[krbdev.mit.edu #5913] KfW CCAPI: Logon Session as cache index: poor elevated-user experience
Jeffrey Altman via RT
rt at krbdev.mit.edu
Thu Mar 13 23:40:43 EDT 2008
[kpkoch - Thu Mar 13 20:22:30 2008]:
> I tried this test scenario on XP. When a user starts a process with
> elevated privilege, the process gets a different LSID from the
> spawning
> logon session. The spawned, elevated process can't access the
> original
> process's ccache, because the name of the ccache is based on the LSID.
Run As Administrator on XP/2003 is not the same as Vista/2008's run with
elevated privileges. Run as Administrator means login as the
Administrator account which is a new logon session and is intended to be
a new logon session.
Credentials should not be shared between the two accounts.
The same is true if you use a non-Administrator account on Vista and
choose Run as Administrator. In that case, you are using a new logon ID
and the logon sessions should be separate. There is no bug here. This
is the desired behavior.
More information about the kfwdev
mailing list