[krbdev.mit.edu #5871] KFW: CCAPI: Vista UAC incompatibility

Kevin Koch via RT rt at krbdev.mit.edu
Wed Mar 12 21:44:22 EDT 2008


In preparation for testing this on Vista, I wrote out a test scenario 
and tried it on XP.  Is this behavior acceptable???  

Does the fact that additional krbcc32s servers are created mean that 
the elevated process's logon session is different from the user's logon 
session?

Elevated privilege test scenario
----------------------------------------------------------------
0) Setup:

Two accounts:  password-protected Administrator 'admin' and restricted 
user 'kpkoch.'

Ensure NIM, SecureCRT icons on desktop.

Configure SecureCRT:
Global settings:  SSH2 / Use personal store certificate.
Athena session :  user kpkoch, only GSSAPI and Kerberos.


----------------------------------------------------------------
1) Restricted user test:

(Re)boot.  No logon sessions.

Logon as 'kpkoch.'  MIT KfW 3.2.2 autoprompts for credentials.  Enter 
password, get creds.

Start Task Manager; verify one krbcc32s, user should be kpkoch.

Run SecureCRT, connect to Athena.  Should work without any additional 
prompting.
One krbcc32s.
Exit SecureCRT.


----------------------------------------------------------------
2) Elevated user test 1:

Right click SecureCRT icon, Run As ... 'admin,' connect to Athena.
2nd krbcc32s, owned by Admin.
Connection to session athena.dialup.mit.edu failed:  Key exchange 
failed.  No compatible key exchange method.


----------------------------------------------------------------
3) Elevated user test 2:

Kill NIM.

Right click NIM icon, select Run As ..., enter username 'admin.'  
Asked for password for kpkoch, 3rd krbcc32s, owned by Admin.
Enter kpkoch password, get creds.
<ESC> to iconize to tray.
NIM now owned by Admin.

Right click SecureCRT icon, Run As ... 'admin,' connect to Athena.
Obtain new credentials Password prompt for kpkoch.
Delay.
Connection to session athena.dialup.mit.edu failed:  Key exchange 
failed.  No compatible key exchange method.
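
One way to check the logon-session question raised in this message is to list every krbcc32s server with its owning account and logon session ID instead of reading owners off Task Manager. This is an added example, not part of the original post or of KfW. It assumes the image name is `krbcc32s.exe` and a Windows release with PowerShell 3.0 or later, and it should be run from an elevated prompt so processes owned by other accounts are visible.

```powershell
# Added example (not from the original message).
# Assumption: the CCAPI server image is named krbcc32s.exe, as Task Manager lists it.
$imageName = 'krbcc32s.exe'

$rows = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$imageName'") {
    # Account that owns the process (the "User Name" column in Task Manager).
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner

    # Logon session the process belongs to, via the Win32_SessionProcess association.
    $logon = Get-CimAssociatedInstance -InputObject $p -ResultClassName Win32_LogonSession |
        Select-Object -First 1

    [pscustomobject]@{
        ProcessId       = $p.ProcessId
        Owner           = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unavailable>' }
        TerminalSession = $p.SessionId                                        # desktop session number
        LogonId         = if ($logon) { $logon.LogonId } else { '<unavailable>' }
        LogonType       = if ($logon) { $logon.LogonType } else { $null }     # 2 = Interactive
        LogonStart      = if ($logon) { $logon.StartTime } else { $null }
    }
}

# One row per krbcc32s server.
$rows | Sort-Object LogonId, ProcessId | Format-Table -AutoSize

# One group per logon session. More than one group means the servers do not
# share a logon session, even when they run on the same desktop.
$rows | Group-Object LogonId |
    Select-Object @{ n = 'LogonId'; e = { $_.Name } },
                  Count,
                  @{ n = 'Owners'; e = { ($_.Group.Owner | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Running it after each of the three tests above gives a per-step record of how many servers exist and which logon session each one is tied to.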


