On 9/17/19 8:31 AM, John Devitofranceschi wrote:
> What are the risks of using ms2mit to create an API: ccache?  What are the 
> risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?

My best understanding is that, for a user account with administrator
privileges, a process with access to a TGT can escalate privilege
without a UAC prompt.  This risk would apply regardless of whether the
TGT is obtained from the native LSA ccache or if it was stored in an API
or FILE ccache.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
