[krbdev.mit.edu #5477] SVN Commit

Tom Yu via RT rt-comment at krbdev.mit.edu
Thu Mar 29 23:09:23 EDT 2007


pull up r19237 from trunk

 r19237 at cathode-dark-space:  jaltman | 2007-03-20 03:13:18 -0400
 ticket: new
 subject: Enable Vista support for MSLSA
 tags: pullup
 
 The MSLSA: ccache type, when used on Windows Vista, can take advantage of an ability to write tickets to the LSA credential cache for the current logon session. This is possible due to the addition of the KERB_SUBMIT_TICKET interface.
 
 Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient method of enumerating the contents of the LSA credential cache.
 
 The code to take advantage of these features has been present for more than a year. However, due to the lack of a public SDK that included the necessary data structures, the functionality has been disabled. As of this commit, the functionality will be enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol that is new to the Vista SDK.
 
 In order to build with the new Vista functionality when using the XP SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP SP2 SDK.
 
 This commit also addresses the issues associated with the inability to read session keys from a UAC-limited process. When UAC limitation is detected by examining the process token elevation level, all access to the MSLSA contents is disabled. At some point in the future we can implement an elevated COM service in order to obtain access to the session keys.


Commit By: tlyu



Revision: 19337
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c



