1UdEQSBnDCBmYEQamR2ZkBob3RtYWlsLmNvbYEQZm9vbm9uQGdtYWlsLmNv bYERZm9vbm9uQGljbG91ZC5jb22BIWpvaG4uZGV2aXRvZnJhbmNlc2NoaUBvdXRsb29rLmNvbYEf am9obi5kZXZpdG9mcmFuY2VzY2hpQGdtYWlsLmNvbYEcamRldml0b2ZyYW5jZXNjaGlAaWNsb3Vk LmNvbTANBgkqhkiG9w0BAQsFAAOCAgEABrWEAb/rVjLz9d+o9P1CC0qIDXvyu6x6wcmsBfLx5FXA XdblzLTtVrzyNhx9wGhd8LIP+rFPuSG+rbkvgkxLxEEAlnPSFiXqgXj+JDyHNuripIzJzTB2ebND Wy4bvLC9ox+MySok5JQ9tuEBxIzZftiFzXy6N4DQTY/DWKAnocMW78h71TXfr4PcRgCfVqXXw5KN cJldgK1jyOpB986FfXGsC1Q7HldwixPiGCTpMVjS8SwyO2OAoWzwMd4FYu2dWVaO6oqbUXQSIJev 361+BiNn93f6Lyvj3MtJznM3MdbJi+JyOuz8avCSZHi7ZxTH/E5EQ6QbxObrJJo9BkiLq3Rllo+L mSOR5jNl2PSPRn9KjhW0O1Q1hQx/9uoWRdnUGWjUbylGwX/cVpg4c7xFAVhKp7/nypCIt6EQm6Yo Zb7SEv5ht2gAMStvMj8ovxbkGfm6gUKMSGCyX26xtGtdyYWqTYwwQEU8IRT9AMyGS1SYrhX+0vqM kI7YXd108KaIP9GCj/V7vBtOjgV2/fY1hVndVrHJgvwH8U522q5T6h1VQYl0LiJ6pVZt7j4f1+BD 1MxTrdUWiHpSTpQBsT0SdI0XWiIqMmRSBuZx9FDnVQ44yFgEBYC8NU4GAwRWKo0bp2+wni+n3YIy jw7i9BY60gAaJ4stfR5Y4Z6Fj8zcM+cxggLNMIICyQIBATBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBglghkgBZQMEAgEFAKCCAUMwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMjEwOTE3MjExNDE1WjAvBgkqhkiG9w0BCQQxIgQg5nVJrzEmpsuE U3huOvXa1ZycLahCG7wOAXKWieGxevUwagYJKwYBBAGCNxAEMV0wWzBUMRQwEgYDVQQKEwtDQWNl cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQDExNDQWNlcnQg Q2xhc3MgMyBSb290AgMC4EIwbAYLKoZIhvcNAQkQAgsxXaBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBgkqhkiG9w0BAQsFAASCAQAFw4Os65c/Xe57YYbgQFBPCtvFVhPtx1nu dFqw3SriObNE1f1aPkTuYnEGWCdrRGMJNI2WuYcTBmDWeKI822dGc6Z9+rk1aPwObLzM2aArJMF2 DNBDeZcgnCFYOPslmsz0LtsSqVfIy080LQ1sjD4SfU3HfyU+VIOC/deiOLO42XPXOeLXom5Yu/sS L6gIoPalhaqObPNmGQDIJqWX9eiS2XtcIf5Tun98DoYmrp9xSyeXdByU0CMJkN1okazMvn4o9uCK Ku+5ihD31IRmorLNzD4HvTQ9VNhY+K3+RJq+T0QlrWya/hUYUO98LlGkAJtuT/t1Q/zIU+PSIzx3 8PgOAAAAAAAA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

To: kerberos@mit.edu

On 9/17/21 5:14 PM, John Devitofranceschi wrote:

I can see that “AllowTGTSessionKey” is set to ‘1’ in the virtual registry. Is that not sufficient? Any way around this?

The current documentation of AllowTgtSessionKey says: "With active
Credential Guard in Windows 10 and later versions of Windows, you cannot
enable sharing the TGT session keys with applications anymore." That's
from: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys

There's more on Credential Guard at: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sep 18, 2021, at 12:50 AM, Greg Hudson <ghudson@MIT.EDU> wrote:

On 9/17/21 5:14 PM, John Devitofranceschi wrote:

I can see that “AllowTGTSessionKey” is set to ‘1’ in the virtual registry. Is that not sufficient? Any way around this?

The current documentation of AllowTgtSessionKey says: "With active
Credential Guard in Windows 10 and later versions of Windows, you cannot enable sharing the TGT session keys with applications anymore."

I’ve read that too, but Credential Guard is not running, according to the “System Information” panel on our test host.



MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCDMkw ggYIMIID8KADAgECAgEBMA0GCSqGSIb3DQEBBAUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNV BAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhv cml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTA1MTAxNDA3MzY1NVoX DTMzMDMyODA3MzY1NVowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93 d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10 oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5 CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ 6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+ TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60 LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4 fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCy QQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOP MVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZC dB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zBdBggrBgEFBQcB AQRRME8wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCgGCCsGAQUFBzAChhxo dHRwOi8vd3d3LkNBY2VydC5vcmcvY2EuY3J0MEoGA1UdIARDMEEwPwYIKwYBBAGBkEowMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5DQWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDANBgkqhkiG9w0B AQQFAAOCAgEAfwiIodoaUEnaifuhCHLzivcexDq0eVsgMLFF3sJd02Vp8cJdVFQ8hV+5e0KRwpn9 G1Gbq0aloRBTnm2IrHNuLDOm8PSe4HXBPohFqeFmQ/5WWtF6QXj3QNpKOvELW6W7FgbmwueTuYVN l0+xHjhDgO+bDYzvuKdgAIdXfR5EHMsj75s8mZ2vtSkcRXkWlk0nbfEcbMPCVWSzvBTi86QfHjL8 JxUFz90urj6CYXvwIRAY9kTqUzn53NCaIODGu+C7Wk/EmcgHvbW9otsuYg1CNEG8/4uK9VEiqogw AOKw1Ly+ZbrVA1d5m+jcyE34UO2RpVIooqz7Nlg+6ZQrkVCHG9Ze1ozM9w8QDFJO0BZh5eUKbL8X x3JGV5yY9WxgY3pvXrlOL8i5ubtqhbyYDe35PpeENJSuAK+h5eeSbk698+LZFItc0usBbKAXpS0Q 65x6Sr297s797SJAq3A4iPUKh2rCqwVgyUgF2lPB3kR3arPzPDztgLymOEopJF/+WTubJXpWYwBk uV2kYn1XNk+tg+8fklOgjndX3eVhET0jAJBMPPqjYJMEo6819g5qj09KYKeFBWxGoY/0x3bjoVlX 93GyxG4UXG1tQWbfG5Ox1ADD7svPPD0hgKlfY2X83eBfpPQr8IVxQdRnJfsasZeu1pmCE0HSbqUb mSeA5wupqAAwgga5MIIEoaADAgECAgMC4EIwDQYJKoZIhvcNAQELBQAwVDEUMBIGA1UEChMLQ0Fj ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0 IENsYXNzIDMgUm9vdDAeFw0yMDAyMjIxMzUyMzdaFw0yMjAyMjExMzUyMzdaMIIBEzEeMBwGA1UE AxMVSm9obiBEZXZpdG9mcmFuY2VzY2hpMR8wHQYJKoZIhvcNAQkBFhBqZHZmQGhvdG1haWwuY29t MR8wHQYJKoZIhvcNAQkBFhBmb29ub25AZ21haWwuY29tMSAwHgYJKoZIhvcNAQkBFhFmb29ub25A aWNsb3VkLmNvbTEwMC4GCSqGSIb3DQEJARYham9obi5kZXZpdG9mcmFuY2VzY2hpQG91dGxvb2su Y29tMS4wLAYJKoZIhvcNAQkBFh9qb2huLmRldml0b2ZyYW5jZXNjaGlAZ21haWwuY29tMSswKQYJ KoZIhvcNAQkBFhxqZGV2aXRvZnJhbmNlc2NoaUBpY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAzpN0oN/ZobcHyH7SxKKZvySYr674JJxZeVxLjACL8QQxz+/rJFZha5L9 VtfmPLqBw3YYJLeP50O9HanH3DL9VI8wkLRM9/SaFVjgMLC5HxSyeOifecApsHN6B1fskScJMSjJ 9MvbVqm5MXraEmXEA/nhjcNkuSg9qBJdmHaEK7gqmUxTXNEmELP2UN3/ubr031GuwyS8v3jeb+Ce TzsghPQFTpX5Zl66FqZtlCDQ4N394OiF65oakhTGuNpRSfuYaV4QVnekSOwd7ZI0gPUqQPszzeHG 9aJjyIlKkjOy9IW/tvU0YAtE79Ie7UZoV8AP7Q1FStT7fcIEvtfTfw26mQIDAQABo4IB0TCCAc0w DAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRl IGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8vd3d3LkNBY2VydC5vcmcwDgYDVR0PAQH/BAQD AgOoMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGCNwoDBAYKKwYBBAGCNwoD AwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2Fj ZXJ0Lm9yZzA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJl dm9rZS5jcmwwgaQGA1UdEQSBnDCBmYEQamR2ZkBob3RtYWlsLmNvbYEQZm9vbm9uQGdtYWlsLmNv bYERZm9vbm9uQGljbG91ZC5jb22BIWpvaG4uZGV2aXRvZnJhbmNlc2NoaUBvdXRsb29rLmNvbYEf am9obi5kZXZpdG9mcmFuY2VzY2hpQGdtYWlsLmNvbYEcamRldml0b2ZyYW5jZXNjaGlAaWNsb3Vk LmNvbTANBgkqhkiG9w0BAQsFAAOCAgEABrWEAb/rVjLz9d+o9P1CC0qIDXvyu6x6wcmsBfLx5FXA XdblzLTtVrzyNhx9wGhd8LIP+rFPuSG+rbkvgkxLxEEAlnPSFiXqgXj+JDyHNuripIzJzTB2ebND Wy4bvLC9ox+MySok5JQ9tuEBxIzZftiFzXy6N4DQTY/DWKAnocMW78h71TXfr4PcRgCfVqXXw5KN cJldgK1jyOpB986FfXGsC1Q7HldwixPiGCTpMVjS8SwyO2OAoWzwMd4FYu2dWVaO6oqbUXQSIJev 361+BiNn93f6Lyvj3MtJznM3MdbJi+JyOuz8avCSZHi7ZxTH/E5EQ6QbxObrJJo9BkiLq3Rllo+L mSOR5jNl2PSPRn9KjhW0O1Q1hQx/9uoWRdnUGWjUbylGwX/cVpg4c7xFAVhKp7/nypCIt6EQm6Yo Zb7SEv5ht2gAMStvMj8ovxbkGfm6gUKMSGCyX26xtGtdyYWqTYwwQEU8IRT9AMyGS1SYrhX+0vqM kI7YXd108KaIP9GCj/V7vBtOjgV2/fY1hVndVrHJgvwH8U522q5T6h1VQYl0LiJ6pVZt7j4f1+BD 1MxTrdUWiHpSTpQBsT0SdI0XWiIqMmRSBuZx9FDnVQ44yFgEBYC8NU4GAwRWKo0bp2+wni+n3YIy jw7i9BY60gAaJ4stfR5Y4Z6Fj8zcM+cxggLNMIICyQIBATBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBglghkgBZQMEAgEFAKCCAUMwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMjEwOTE4MTIyMTU2WjAvBgkqhkiG9w0BCQQxIgQg4DrA1B4Vs66k RIsbVC5LtSxfq6SWhKJJ0pfrTl0ECNowagYJKwYBBAGCNxAEMV0wWzBUMRQwEgYDVQQKEwtDQWNl cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQDExNDQWNlcnQg Q2xhc3MgMyBSb290AgMC4EIwbAYLKoZIhvcNAQkQAgsxXaBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBgkqhkiG9w0BAQsFAASCAQBAFpLovjsqQyN4qkbsCyIaggLo3oP2b/s4 VE+IyjpfLKciJ2K5U8qBLVWthryyVOCar1Y7jlMyjHVSY9tpzpqQ7Ml+x9hUREZbfPnqpgo7qLUn dI8bzpktfe6jVnibZ9nV8aiKbhdKmgCXhc2yWKIO0pnN/i2INrioCekJBCoiu/FHNQHpCu9McclG P3qD3w3k0DtgN7YZVm3whdiq+CBiXuLEvRzoz+lLhsZUKAhw7H0J8GlgAHaNF3OB1uGeTgOuuwg1 JGY18LFpxByAV5n+uFFJOL+xMrlrictT2m/M/h9kbERbIixI2OCa9iC2n89NyB4wmjhQ06p7B0tt rdAAAAAAAAAA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sep 18, 2021, at 8:21 AM, John Devitofranceschi <foonon@gmail.com> wrote:

On Sep 18, 2021, at 12:50 AM, Greg Hudson <ghudson@MIT.EDU> wrote:

On 9/17/21 5:14 PM, John Devitofranceschi wrote:

I can see that “AllowTGTSessionKey” is set to ‘1’ in the virtual registry. Is that not sufficient? Any way around this?

The current documentation of AllowTgtSessionKey says: "With active
Credential Guard in Windows 10 and later versions of Windows, you cannot
enable sharing the TGT session keys with applications anymore."

I’ve read that too, but Credential Guard is not running, according to the “System Information” panel on our test host.

It turns out that it works just fine if you set allowtgtsessionkey in the system registry. It is not sufficient to simply set it in the virtual registry.


jd
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCDMkw ggYIMIID8KADAgECAgEBMA0GCSqGSIb3DQEBBAUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNV BAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhv cml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTA1MTAxNDA3MzY1NVoX DTMzMDMyODA3MzY1NVowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93 d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10 oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5 CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ 6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+ TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60 LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4 fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCy QQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOP MVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZC dB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgb8wgbwwDwYDVR0TAQH/BAUwAwEB/zBdBggrBgEFBQcB AQRRME8wIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCgGCCsGAQUFBzAChhxo dHRwOi8vd3d3LkNBY2VydC5vcmcvY2EuY3J0MEoGA1UdIARDMEEwPwYIKwYBBAGBkEowMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5DQWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDANBgkqhkiG9w0B AQQFAAOCAgEAfwiIodoaUEnaifuhCHLzivcexDq0eVsgMLFF3sJd02Vp8cJdVFQ8hV+5e0KRwpn9 G1Gbq0aloRBTnm2IrHNuLDOm8PSe4HXBPohFqeFmQ/5WWtF6QXj3QNpKOvELW6W7FgbmwueTuYVN l0+xHjhDgO+bDYzvuKdgAIdXfR5EHMsj75s8mZ2vtSkcRXkWlk0nbfEcbMPCVWSzvBTi86QfHjL8 JxUFz90urj6CYXvwIRAY9kTqUzn53NCaIODGu+C7Wk/EmcgHvbW9otsuYg1CNEG8/4uK9VEiqogw AOKw1Ly+ZbrVA1d5m+jcyE34UO2RpVIooqz7Nlg+6ZQrkVCHG9Ze1ozM9w8QDFJO0BZh5eUKbL8X x3JGV5yY9WxgY3pvXrlOL8i5ubtqhbyYDe35PpeENJSuAK+h5eeSbk698+LZFItc0usBbKAXpS0Q 65x6Sr297s797SJAq3A4iPUKh2rCqwVgyUgF2lPB3kR3arPzPDztgLymOEopJF/+WTubJXpWYwBk uV2kYn1XNk+tg+8fklOgjndX3eVhET0jAJBMPPqjYJMEo6819g5qj09KYKeFBWxGoY/0x3bjoVlX 93GyxG4UXG1tQWbfG5Ox1ADD7svPPD0hgKlfY2X83eBfpPQr8IVxQdRnJfsasZeu1pmCE0HSbqUb mSeA5wupqAAwgga5MIIEoaADAgECAgMC4EIwDQYJKoZIhvcNAQELBQAwVDEUMBIGA1UEChMLQ0Fj ZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0 IENsYXNzIDMgUm9vdDAeFw0yMDAyMjIxMzUyMzdaFw0yMjAyMjExMzUyMzdaMIIBEzEeMBwGA1UE AxMVSm9obiBEZXZpdG9mcmFuY2VzY2hpMR8wHQYJKoZIhvcNAQkBFhBqZHZmQGhvdG1haWwuY29t MR8wHQYJKoZIhvcNAQkBFhBmb29ub25AZ21haWwuY29tMSAwHgYJKoZIhvcNAQkBFhFmb29ub25A aWNsb3VkLmNvbTEwMC4GCSqGSIb3DQEJARYham9obi5kZXZpdG9mcmFuY2VzY2hpQG91dGxvb2su Y29tMS4wLAYJKoZIhvcNAQkBFh9qb2huLmRldml0b2ZyYW5jZXNjaGlAZ21haWwuY29tMSswKQYJ KoZIhvcNAQkBFhxqZGV2aXRvZnJhbmNlc2NoaUBpY2xvdWQuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAzpN0oN/ZobcHyH7SxKKZvySYr674JJxZeVxLjACL8QQxz+/rJFZha5L9 VtfmPLqBw3YYJLeP50O9HanH3DL9VI8wkLRM9/SaFVjgMLC5HxSyeOifecApsHN6B1fskScJMSjJ 9MvbVqm5MXraEmXEA/nhjcNkuSg9qBJdmHaEK7gqmUxTXNEmELP2UN3/ubr031GuwyS8v3jeb+Ce TzsghPQFTpX5Zl66FqZtlCDQ4N394OiF65oakhTGuNpRSfuYaV4QVnekSOwd7ZI0gPUqQPszzeHG 9aJjyIlKkjOy9IW/tvU0YAtE79Ie7UZoV8AP7Q1FStT7fcIEvtfTfw26mQIDAQABo4IB0TCCAc0w DAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRl IGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8vd3d3LkNBY2VydC5vcmcwDgYDVR0PAQH/BAQD AgOoMEAGA1UdJQQ5MDcGCCsGAQUFBwMEBggrBgEFBQcDAgYKKwYBBAGCNwoDBAYKKwYBBAGCNwoD AwYJYIZIAYb4QgQBMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2Fj ZXJ0Lm9yZzA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJl dm9rZS5jcmwwgaQGA1UdEQSBnDCBmYEQamR2ZkBob3RtYWlsLmNvbYEQZm9vbm9uQGdtYWlsLmNv bYERZm9vbm9uQGljbG91ZC5jb22BIWpvaG4uZGV2aXRvZnJhbmNlc2NoaUBvdXRsb29rLmNvbYEf am9obi5kZXZpdG9mcmFuY2VzY2hpQGdtYWlsLmNvbYEcamRldml0b2ZyYW5jZXNjaGlAaWNsb3Vk LmNvbTANBgkqhkiG9w0BAQsFAAOCAgEABrWEAb/rVjLz9d+o9P1CC0qIDXvyu6x6wcmsBfLx5FXA XdblzLTtVrzyNhx9wGhd8LIP+rFPuSG+rbkvgkxLxEEAlnPSFiXqgXj+JDyHNuripIzJzTB2ebND Wy4bvLC9ox+MySok5JQ9tuEBxIzZftiFzXy6N4DQTY/DWKAnocMW78h71TXfr4PcRgCfVqXXw5KN cJldgK1jyOpB986FfXGsC1Q7HldwixPiGCTpMVjS8SwyO2OAoWzwMd4FYu2dWVaO6oqbUXQSIJev 361+BiNn93f6Lyvj3MtJznM3MdbJi+JyOuz8avCSZHi7ZxTH/E5EQ6QbxObrJJo9BkiLq3Rllo+L mSOR5jNl2PSPRn9KjhW0O1Q1hQx/9uoWRdnUGWjUbylGwX/cVpg4c7xFAVhKp7/nypCIt6EQm6Yo Zb7SEv5ht2gAMStvMj8ovxbkGfm6gUKMSGCyX26xtGtdyYWqTYwwQEU8IRT9AMyGS1SYrhX+0vqM kI7YXd108KaIP9GCj/V7vBtOjgV2/fY1hVndVrHJgvwH8U522q5T6h1VQYl0LiJ6pVZt7j4f1+BD 1MxTrdUWiHpSTpQBsT0SdI0XWiIqMmRSBuZx9FDnVQ44yFgEBYC8NU4GAwRWKo0bp2+wni+n3YIy jw7i9BY60gAaJ4stfR5Y4Z6Fj8zcM+cxggLNMIICyQIBATBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBglghkgBZQMEAgEFAKCCAUMwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH ATAcBgkqhkiG9w0BCQUxDxcNMjEwOTIyMTc0MDQyWjAvBgkqhkiG9w0BCQQxIgQg76W9EEhg570S kBOuP7BoA37z7a+xepmwndWjVRI7ek8wagYJKwYBBAGCNxAEMV0wWzBUMRQwEgYDVQQKEwtDQWNl cnQgSW5jLjEeMBwGA1UECxMVaHR0cDovL3d3dy5DQWNlcnQub3JnMRwwGgYDVQQDExNDQWNlcnQg Q2xhc3MgMyBSb290AgMC4EIwbAYLKoZIhvcNAQkQAgsxXaBbMFQxFDASBgNVBAoTC0NBY2VydCBJ bmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNVBAMTE0NBY2VydCBDbGFz cyAzIFJvb3QCAwLgQjANBgkqhkiG9w0BAQsFAASCAQCCUVGDsuZ/mTQMcuxBtkmz9jZwH5KJwgVW eG+kZilJLOIHQ45oeqF+JGNG2tQhzuwJhamo4CKP2oOWKa9J/wdTjhSg9MWrOigigd721VzT7LsV v3rgklvczGJR+oY5cl8EP0n3flhsRHBDw3qrDARL2jW7x2T2VtoKqyJs2fhHlAEC4fHZL/j12Y+z Gpl4JbUHxnFluggL2omgACF8I0sa2ZPFLzMPCDQoXu9/RzuifP4mB6QpKtggFvxXeEqm83P1Fz02 GxmB7fAVjBLMIejSZLFjZBP5A3LMMaBev4jLeyJ7JvBA8g80Rnq5m6VfW6xxeP+9tTCAH4h0gPyG pBtdAAAAAAAA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)