This article contains information about how to modify the
RequireAsChecksum registry entry. This registry entry helps provide additional protection after you
install Microsoft security update 899587. This security update is documented in Security Bulletin MS05-042.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
MS05-042: Vulnerabilities in Kerberos could allow denial of service, information disclosure, and spoofing
Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These problems
might require that you reinstall your operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own
Security update 899587 contains some
security-related changes to functionality. Security Bulletin MS05-042 addresses the externally
reported security vulnerabilities. However, in addition to the changes that are
listed in each "Vulnerability Details" section of Security Bulletin MS05-042, security update 899587 includes another change in
functionality. An optional, but recommended,
registry entry (RequireAsChecksum) has been added to help provide additional
protection for potential future PKINIT-related vulnerabilities. The
RequireAsChecksum registry entry is located under the following registry subkeys:
Possible values for the
RequireAsChecksum registry entry are as follows:
- RequireAsChecksum = 1 or any other non-zero value
this setting is turned on, the client accepts only replies that are compliant
with the latest PKINIT revision (PKINIT-27) from the domain controller for
smart card logon.
- RequireAsChecksum = 0
When this setting is turned off, the
client accepts replies that are compliant with the new revision or with older
When the registry entry is not present, the computer acts as if the setting is disabled.
The smart card logon fails when all the following
conditions are true:
- The logon attempt is initiated by the client.
- Security update 899587 is installed on the client.
- The value of the RequireAsChecksum registry entry is set to
1 on the client.
- The domain controller that replies to the authentication
request does not have security update 899587 installed.
We recommend that you turn on the registry
setting on client computers only after security update 899587 has been
deployed to all domain controllers in the domain.Note
You must restart a Windows 2000-based computer after you modify this registry entry. However, a restart is not required for computers that are running Windows XP or Windows Server