Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 1 10:08:00 EST 2007


Jeffrey,

Is UAC enabled on your Vista workstation?

Perhaps we need to use a different LSA function to get the session key,
compared to how we do it in the code which works on XP? Is the code
accessing the session key the MIT Kerberos library? Also, I assume that
kermit is using the MIT gss on Windows to access credentials so there is
nothing in kermit which is special.

Can you also confirm that you are using RC4 keys for service tickets?
We are using RC4 session keys.

Thanks,
Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: 01 March 2007 15:02
To: Tim Alsop
Cc: krbdev at mit.edu
Subject: Re: Vista / UAC

Tim:

I don't know what problem you are having but session keys can be read
just fine by non-Administrator accounts.

I log into Vista with my non-Administrator account from my 2003 domain. 
I set the default ccache to MSLSA: and then start up a copy of Kermit 95
which I use to SSH gssapi-keyex into a host via a cross-realm
authentication.

[C:\kermit]set KRB5CCNAME=MSLSA:

[C:\kermit]k95g

[C:\kermit]klist
Ticket cache: MSLSA:
Default principal: userone at WINDOWS.SECURE-ENDPOINTS.COM

Valid starting     Expires            Service principal
03/01/07 09:59:37  03/01/07 16:50:49 
krbtgt/SECURE-ENDPOINTS.COM at WINDOWS.SECURE-ENDPOINTS.COM
        renew until 03/07/07 21:05:49
03/01/07 06:50:49  03/01/07 16:50:49 
krbtgt/WINDOWS.SECURE-ENDPOINTS.COM at WINDOWS.SECURE-ENDPOINTS.COM
        renew until 03/07/07 21:05:49
03/01/07 09:55:18  03/01/07 16:50:49 
host/redhat71.secure-endpoints.com at SECURE-ENDPOINTS.COM
        renew until 03/07/07 21:05:49

There is no UAC involved in this interaction.

UAC is only involved when the account is a member of the Administrators
group.

Jeffrey Altman
Secure Endpoints Inc.




