Vista / UAC
Todd Stecher
todd.stecher at isilon.com
Wed Feb 28 18:04:11 EST 2007
On Feb 28, 2007, at 10:09 AM, Tim Alsop wrote:
> Hello,
>
> I am interested in how far you have got with developing support for MS
> Windows cache on Vista. We find our code works well, but only if UAC is
> turned off. This is because when UAC is enabled the session key in a
> service ticket is returned as all zeros instead of a valid session key.
> The result is that a server application that is accepting a security
> context fails to accept the context using the key from a key table file
> on server. I plan to raise a support call with MS, but wanted to check
> first if you had already talked to MS and found a solution to this
> problem?
I'm pretty sure this is in XPSP2 as well - this is controllable via
the registry (can't recall the value off the top of my head, but it
may be on www.microsoft.com/kerberos).

This support was added to keep rogue applications from stealing the
session key outside of the context of the LSA. I left MS too early
to know if UAC affects this registry key and the
LsaApCallAuthenticationPackage() level, but I doubt it does - it is
likely only gated by the "mystery" registry key noted above. I'll
see if I can dig up the details - I'm pretty certain Jeff Altman
knows the value as KFW likely sets it.

Later,
Todd
Todd Stecher | Windows Interop Dev
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com D +1-206-315-7638 M +1-425-205-1180