Vista / UAC

Tim Alsop Tim.Alsop at CyberSafe.Com
Thu Mar 1 10:29:24 EST 2007


Jeffrey,

Thank you for this. I am pleased this is possible, so we must need to
change our code somehow to make it work better on Vista. At the moment
it works well on all other versions of XP, 2k etc. with MS LSA cache,
even on x64 versions of Windows.

BTW. The issue I described is on Vista x64, so maybe the 64-bit
involvement is opening up a bug in UAC ? We will check on regular x86
Vista and see what happens, then look at MIT code to see how our code
differs.

Cheers,
Tim 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: 01 March 2007 15:26
To: Tim Alsop
Cc: krbdev at mit.edu
Subject: Re: Vista / UAC

Tim Alsop wrote:
> Jeffrey,
>
> Is UAC enabled on your Vista workstation ?
Yes.  If I login with an account that is a member of the administrators
group, UAC is triggered.
> Perhaps we need to use a different LSA function to get the session key,
> compared to how we do it in the code which works on XP ? Is the code
> accessing session key the MIT kerberos library ? Also, I assume that
> kermit is using the MIT gss on Windows to access credentials so there is
> nothing in kermit which is special.
Kermit is using the KFW GSS-API library using the MSLSA: ccache type.
> Can you also confirm that you are using RC4 keys for service tickets ?
> We are using RC4 session keys.
>   
This particular case is not using RC4-HMAC.  Not that it would make a
difference.

I can store arbitrary service tickets into the MSLSA: and read them back
without issue.

Jeffrey Altman
Secure Endpoints Inc.

