RT/krbdev.mit.edu: Ticket #5477 Enable Vista support for MSLSA
The Basics
Id: 5477
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: windows
Tags:
Version_reported:
Version_Fixed: 1.6.1
Target_Version: 1.6.1

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
  • 5462: (jaltman) Vista no longer returns enctype 0 for unavailable session keys [open]

Dates
Created: Tue Mar 20 03:13:25 2007
Starts: Not set
Started: Tue Mar 20 03:13:29 2007
Last Contact: Tue Mar 18 13:35:14 2008
Due: Not set
Updated: Wed Dec 16 18:02:49 2015 by tlyu

People
Owner: jaltman
Requestors: jaltman@mit.edu
Cc:
AdminCc:

History
      Tue Mar 20 03:13:26 2007  jaltman - Ticket created    
     
From: jaltman@mit.edu
Subject: SVN Commit

The MSLSA: ccache type when used on Windows Vista can take advantage of an ability to
write tickets to the LSA credential cache for the current logon session.   This is
possible due to the addition of the KERB_SUBMIT_TICKET interface.

Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient
method of enumerating the contents of the LSA credential cache.

The code to take advantage of these features has been present for more than a year.
However, due to the lack of a public SDK that included the necessary data structures
the functionality has been disabled.  As of this commit, the functionality will be
enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS.
This is a preprocessor symbol that is new to the Vista SDK.

In order to build with the new Vista functionality when using the XP SP2 SDK, the
NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP
SP2 SDK.

This commit also addresses the issues associated with the inability to read session
keys from a UAC limited process.   When UAC limitation is detected by examining the
process token elevation level all access to the MSLSA contents is disabled.   At some
point in the future we can implement an elevated COM service in order to obtain
access to the session keys.
Commit By: jaltman



Revision: 19237
Changed Files:
U   trunk/src/lib/krb5/ccache/cc_mslsa.c


      Tue Mar 20 03:13:29 2007  jaltman - Tags pullup added    
      Tue Mar 20 03:13:29 2007  jaltman - Status changed from new to resolved    
      Tue Mar 20 03:13:30 2007  jaltman - Requestor jaltman@mit.edu added    
      Tue Mar 20 03:16:32 2007  jaltman - Component windows added    
      Tue Mar 20 03:16:33 2007  jaltman - Target_Version 1.6.1 added    
      Thu Mar 29 23:09:20 2007  tlyu - Version_Fixed 1.6.1 added    
      Thu Mar 29 23:09:20 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r19237 from trunk

 r19237@cathode-dark-space:  jaltman | 2007-03-20 03:13:18 -0400
 ticket: new
 subject: Enable Vista support for MSLSA
 tags: pullup

 The MSLSA: ccache type when used on Windows Vista can take advantage of an ability
to write tickets to the LSA credential cache for the current logon session.   This is
possible due to the addition of the KERB_SUBMIT_TICKET interface.

 Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more
efficient method of enumerating the contents of the LSA credential cache.

 The code to take advantage of these features has been present for more than a year.
However, due to the lack of a public SDK that included the necessary data structures
the functionality has been disabled.  As of this commit, the functionality will be
enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS.
This is a preprocessor symbol that is new to the Vista SDK.

 In order to build with the new Vista functionality when using the XP SP2 SDK, the
NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP
SP2 SDK.

 This commit also addresses the issues associated with the inability to read session
keys from a UAC limited process.   When UAC limitation is detected by examining the
process token elevation level all access to the MSLSA contents is disabled.   At some
point in the future we can implement an elevated COM service in order to obtain
access to the session keys.


Commit By: tlyu



Revision: 19337
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c


      Tue Mar 18 13:35:10 2008  kpkoch - Correspondence added    
     
>... As of this commit, the functionality will be enabled if
>    the version of NTSecAPI.h includes
>    TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS.  This is a preprocessor symbol
>    that is new to the Vista SDK.
>
> In order to build with the new Vista functionality when using the XP
>    SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in
>    place of the version from the XP SP2 SDK.

The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketed in #if
(_WIN32_WINNT >= 0x0600).  How will the functionality be enabled if the
product is built on XP?


      Tue Mar 18 13:40:12 2008  jaltman - Correspondence added    
     
Date: Tue, 18 Mar 2008 11:42:26 -0600
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5477] Enable Vista support for MSLSA
RT-Send-Cc: 

Kevin Koch via RT wrote:
>> ... As of this commit, the functionality will be enabled if
>>    the version of NTSecAPI.h includes
>>    TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS.  This is a preprocessor symbol
>>    that is new to the Vista SDK.
>>
>> In order to build with the new Vista functionality when using the XP
>>    SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in
>>    place of the version from the XP SP2 SDK.
>
> The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketed in #if
> (_WIN32_WINNT >= 0x0600).  How will the functionality be enabled if the
> product is built on XP?

See the cc_mslsa.c source file.  It always defines _WIN32_WINNT as 0x0600.






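The two gates the ticket describes, shown together as an added example in C; this is not code from the krb5 tree, from cc_mslsa.c, or from the ticket's authors. The compile-time gate is the one the last two messages discuss: TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is only visible when _WIN32_WINNT is 0x0600 or higher before NTSecAPI.h is included, so the version macro is defined first. The run-time gate is the one from the commit message: the process token's elevation type is examined and, if the token is UAC-limited, MSLSA access is disabled. The Win32 calls used (OpenProcessToken, GetTokenInformation with TokenElevationType, the TOKEN_ELEVATION_TYPE values) are real Vista-era APIs; the helper names, the non-Windows fallback enum, and the choice to treat a failed elevation query as "UAC not in effect" are this example's own assumptions.

```c
/*
 * Added example (not krb5 project code): the compile-time SDK check and the
 * run-time UAC check that ticket #5477 describes for the MSLSA: ccache type.
 */
#ifdef _WIN32
#  ifndef _WIN32_WINNT
     /* Vista definitions, including TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS, sit
      * behind #if (_WIN32_WINNT >= 0x0600), so set it before any include. */
#    define _WIN32_WINNT 0x0600
#  endif
#  include <windows.h>
#  include <ntsecapi.h>
#else
/* Non-Windows build (assumption for portability): mirror the values of
 * TOKEN_ELEVATION_TYPE from winnt.h so the policy logic can still run. */
typedef enum {
    TokenElevationTypeDefault = 1,  /* UAC not in effect (e.g. XP, UAC off) */
    TokenElevationTypeFull    = 2,  /* elevated (full) token */
    TokenElevationTypeLimited = 3   /* filtered token of a UAC-limited process */
} TOKEN_ELEVATION_TYPE;
#endif

#include <stdio.h>

/* Compile-time gate: the commit enables the Vista-only LSA interfaces
 * (KERB_SUBMIT_TICKET, CACHE_INFO_EX2) only when the SDK header is new
 * enough, detected through this preprocessor symbol. */
#ifdef TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS
#  define HAVE_VISTA_LSA_FEATURES 1
#else
#  define HAVE_VISTA_LSA_FEATURES 0
#endif

/* 1 if the headers exposed the Vista LSA structures when this was compiled. */
int vista_lsa_features_compiled_in(void)
{
    return HAVE_VISTA_LSA_FEATURES;
}

/* Run-time policy from the commit message: a UAC-limited process cannot read
 * session keys out of the LSA, so all MSLSA access is disabled rather than
 * handing back credentials that cannot be used. */
int mslsa_access_allowed(TOKEN_ELEVATION_TYPE elevation)
{
    return elevation != TokenElevationTypeLimited;
}

/* Look up the current process token's elevation type.  Returns 1 on success
 * and stores the type in *out; returns 0 if the token cannot be opened.
 * Assumption: a failed TokenElevationType query (pre-Vista OS) is reported
 * as TokenElevationTypeDefault, i.e. no UAC restriction in effect. */
int current_token_elevation(TOKEN_ELEVATION_TYPE *out)
{
#ifdef _WIN32
    HANDLE token;
    DWORD len = 0;
    TOKEN_ELEVATION_TYPE type;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
        return 0;
    if (!GetTokenInformation(token, TokenElevationType, &type,
                             sizeof(type), &len))
        type = TokenElevationTypeDefault;
    CloseHandle(token);
    *out = type;
    return 1;
#else
    *out = TokenElevationTypeDefault;   /* no UAC concept on this host */
    return 1;
#endif
}

/* Combined decision for this process: 1 = MSLSA access allowed, 0 = disabled. */
int mslsa_enabled_for_current_process(void)
{
    TOKEN_ELEVATION_TYPE type;

    if (!current_token_elevation(&type))
        return 0;               /* cannot inspect the token: fail closed */
    return mslsa_access_allowed(type);
}

int main(void)
{
    TOKEN_ELEVATION_TYPE type;

    printf("Vista LSA features compiled in: %s\n",
           vista_lsa_features_compiled_in() ? "yes" : "no");
    if (current_token_elevation(&type))
        printf("token elevation type %d -> MSLSA access %s\n", (int)type,
               mslsa_access_allowed(type) ? "allowed" : "disabled (UAC-limited)");
    else
        printf("could not open process token; MSLSA access disabled\n");
    return 0;
}
```

Built against the XP SP2 SDK with its own NTSecAPI.h, the first line prints "no" even with _WIN32_WINNT forced to 0x0600, because the symbol is simply absent from that header; that is why the commit message asks for the Vista SDK copy of the file. On Vista, running the same binary from a non-elevated shell yields elevation type 3 and a disabled cache, and from an elevated shell type 2 and an enabled one.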
      Wed Dec 16 18:02:49 2015  tlyu - Keyword pullup deleted