Kerberos delegation on Windows Vista LSA

Speedo speedogoo at gmail.com
Mon Jan 28 08:32:18 EST 2008


Hi Guys

I have a program doing Kerberos on Windows. The program generates all
Kerberos packets itself but will sometimes retrieve tickets from the
LSA cache so that the user needn't type in the Windows password. Before
Windows Vista, if I had to do delegation, I needed a forwardable TGT to
put into a KRB_CRED message. In order to get the session key, I had
to set up the Windows registry key allowtgtsessionkey=1. Now in Vista,
even if the key is set, a domain user who is in the local admin group
still cannot get a valid session key. The only workaround now is to
create my own kinit and issue the AS_REQ, which means the user has to
input his password, and the user is not happy.

I suppose Vista is doing this for security reasons so that
unprivileged guys cannot use this "hole" to get back full admin rights.
Is that right? Does this mean I can never 1) generate Kerberos packets
myself and 2) use the LSA cache at the same time?

Thanks in advance
Speedo
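The registry value the post relies on, AllowTgtSessionKey under the LSA Kerberos parameters, is the setting that lets user-mode code read TGT session keys out of the LSA cache, which is exactly why it is off by default. The following PowerShell audit is an added example and is not part of the original post or of the poster's tool: it reports the current state of that value and parses the ticket cache listing (`klist`) to show which cached TGTs carry the forwardable flag that delegation via KRB_CRED needs. It assumes the documented registry path `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, that `klist.exe` is on the PATH, and the `Server:` / `Ticket Flags 0x... -> ...` line layout of `klist` output; the fallback sample lines are constructed, not captured output.

```powershell
# Added example (not from the original post): audit the AllowTgtSessionKey
# setting and list which cached TGTs are forwardable.
# Assumptions: Windows host, klist.exe available, registry path as documented.

$KerbParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-AllowTgtSessionKeyState {
    # Returns 0 (the default: session keys stay inside LSA) when the value is absent.
    $props = Get-ItemProperty -Path $KerbParamsPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.AllowTgtSessionKey) { return 0 }
    return [int]$props.AllowTgtSessionKey
}

function Get-CachedTicketFlags {
    # Parse klist output: each ticket block has a "Server:" line followed by a
    # "Ticket Flags 0x... -> flag flag ..." line. Returns one object per ticket.
    param([string[]]$KlistLines)
    $tickets = @()
    $current = $null
    foreach ($line in $KlistLines) {
        if ($line -match '^\s*Server:\s*(.+)$') {
            $current = [pscustomobject]@{
                Server      = $Matches[1].Trim()
                Flags       = ''
                Forwardable = $false
            }
            $tickets += $current
        }
        elseif ($current -and $line -match '^\s*Ticket Flags\s+0x[0-9a-fA-F]+\s*->\s*(.+)$') {
            $current.Flags       = $Matches[1].Trim()
            $current.Forwardable = (($current.Flags -split '\s+') -contains 'forwardable')
        }
    }
    return $tickets
}

# 1. Report the registry setting and what it means for the host.
$state = Get-AllowTgtSessionKeyState
if ($state -eq 1) {
    Write-Warning ("AllowTgtSessionKey=1: processes in a user's session may read TGT " +
                   "session keys from the LSA cache. Required by tools that build their " +
                   "own KRB_CRED, but it widens credential exposure; confirm it is intended.")
} else {
    Write-Output "AllowTgtSessionKey is $state (default): TGT session keys are not exported by LSA."
}

# 2. Show which cached TGTs are forwardable (the property delegation needs).
if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
    $lines = & klist.exe 2>$null
} else {
    # Constructed sample lines (not real output) so the parser can run offline.
    $lines = @(
        '#0>     Client: alice @ EXAMPLE.LOCAL',
        '        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL',
        '        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize',
        '#1>     Client: alice @ EXAMPLE.LOCAL',
        '        Server: cifs/fileserver.example.local @ EXAMPLE.LOCAL',
        '        Ticket Flags 0x40a10000 -> renewable pre_authent name_canonicalize'
    )
}

Get-CachedTicketFlags -KlistLines $lines |
    Where-Object { $_.Server -like 'krbtgt/*' } |
    ForEach-Object {
        $verdict = if ($_.Forwardable) { 'FORWARDABLE (usable in KRB_CRED)' } else { 'not forwardable' }
        Write-Output ("TGT {0}: {1} [{2}]" -f $_.Server, $verdict, $_.Flags)
    }
```

Run it from an ordinary (non-elevated) PowerShell prompt, since that is the context in which the poster's tool would be reading the cache; the registry check needs only read access to HKLM. If the value reads 1 on a host where no application needs raw TGT session keys, the defensible fix is to delete the value or set it back to 0.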


