[29160] in Kerberos
RE: Kerberos delegation on Windows Vista LSA
daemon@ATHENA.MIT.EDU (Tim Alsop)
Mon Jan 28 09:01:18 2008
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 28 Jan 2008 13:59:40 -0000
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D303C5C30@postman-pat.csafe.local>
In-Reply-To: <0fbd45bd-d678-4f69-b6f3-ec4e499894d4@f47g2000hsd.googlegroups.com>
From: "Tim Alsop" <Tim.Alsop@CyberSafe.Com>
To: "Speedo" <speedogoo@gmail.com>, <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Speedo,
This is due to a bug in Vista that will be fixed in SP1. There is a
hotfix available for pre-SP1. If you turn off UAC or use an account
which is not an administrator you don't need any fix.
The hotfix is described at http://support.microsoft.com/kb/942219/en-us
Thanks,
Tim
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Speedo
Sent: 28 January 2008 13:32
To: kerberos@mit.edu
Subject: Kerberos delegation on Windows Vista LSA
Hi Guys
I have a program doing Kerberos on Windows. The program generates all
Kerberos packets itself but will sometimes retrieve tickets from the
LSA cache so that the user needn't type in the Windows password. Before
Windows Vista, if I have to do delegation, I need a forwardable TGT to
put into a KRB_CRED message. In order to get the session key, I have
to set up the Windows registry key allowtgtsessionkey=1. Now in Vista,
even if the key is set, a domain user who is in the local admin group
still cannot get a valid session key. The only workaround now is to
create my own kinit and issue the AS_REQ, which means the user has to
input his password, and the user is not happy.
I suppose Vista is doing this for security reasons so that
unprivileged guys cannot use this "hole" to get back full admin rights.
Is that right? Does this mean I can never 1) generate Kerberos packets
myself and 2) use the LSA cache at the same time?
Thanks in advance
Speedo
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
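A defender-side audit of the two settings this thread turns on, added here as an example and not code from either poster. It assumes the standard registry locations of AllowTgtSessionKey (under the LSA Kerberos Parameters key) and EnableLUA (the UAC switch), and reports whether the calling token is elevated, which is the case Tim's reply distinguishes from a plain non-admin account.

```powershell
# Added example: audit whether LSA will hand TGT session keys to user-mode
# callers, and whether UAC is on. Registry paths are the standard ones and
# are an assumption of this snippet, not taken from the thread.
function Get-KerberosLsaExposure {
    $krbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $uacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # A missing value means the secure default: session key withheld (0).
    $allowKey = (Get-ItemProperty -Path $krbParams -Name AllowTgtSessionKey `
                    -ErrorAction SilentlyContinue).AllowTgtSessionKey
    if ($null -eq $allowKey) { $allowKey = 0 }

    # A missing EnableLUA means UAC is enabled (the default since Vista).
    $enableLua = (Get-ItemProperty -Path $uacPolicy -Name EnableLUA `
                    -ErrorAction SilentlyContinue).EnableLUA
    if ($null -eq $enableLua) { $enableLua = 1 }

    # Under UAC an admin-group member normally runs with a filtered token;
    # IsInRole is true only for the elevated (full) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User               = $identity.Name
        AllowTgtSessionKey = [int]$allowKey
        UacEnabled         = ($enableLua -ne 0)
        TokenElevated      = $elevated
        # Only 1 lets session keys leave LSA; that is the weaker setting the
        # application in the thread depends on, so flag it for review.
        SessionKeyExposed  = ($allowKey -eq 1)
        # The symptom reported for pre-SP1 Vista: key set, UAC on, and the
        # caller holding an unelevated admin-group token.
        VistaSymptomApplies = (($allowKey -eq 1) -and ($enableLua -ne 0) -and -not $elevated)
    }
}

Get-KerberosLsaExposure | Format-List
```

Run it once as the service account and once elevated to see which of the two conditions from the reply (UAC off, or a non-admin account) actually holds on a given host.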