Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 1 03:32:50 EST 2007


I also wanted to mention that on Vista, when we set AllowTGTSessionKey,
we don't get the same results as on XP. On XP SP2, if this is not set or
is set to 0, then the etype is shown as 0 in the credentials cache, but
on Vista the etype is shown as 23, as would be expected, regardless of
the AllowTGTSessionKey presence/value. It is possible that
AllowTGTSessionKey is not working on Vista. Anyway, this is not the
issue I am asking for help on; I am only concerned with the session key
in service tickets.

I asked krbdev because I thought that the kfw product was being enhanced
to support the MS LSA cache and run on Vista. Our product has supported
the LSA cache on XP and XP x64 for a long time, and when we recently
tested on Vista we found these differences. I just wondered if the MIT
dev team had also seen the same issues.


-----Original Message-----
From: krbdev-bounces at [mailto:krbdev-bounces at] On Behalf
Of Tim Alsop
Sent: 01 March 2007 07:28
To: jaltman at
Cc: krbdev at
Subject: RE: Vista / UAC


I am NOT referring to the TGT session key. I am using AllowTGTSessionKey
in the registry, and it is working as designed for the TGT session key.
However, when I use LSP functions to get the session key from a service
ticket, this is not possible with UAC enabled, and there is no known
registry key to allow my code to read this key. I can read the key when
UAC is disabled or when using an administrator account.

Thanks, Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at] 
Sent: 01 March 2007 02:29
To: Tim Alsop
Cc: krbdev at
Subject: Re: Vista / UAC

Tim Alsop wrote:
> Hello,
> I am interested in how far you have got with developing support for MS
> Windows cache on Vista. We find our code works well, but only if UAC is
> turned off. This is because when UAC is enabled the session key in a
> service ticket is returned as all zeros instead of a valid session
> The result is that a server application that is accepting a security
> context fails to accept the context using the key from a key table
> on server. I plan to raise a support call with MS, but wanted to check
> first if you had already talked to MS and found a solution to this
> problem?
> Regards,
> Tim


This is working as designed.

When the user is a normal user and the AllowTGTSessionKey value is
non-zero, the session key may be extracted.

When the user is an administrator and UAC is active, the session key can
only be extracted if the AllowTGTSessionKey value is non-zero and the
process is running with elevated privileges.

Jeffrey Altman
Secure Endpoints Inc.
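The two conditions in the reply above (AllowTGTSessionKey non-zero, and an elevated process for a UAC-filtered administrator) can be checked on a host before anyone debugs an all-zero session key. The script below is an added example written for this page, not code from the thread or from either product mentioned in it. The registry location of the value comes from Microsoft's documentation of AllowTgtSessionKey, not from the thread; Test-ZeroSessionKey takes whatever byte array the caller already obtained from the LSA (for example the SessionKey of a KERB_RETRIEVE_TKT_RESPONSE) and only reports the zeroed symptom Tim described.

```powershell
# Added example (not from the krbdev thread). Reports whether the LSA is
# expected to export Kerberos session keys on this host, following the
# rules stated in Jeffrey Altman's reply.

function Get-KerbSessionKeyPolicy {
    # Documented location of the value the thread discusses (from Microsoft
    # documentation, not from the thread itself).
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $valueName = 'AllowTgtSessionKey'

    # An absent value behaves like 0: session keys are not exported.
    $item  = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $allow = if ($null -ne $item) { [int]$item.$valueName } else { 0 }

    # Under UAC an administrator's unelevated token is filtered, so this
    # role check is $false until the process is elevated. With UAC off, or
    # in an elevated process, it is $true.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $verdict = if ($allow -eq 0) {
        'AllowTgtSessionKey is 0 or absent: session keys will be returned zeroed'
    } elseif ($elevated) {
        'Value set and process elevated (or UAC off): session keys are exported'
    } else {
        'Value set but process not elevated: exported for a normal user; ' +
        'a UAC-filtered administrator must run elevated'
    }

    [pscustomobject]@{
        User               = $identity.Name
        AllowTgtSessionKey = $allow
        Elevated           = $elevated
        Verdict            = $verdict
    }
}

function Test-ZeroSessionKey {
    # $KeyBytes is the session key as returned by the LSA (caller-supplied).
    # Returns $true when every byte is zero, i.e. the key was withheld.
    param([Parameter(Mandatory)][byte[]]$KeyBytes)
    if ($KeyBytes.Length -eq 0) { return $true }
    foreach ($b in $KeyBytes) { if ($b -ne 0) { return $false } }
    return $true
}

# Usage from an interactive prompt:
Get-KerbSessionKeyPolicy | Format-List

# Constructed sample inputs, not keys captured from a real ticket:
$withheldKey = [byte[]]::new(16)                      # 16 zero bytes
$realKey     = [byte[]](1..16)                        # 16 non-zero bytes
"Withheld key detected: $(Test-ZeroSessionKey $withheldKey)"   # True
"Withheld key detected: $(Test-ZeroSessionKey $realKey)"       # False
```

Run the policy check twice, once from a normal console and once from an elevated one, to see the third verdict change to the second on an administrator account; if the value is already non-zero and the process is elevated but a service ticket still comes back with an all-zero key, the problem is not the conditions this script checks.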
