Kerberos delegation on Windows Vista LSA

Tim Alsop Tim.Alsop at CyberSafe.Com
Mon Jan 28 08:59:40 EST 2008


Speedo,

This is due to a bug in Vista that will be fixed in SP1. There is a
hotfix available for pre-SP1. If you turn off UAC or use an account
which is not an administrator you don't need any fix.

The hotfix is described at http://support.microsoft.com/kb/942219/en-us

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Speedo
Sent: 28 January 2008 13:32
To: kerberos at mit.edu
Subject: Kerberos delegation on Windows Vista LSA

Hi Guys

I have a program doing Kerberos on Windows. The program generates all
Kerberos packets itself but will sometimes retrieve tickets from the
LSA cache so that the user needn't type in the Windows password. Before
Windows Vista, if I have to do delegation, I need a forwardable TGT to
put into a KRB_CRED message. In order to get the session key, I have
to set up the Windows registry key allowtgtsessionkey=1. Now in Vista,
even if the key is set, a domain user who is in the local admin group
still cannot get a valid session key. The only workaround now is to
create my own kinit and issue the AS_REQ, which means the user has to
input his password, and the user is not happy.

I suppose Vista is doing this for security reasons, so that
unprivileged guys cannot use this "hole" to get back full admin rights.
Is that right? Does this mean I can never 1) generate Kerberos packets
myself and 2) use the LSA cache at the same time?

Thanks in advance
Speedo
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
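An added diagnostic, not part of this thread, that checks on the local machine the conditions Tim's reply names (AllowTgtSessionKey, UAC, membership in the local Administrators group, the Vista service pack level and the KB942219 hotfix). The registry paths are the documented locations of those two switches and are assumed here rather than taken from the thread.

```powershell
# Added example: report why the LSA cache may withhold the TGT session key on Vista.
function Get-TgtSessionKeyDiagnosis {
    $os      = Get-WmiObject -Class Win32_OperatingSystem
    $isVista = $os.Version -like '6.0.*'
    $spLevel = [int]$os.ServicePackMajorVersion
    $hotfix  = Get-WmiObject -Class Win32_QuickFixEngineering |
               Where-Object { $_.HotFixID -eq 'KB942219' }

    # Documented location of the switch the original post calls allowtgtsessionkey.
    $kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $allowKey = (Get-ItemProperty -Path $kerbParams -ErrorAction SilentlyContinue).AllowTgtSessionKey
    if ($null -eq $allowKey) { $allowKey = 0 }   # a missing value behaves as 0 (key withheld)

    # UAC on/off is the EnableLUA policy value.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn  = ((Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).EnableLUA -eq 1)

    # BUILTIN\Administrators (S-1-5-32-544) stays in the token even when UAC has
    # filtered it to deny-only, so this reflects the account, not the elevation state.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $inAdminGroup = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    $verdict =
        if ($allowKey -ne 1) {
            'Session key withheld: set AllowTgtSessionKey (REG_DWORD) to 1.'
        } elseif ($isVista -and $spLevel -lt 1 -and $uacOn -and $inAdminGroup -and -not $hotfix) {
            'Affected by the pre-SP1 Vista bug: install KB942219 or SP1, turn off UAC, or use a non-admin account.'
        } else {
            'Preconditions satisfied; the LSA should return the TGT session key.'
        }

    New-Object PSObject -Property @{
        Vista              = $isVista
        ServicePack        = $spLevel
        Hotfix942219       = [bool]$hotfix
        AllowTgtSessionKey = $allowKey
        UacEnabled         = $uacOn
        InAdminGroup       = $inAdminGroup
        Verdict            = $verdict
    }
}

Get-TgtSessionKeyDiagnosis | Format-List
```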
