Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 1 02:27:55 EST 2007


I am NOT referring to the TGT session key. I am using AllowTGTSessionKey
in registry and it is working as designed for the TGT session key.
However, when I use LSP functions to get the session key from a service
ticket this is not possible with UAC enabled, and there is no known
registry key to allow my code to read this key. I can read the key when
UAC is disabled, or when using an administrator account.

Thanks, Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at] 
Sent: 01 March 2007 02:29
To: Tim Alsop
Cc: krbdev at
Subject: Re: Vista / UAC

Tim Alsop wrote:
> Hello,
> I am intersted in how far you have got with developing support for MS
> WIndows cache on Vista. We find our code works well, but only if UAC
> turned off. This is because when UAC is enabled the session key in a
> service ticket is returned as all zero's instead of a valid session
> The result is that a server application that is accepting a security
> context fails to accept the context using the key from a key table
> on server. I plan to raise a support call with MS, but wanted to check
> first if you had already talked to MS and found a solution to this
> problem ?
> Regards,
> Tim


This is working as designed.

When the user is a normal user and the AllowTGTSessionKey value is
non-zero, the session key may be extracted.

When the user is an administrator and UAC is active, the session key can
only be extracted if the AllowTGTSessionKey value is non-zero and the
process is running with elevated privileges.

Jeffrey Altman
Secure Endpoints Inc.

More information about the krbdev mailing list