[krbdev.mit.edu #5871] KFW: CCAPI: Vista UAC incompatibility

Jeffrey Altman via RT rt at krbdev.mit.edu
Mon Jan 14 15:48:25 EST 2008


The KFW CCAPI RPC implementation is incompatible with Vista User Account
Control.  The initial ccache server is started using the credentials of
the logon account.  An account that is a member of the Administrators
Group when UAC is active will start off with restricted access.  Tickets
acquired by KFW in this state will be stored in a ccache server that is
running with restricted privileges.

When the user elevates a process it will no longer be able to
communicate with the ccache server.  This results in the following
negative user experience.  The user elevates a process that requires
Kerberos credentials.  The krb5 library cannot find any valid credential
cache and prompts the user to obtain a TGT.  The user obtains the TGT
and is then prompted again because the application seeking the
credentials still cannot read them.  User looks at a credential manager,
sees valid tickets, and gets frustrated.



