Vista / UAC

Jeffrey Altman jaltman at secure-endpoints.com
Thu Mar 1 08:33:51 EST 2007 

Tim:

Do you have these problems with a non-Administrator account?

Do you have these problems with an Administrator account that is running
with elevated privileges?

Under Vista an Administrator account cannot read session keys if UAC is
active and the process is not running with elevated privileges.

This behavior is different from previous Windows releases but it is how
Microsoft designed it.

Jeffrey Altman


Tim Alsop wrote:
> Jeffrey,
>
> I also wanted to mention, that on Vista, when we set AllowTGTSessionKey
> we don't get same results as on XP. On XP SP2 if this is not set or set
> to 0 then the etype is shown as 0 in credentials cache, but on Vista the
> etype is shown as 23 as it would be expected regardless of the
> AllowTGTSessionKey presence/value. It is possible that
> AllowTGTSessionKey is not working on Vista. Anyway, this is not the
> issue I am asking for help on - I am only concerned with the session key
> in service tickets.
>
> I asked krbdev because I thought that kfw product was being enhanced to
> support MS LSA cache and run on Vista. Our product has supported LSA
> cache on XP, and XP x64 for a long time, and when we recently tested on
> Vista we found these differences. I just wondered if MIT dev team had
> also seen the same issues.
>
> Thanks,
> Tim
>
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
> Of Tim Alsop
> Sent: 01 March 2007 07:28
> To: jaltman at secure-endpoints.com
> Cc: krbdev at mit.edu
> Subject: RE: Vista / UAC
>
> Jeffrey,
>
> I am NOT referring to the TGT session key. I am using AllowTGTSessionKey
> in registry and it is working as designed for the TGT session key.
> However, when I use LSP functions to get the session key from a service
> ticket this is not possible with UAC enabled, and there is no known
> registry key to allow my code to read this key. I can read the key when
> UAC is disabled, or when using an administrator account.
>
> Thanks, Tim 
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
> Sent: 01 March 2007 02:29
> To: Tim Alsop
> Cc: krbdev at mit.edu
> Subject: Re: Vista / UAC
>
> Tim Alsop wrote:
>> Hello,
>>  
>> I am intersted in how far you have got with developing support for MS
>> WIndows cache on Vista. We find our code works well, but only if UAC
> is
>> turned off. This is because when UAC is enabled the session key in a
>> service ticket is returned as all zero's instead of a valid session
> key.
>> The result is that a server application that is accepting a security
>> context fails to accept the context using the key from a key table
> file
>> on server. I plan to raise a support call with MS, but wanted to check
>> first if you had already talked to MS and found a solution to this
>> problem ?
>>  
>> Regards,
>> Tim
>
> Tim:
>
> This is working as designed.
>
> When the user is a normal user and the AllowTGTSessionKey value is
> non-zero, the session key may be extracted.
>
> When the user is an administrator and UAC is active, the session key can
> only be extracted if the AllowTGTSessionKey value is non-zero and the
> process is running with elevated privileges.
>
> Jeffrey Altman
> Secure Endpoints Inc.
>
>
>
>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070301/b60a7256/attachment.bin

More information about the krbdev mailing list