Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Feb 28 18:13:14 EST 2007

I think you are referring to the AllowTGTSessioKey registry setting,
which we have set on Vista. The problem we are having is not related to
TGT session key, it is the session key of a service ticket already in
cache which we need to prepare the AP-REP when setting up a security
context over gss-api.
kfw sets AllowTGTSessionKey and so does our product on XP and this is
ok, but the problem I refer to is specific to Vista and UAC being


From: Todd Stecher [mailto:todd.stecher at] 
Sent: 28 February 2007 23:04
To: Tim Alsop
Cc: krbdev at
Subject: Re: Vista / UAC

On Feb 28, 2007, at 10:09 AM, Tim Alsop wrote:


	I am intersted in how far you have got with developing support
for MS
	WIndows cache on Vista. We find our code works well, but only if
UAC is
	turned off. This is because when UAC is enabled the session key
in a
	service ticket is returned as all zero's instead of a valid
session key.
	The result is that a server application that is accepting a
	context fails to accept the context using the key from a key
table file
	on server. I plan to raise a support call with MS, but wanted to
	first if you had already talked to MS and found a solution to
	problem ?

I'm pretty sure this is in XPSP2 as well - this is controllable via the
registry (can't recall the value off the top of my head, but it may be

This support was added to keep rogue applications from stealing the
session key outside of the context of the LSA.  I left MS too early to
know if UAC affects this registry key and the
LsaApCallAuthenticationPackage() level, but I doubt it does - it is
likely only gated by the "mystery" registry key noted above.    I'll see
if I can dig up the details - I'm pretty certain Jeff Altman knows the
value as KFW likely sets it.


Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501    D +1-206-315-7638    M +1-425-205-1180

More information about the krbdev mailing list