Vista / UAC

[Tim Alsop]

Jeffrey,

I am NOT referring to the TGT session key. I am using AllowTGTSessionKey
in registry and it is working as designed for the TGT session key.
However, when I use LSP functions to get the session key from a service
ticket this is not possible with UAC enabled, and there is no known
registry key to allow my code to read this key. I can read the key when
UAC is disabled, or when using an administrator account.

Thanks, Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: 01 March 2007 02:29
To: Tim Alsop
Cc: krbdev at mit.edu
Subject: Re: Vista / UAC

Tim Alsop wrote:
> Hello,
>  
> I am intersted in how far you have got with developing support for MS
> WIndows cache on Vista. We find our code works well, but only if UAC
is
> turned off. This is because when UAC is enabled the session key in a
> service ticket is returned as all zero's instead of a valid session
key.
> The result is that a server application that is accepting a security
> context fails to accept the context using the key from a key table
file
> on server. I plan to raise a support call with MS, but wanted to check
> first if you had already talked to MS and found a solution to this
> problem ?
>  
> Regards,
> Tim

Tim:

This is working as designed.

When the user is a normal user and the AllowTGTSessionKey value is
non-zero, the session key may be extracted.

When the user is an administrator and UAC is active, the session key can
only be extracted if the AllowTGTSessionKey value is non-zero and the
process is running with elevated privileges.

Jeffrey Altman
Secure Endpoints Inc.