[krbdev.mit.edu #5469] SVN Commit

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Tue Mar 13 02:35:22 EDT 2007


        On Windows Vista the GINA architecture was removed.  As a side
        effect the support for the Logon Event Handlers was also removed.
        The KFW Integrated Logon functionality relies on the "Logon"
        event handler to migrate the user's tickets from a secure FILE:
        ccache to an API: ccache so that the tickets will be available
        to NetIDMgr and all other Kerberos applications.

        This functionality is especially important on Vista for
        accounts that are members of the Administrators group because
        the User Account Control (UAC) restricts access to the session
        keys of all tickets in the MSLSA ccache.  The only way for
        tickets to be made available to MIT Kerberos applications is
        by obtaining them within the Network Provider and pushing them
        into the Logon Session.

        This patch replaces the missing Logon Event Handler support
        with a new exported function "LogonEventHandler" which adheres
        to the rundll32.exe specifications.  The "LogonEventHandler"
        function accepts as input the name of a FILE ccache and moves
        the contents into an API: ccache and then deletes the FILE
        ccache.

        In order for this to work the FILE ccache must be owned by
        the account that was used to logon to the current session.
        The NPLogonNotify() function must therefore look up the SID
        for the active account, assign an appropriate DACL to the
        ccache file, and change the owner.  In addition, when Vista
        is in use a LogonScript must be constructed that will perform
        the call to rundll32.exe.

        Other changes include altering the prototype of
        KFW_copy_ccache_system_file to accept a filename instead of
        the LogonID.  This improves the abstraction and allows the
        filename to be computed once and passed into multiple
        functions from NPLogonNotify().

        Many debugging calls were added to assist with implementation.
        #define DEBUG 1 at the top of kfwcommon.c when you wish to
        build with debugging that generates entries in the Windows
        Application Event Viewer.

        It is important to note that Integrated Logon attempts to
        log on the username within the default realm within the
        krb5.ini file using the provided password.  This is so
        a local machine account name matching the default realm
        can obtain Kerberos tickets by synchronizing the password.

Commit By: jaltman
Revision: 19221
Changed Files:
U   trunk/src/windows/kfwlogon/kfwcommon.c
U   trunk/src/windows/kfwlogon/kfwlogon.c
U   trunk/src/windows/kfwlogon/kfwlogon.def
U   trunk/src/windows/kfwlogon/kfwlogon.h
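The commit requires that the FILE: ccache handed to LogonEventHandler be owned by the logged-on account with a DACL that keeps other users out. The following PowerShell check verifies those two properties on a given ccache file; it is an added example, not code from the KFW tree, and the default path is an assumption (the commit does not say where NPLogonNotify writes the file).

```powershell
# Added example (not part of the KFW commit): verify that a FILE: ccache staged
# for LogonEventHandler is owned by the session account and readable by no one else.
# $CcachePath is an assumed location; pass the real path from the LogonScript.
param(
    [string]$CcachePath = "$env:LOCALAPPDATA\krb5cc_logon"   # assumption, not the real KFW path
)

function Test-CcacheOwnership {
    param([Parameter(Mandatory)][string]$Path)

    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $acl = Get-Acl -LiteralPath $Path
    $ownerSid = (New-Object System.Security.Principal.NTAccount($acl.Owner)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value

    # Besides the owner, only SYSTEM (S-1-5-18) and the local Administrators
    # group (S-1-5-32-544) are tolerated in the DACL of the ticket file.
    $allowed = @($me.User.Value, 'S-1-5-18', 'S-1-5-32-544')

    $problems = @()
    if ($ownerSid -ne $me.User.Value) {
        $problems += "owner is $($acl.Owner), expected $($me.Name)"
    }
    if (-not $acl.AreAccessRulesProtected) {
        $problems += "DACL still inherits ACEs from the parent directory"
    }
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $allowed) {
            $problems += "ACE grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
    return $problems
}

$issues = @(Test-CcacheOwnership -Path $CcachePath)
if ($issues.Count -eq 0) {
    "OK: $CcachePath is owned by $($env:USERNAME) and not accessible to other users"
} else {
    $issues | ForEach-Object { "WARNING: $CcachePath - $_" }
}
```

Run it in the logon session itself (not an elevated prompt) so that GetCurrent() reports the same SID NPLogonNotify assigned as owner.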
