KfW 3.2 beta1, OpenAFS 1.5.18 integrated logon for Windows Server 2003 Terminalserver users

Jeffrey Altman jaltman at secure-endpoints.com
Wed Oct 3 01:08:23 EDT 2007

Volkmar Glauche wrote:
> Dear List,
> I am having trouble getting the above configuration to perform integrated 
> logon on a Windows 2003 Terminal server. The exact configuration is:
> - Samba 3.0.24 acting as Primary/Backup Domain Controller
> - Windows 2003 server as domain member
> - heimdal KDC with LDAP database backend
> Whenever a user tries to login to a terminal server session, I get an 
> error message "Credential cache I/O failed: XXX". After being logged in, 
> obtaining tickets and AFS token works fine. However, integrated login 
> works for the same user if she is logging in to the server console 
> session, so I think there must be a permissions problem somewhere. I have 
> tried to ask this also on the OpenAFS side, this is what Jeff Altman said:
> http://rt.central.org/rt/Ticket/Display.html?id=59277
> I would greatly appreciate any hint on how to debug and fix this problem.
> Yours,

This is a bug in the CCAPI server affecting its use on Windows Terminal
when krbcc32.dll is loaded by the child process of winlogon.exe.  The
problem is actually quite interesting.  For each logon session a new
winlogon.exe is spawned with unique session id.  The LUID within the
authentication token represented in the token's authenticationId field
is supposed to be unique per logon session.  However, although the
session ids are unique, the authentication token for SYSTEM used to
create each winlogon.exe process is not.

The CCAPI was generating RPC endpoint names based upon the
authenticationId LUID which was thought to be unique.  It wasn't.  The
fix is to explicitly obtain the sessionId and include it in the
generation of the unique RPC endpoint name.  Once this is done, a new
krbcc32s.exe instance will be started for each winlogon.exe instance.

Hopefully, this will be fixed in KFW 3.2.2.

Jeffrey Altman
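
The collision described in the reply above, as an added example that is not part of the original message and is not the CCAPI source. The endpoint format `example_ccapi...` and the function names are hypothetical, and the sample values (the SYSTEM logon LUID 0:0x3e7, sessions 1 and 2) are constructed; the `_WIN32` section reads the real values for the calling process.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical endpoint format (not the real CCAPI name).
 * session_id < 0 models the old behaviour: name derived from the LUID only. */
int endpoint_name(char *out, size_t n, unsigned long luid_hi,
                  unsigned long luid_lo, long session_id)
{
    if (session_id < 0)
        return snprintf(out, n, "example_ccapi.%08lx.%08lx", luid_hi, luid_lo);
    return snprintf(out, n, "example_ccapi.%08lx.%08lx.%ld",
                    luid_hi, luid_lo, session_id);
}

/* Returns 1 when two logon contexts with the same LUID would share one
 * endpoint, and therefore one credential cache server instance. */
int endpoints_collide(unsigned long hi, unsigned long lo,
                      long sess_a, long sess_b, int use_session)
{
    char a[64], b[64];
    endpoint_name(a, sizeof a, hi, lo, use_session ? sess_a : -1);
    endpoint_name(b, sizeof b, hi, lo, use_session ? sess_b : -1);
    return strcmp(a, b) == 0;
}

#ifdef _WIN32
/* Builds the name from the caller's real AuthenticationId and session id. */
int current_endpoint_name(char *out, size_t n)
{
    HANDLE tok; TOKEN_STATISTICS st; DWORD len, sess; BOOL ok;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    ok = GetTokenInformation(tok, TokenStatistics, &st, sizeof st, &len);
    CloseHandle(tok);
    if (!ok || !ProcessIdToSessionId(GetCurrentProcessId(), &sess)) return -1;
    return endpoint_name(out, n, (unsigned long)st.AuthenticationId.HighPart,
                         (unsigned long)st.AuthenticationId.LowPart, (long)sess);
}
#endif

int main(void)
{
    /* Constructed sample: two winlogon.exe children, same SYSTEM LUID. */
    printf("LUID only, collide:      %d\n", endpoints_collide(0, 0x3e7, 1, 2, 0));
    printf("LUID + session, collide: %d\n", endpoints_collide(0, 0x3e7, 1, 2, 1));
    return 0;
}
```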
