New cred cache breaks Win2k service

Danilo Almeida dalmeida at MIT.EDU
Wed Feb 20 14:04:26 EST 2002


This is by design.  As I recall, the original problem was this:

A process doing impersonation cannot start a program as the user being
impersonated because the process level tokens are the service's and not
the user's.

Therefore, the service cannot start the creds cache process.  So, if the
user does not already have the creds cache process, the service not be
able to access the cache.  Granted, there are no creds in the cache, but
what if the service is trying to stuff some creds in there?

In order to avoid any such weirdness as to under what impersonation
circumstances the creds cache may or may not work, I chose to circumvent
the whole issue by disallowing access to the user's cache when doing
impersonation.

I can revisit this if someone puts forth a good proposal for how things
should work.

However, in the meantime, services doing impersonation need to
communicate creds via some other mechanism that is appropriate for the
service in question (e.g. LRPC).

For more information, look at the release notes in the KfW 2.1.2 source
distribution.

- Danilo


-----Original Message-----
From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU] On Behalf
Of Mike Frisch
Sent: Wednesday, February 20, 2002 9:37 AM
To: kerberos at mit.edu
Subject: New cred cache breaks Win2k service

With the recent changes to the Kerberos Credentials Cache, my service on
Windows 2000 is now broken.  Without being able to use impersonation,
how do I allow a Windows 2000 service to perform Kerberos/GSS operations
on behalf of other users?

Thanks in advance,

Mike.





More information about the Kerberos mailing list