Kerberos delegation on Windows Vista LSA - Kerberos


Thread: Kerberos delegation on Windows Vista LSA

  1. Kerberos delegation on Windows Vista LSA

    Hi Guys

    I have a program doing Kerberos on Windows. The program generates all
    Kerberos packets itself but will sometimes retrieve tickets from the
    LSA cache so that the user needn't type in the Windows password. Before
    Windows Vista, if I have to do delegation, I need a forwardable TGT to
    put into a KRB_CRED message. In order to get the session key, I have
    to set up the Windows registry key allowtgtsessionkey=1. Now in Vista,
    even if the key is set, a domain user who is in the local admin group
    still cannot get a valid session key. The only workaround now is to
    create my own kinit and issue the AS_REQ, which means the user has to
    input his password, and the user is not happy.

    I suppose Vista is doing this for security reasons so that
    unprivileged guys cannot use this "hole" to get back full admin rights.
    Is that right? Does this mean I can never 1) generate Kerberos packets
    myself and 2) use the LSA cache at the same time?

    Thanks in advance
    Speedo

  2. RE: Kerberos delegation on Windows Vista LSA

    Speedo,

    This is due to a bug in Vista that will be fixed in SP1. There is a
    hotfix available for pre-SP1. If you turn off UAC or use an account
    which is not an administrator you don't need any fix.

    The hotfix is described at http://support.microsoft.com/kb/942219/en-us

    Thanks,
    Tim

    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
    Behalf Of Speedo
    Sent: 28 January 2008 13:32
    To: kerberos@mit.edu
    Subject: Kerberos delegation on Windows Vista LSA

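The thread turns on three machine settings: the allowtgtsessionkey registry value the original poster enables, UAC (which Tim says masks the problem when turned off or when the account is not an administrator), and the KB942219 hotfix. The following PowerShell audit script is an added example, not code from either poster; it reads those settings so an administrator can see at a glance why LSA does or does not hand out the TGT session key on a given box. The registry paths are the documented ones (`HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey` and the `EnableLUA` policy value); the helper name `Get-DwordOrDefault` is this example's own.

```powershell
# Added example (not from the thread): audit the settings the discussion depends on.
# AllowTgtSessionKey controls whether LSA returns the TGT session key to callers.
# Enabling it widens what any local process can pull from the ticket cache, so an
# auditor wants to know where it is set to 1 and why.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$uacPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Helper (this example's own): read a REG_DWORD, or fall back to the OS default
# when the value has never been created.
function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    try {
        [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $Default
    }
}

# Windows default: session keys are NOT exported (0); UAC is enabled (1).
$allowTgtKey = Get-DwordOrDefault -Path $kerbParams -Name 'AllowTgtSessionKey' -Default 0
$enableLua   = Get-DwordOrDefault -Path $uacPolicy  -Name 'EnableLUA'          -Default 1

# KB942219 is the pre-SP1 hotfix Tim references; absent on SP1 and later builds,
# where the fix is already included.
$hotfix    = Get-HotFix -Id 'KB942219' -ErrorAction SilentlyContinue
$osVersion = [Environment]::OSVersion.Version   # Vista RTM/SP1 report 6.0

$report = [pscustomobject]@{
    OSVersion          = $osVersion.ToString()
    AllowTgtSessionKey = $allowTgtKey
    UACEnabled         = ($enableLua -ne 0)
    KB942219Installed  = [bool]$hotfix
}
$report | Format-List

if ($allowTgtKey -eq 1) {
    Write-Warning ('AllowTgtSessionKey=1: TGT session keys are exposed to local callers. ' +
                   'Set it back to 0 unless a specific application still needs it.')
}
```

Run it from an elevated prompt on the machine in question; the LSA parameters key is readable by standard users, but `Get-HotFix` and the policy key can require elevation on some builds. The combination the thread describes (Vista, `AllowTgtSessionKey` set to 1, UAC enabled, hotfix missing) is the one where a split-token administrator still gets no usable session key; the report makes that state visible before anyone starts tinkering with the registry.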


  3. Re: Kerberos delegation on Windows Vista LSA

    Thanks a lot, I'll try it tomorrow.

    Speedo

    On Jan 28, 9:59 pm, "Tim Alsop" wrote:

