RT/krbdev.mit.edu: Ticket #5477 Enable Vista support for MSLSA

RT/krbdev.mit.edu: Ticket #5477 Enable Vista support for MSLSA

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
5477

Status
resolved

Worked
0 min

Priority
0/0

Queue
krb5

Keyword Selections

Component	windows
Tags
Version_reported
Version_Fixed	1.6.1
Target_Version	1.6.1

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

5462: (jaltman) Vista no longer returns enctype 0 for unavailable session keys [open]

Dates

Created:	Tue Mar 20 03:13:25 2007
Starts:	Not set
Started:	Tue Mar 20 03:13:29 2007
Last Contact:	Tue Mar 18 13:35:14 2008
Due:	Not set
Updated:	Wed Dec 16 18:02:49 2015 by tlyu

People

Owner
jaltman
Requestors
jaltman@mit.edu
Cc

AdminCc

More about Jeffrey Altman

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

1527: krb5_rd_safe_basic() throws exception when sender_addr is NULL (new)
1809: Krb5 Telnet[d] improperly truncates 3DES keys to DES key (new)
2137: krb5_cc_get_principal prevents implementation of auto kinit dialogs in KfM/KfW (new)
2147: Debug output hooks need to be added to support Windows Help Desk (open)
2253: W2K+3 vs MIT RC4-HMAC based cross-realm trusts (open)
2547: Add support for kpasswd/TCP to kadmind (open)
2636: replace all calls to getenv()/setenv() with Get/SetEnvironmentVariable on Windows (open)
2640: krb5_cc_default() blocks for two minutes when MSLSA and Logon Server Unavailable (open)
2736: recode krb5_get_credentials to work without a ccache (new)
3112: telnet does not build on Fedora Core 4 (new)
4325: src/include/krb5_err.h needs to be updated to match RFC4120 (new)
4328: Implement new krb5_get_credentials option: KRB5_GC_REPLACE (open)
4740: cccursor backend for MSLSA (new)
5501: Vista UAC impact on Windows Installer requires modifications to admin privilege test (open)
5536: Build Script Fails to build KFW (open)
5543: Build Scripts fail to package with "beta" version (new)
5714: Build Script - Update for 64-bit Windows build (open)
5718: NIM: BUG: APP: Configuration Identity Panel Apply Button (open)
5720: NIM: BUG: APP: Create command-line request queue (open)
5721: NIM: BUG: KRB5: Identity validation can succeed without prompts (open)
5722: NIM: FEATURE: KRB5: If KDCs for a particular realm become reachable, prompt for new creds (open)
5723: NIM: FEATURE: KRB5: FILE ccache browse button (open)
5725: NIM: FEATURE: APP: Plug-in Configuration Panel improvements (open)
5726: NIM: FEATURE: APP: Notification Icon Help Menu should list provider specific help (open)
5727: NIM: FEATURE: APP: Status Messages (open)

History

Display mode: [Brief headers] [Full headers]

Tue Mar 20 03:13:26 2007	jaltman - Ticket created
From: jaltman@mit.edu Subject: SVN Commit The MSLSA: ccache type when used on Windows Vista can take advantage of an ability to write tickets to the LSA credential cache for the current logon session. This is possible due to the addition of the KERB_SUBMIT_TICKET interface. Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient method of enumerating the contents of the LSA credential cache. The code to take advantage of these features has been present for more than a year. However, due to the lack of a public SDK that included the necessary data structures the functionality has been disabled. As of this commit, the functionality will be enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol that is new to the Vista SDK. In order to build with the new Vista functionality when using the XP SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP SP2 SDK. This commit also addresses the issues associated with the inability to read session keys from a UAC limited process. When UAC limitation is detected by examining the process token elevation level all access to the MSLSA contents is disabled. At some point in the future we can implement an elevated COM service in order to obtain access to the session keys. Commit By: jaltman Revision: 19237 Changed Files: U trunk/src/lib/krb5/ccache/cc_mslsa.c		Download (untitled) 1.3k
Tue Mar 20 03:13:29 2007	jaltman - Tags pullup added
Tue Mar 20 03:13:29 2007	jaltman - Status changed from new to resolved
Tue Mar 20 03:13:30 2007	jaltman - Requestor jaltman@mit.edu added
Tue Mar 20 03:16:32 2007	jaltman - Component windows added
Tue Mar 20 03:16:33 2007	jaltman - Target_Version 1.6.1 added
Thu Mar 29 23:09:20 2007	tlyu - Version_Fixed 1.6.1 added
Thu Mar 29 23:09:20 2007	tlyu - Correspondence added
From: tlyu@mit.edu Subject: SVN Commit pull up r19237 from trunk r19237@cathode-dark-space: jaltman \| 2007-03-20 03:13:18 -0400 ticket: new subject: Enable Vista support for MSLSA tags: pullup The MSLSA: ccache type when used on Windows Vista can take advantage of an ability to write tickets to the LSA credential cache for the current logon session. This is possible due to the addition of the KERB_SUBMIT_TICKET interface. Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient method of enumerating the contents of the LSA credential cache. The code to take advantage of these features has been present for more than a year. However, due to the lack of a public SDK that included the necessary data structures the functionality has been disabled. As of this commit, the functionality will be enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol that is new to the Vista SDK. In order to build with the new Vista functionality when using the XP SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP SP2 SDK. This commit also addresses the issues associated with the inability to read session keys from a UAC limited process. When UAC limitation is detected by examining the process token elevation level all access to the MSLSA contents is disabled. At some point in the future we can implement an elevated COM service in order to obtain access to the session keys. Commit By: tlyu Revision: 19337 Changed Files: _U branches/krb5-1-6/ U branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c		Download (untitled) 1.5k
Tue Mar 18 13:35:10 2008	kpkoch - Correspondence added
>... As of this commit, the functionality will be enabled if > the version of NTSecAPI.h includes > TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol > that is new to the Vista SDK. > > In order to build with the new Vista functionality when using the XP > SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in > place of the version from the XP SP2 SDK. The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketted in #if (_WIN32_WINNT >= 0x0600). How will the functionality be enabled if the product is built on XP?		Download (untitled) 569b
Tue Mar 18 13:40:12 2008	jaltman - Correspondence added
Date: Tue, 18 Mar 2008 11:42:26 -0600 From: Jeffrey Altman <jaltman@mit.edu> To: rt@krbdev.mit.edu Subject: Re: [krbdev.mit.edu #5477] Enable Vista support for MSLSA RT-Send-Cc: Kevin Koch via RT wrote: >> ... As of this commit, the functionality will be enabled if >> the version of NTSecAPI.h includes >> TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol >> that is new to the Vista SDK. >> >> In order to build with the new Vista functionality when using the XP >> SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in >> place of the version from the XP SP2 SDK. > > The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketted in #if > (_WIN32_WINNT >= 0x0600). How will the functionality be enabled if the > product is built on XP? See the cc_mslsa.c source file. It always defines _WIN32_WINNT as 0x0600		Download (untitled) 690b
Wed Dec 16 18:02:49 2015	tlyu - Keyword pullup deleted