To: kfw-bugs@MIT.EDU
Subject: Vista no longer returns enctype 0 for unavailable session keys
Date: Tue, 6 Mar 2007 18:44:00 -0500 (EST)
From: hartmans@MIT.EDU (Sam Hartman)


Previous versions of Windows returned enctype 0 when a session key was unavailable in the cache because the allow session key registry key was not 1.

According to discussion on krbdev, Vista returns the same enctype the
session key actually has, but returns an all-zeros key. The MSLSA
should detect this situation and treat it the same as an enctype 0
ticket.

Currently when you try to use such a ticket you get a DES parity
error. That's only because 0 is not a valid DES key. For other
enctypes you would get much more confusing errors.

Date: Tue, 06 Mar 2007 18:49:26 -0500
From: Jeffrey Altman <jaltman@mit.edu>
To: rt-kfw@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys

Testing for a zero session key is not reliable. The MSLSA code needs to
be modified to detect the use of an account in the Administrators group
and the activation of UAC and disable the MSLSA support.

The same test would be used to trigger any alternative mechanism for the
acquisition of tickets from the MSLSA.

Ticket 5477 adds UAC detection to cc_mslsa.c. When the current process
is running under a UAC limited token, access to the MSLSA is disabled.

At some point KFW may implement a service or COM object that runs with
elevation so that it can be used to provide proxy access to the
LSA credential cache session keys.

Confirmation has been received that Vista SP1 will include a hot fix
that re-enables access to session tickets for Administrator group member
accounts when running under UAC.

The cc_mslsa.c test for UAC will have to be modified to test for the SP1
version number.

Vista SP1 beta will be available to select testers within the next two
weeks.

[jaltman - Tue Sep 4 14:39:20 2007]:
> Vista SP1 beta will be available to select testers within the next two
> weeks.

Vista SP1 Beta 1 does not contain any changes in this area.

The open issue with Microsoft is SRQ070322604363 and the hot fix for
Vista RTM is KB 942219.

There is no runtime test that can be performed to determine if the hot
fix is applied. When the hotfix becomes widely available we are going
to have to use either a Windows build number test or attempt to
enumerate the installed update list.

From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys
Date: Mon, 15 Oct 2007 06:59:10 -0400

I'd like to explore options for a runtime test. I understand that
you've thought about this, but perhaps once you get the hotfix, we
could walk through options for a runtime test that works in practice
even if Microsoft did not design one.

I don't want this to block anything.

Date: Mon, 15 Oct 2007 22:48:32 -0400
From: Danny Mayer <mayer@ntp.isc.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys

Jeffrey Altman via RT wrote:
> [jaltman - Tue Sep 4 14:39:20 2007]:
>> Vista SP1 beta will be available to select testers within the next two
>> weeks.
>
> Vista SP1 Beta 1 does not contain any changes in this area.
>
> The open issue with Microsoft is SRQ070322604363 and the hot fix for
> Vista RTM is KB 942219.
>
> There is no runtime test that can be performed to determine if the hot
> fix is applied. When the hotfix becomes widely available we are going
> to have to use either a Windows build number test or attempt to
> enumerate the installed update list.

Historically, Hotfixes ended up creating a folder in the Windows
directory called $NtUninstallKB873339$. Is that no longer true with
Vista? I could have sworn that it also added it to the registry but I
can't find where.

Danny

From: "Christopher D. Clausen" <cclausen@acm.org>
To: <rt@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys
Date: Mon, 15 Oct 2007 22:25:59 -0500

mayer@ntp.isc.org via RT <rt@krbdev.mit.edu> wrote:
> Jeffrey Altman via RT wrote:
>> [jaltman - Tue Sep 4 14:39:20 2007]:
>>> Vista SP1 beta will be available to select testers within the next
>>> two weeks.
>>
>> Vista SP1 Beta 1 does not contain any changes in this area.
>>
>> The open issue with Microsoft is SRQ070322604363 and the hot fix for
>> Vista RTM is KB 942219.
>>
>> There is no runtime test that can be performed to determine if the
>> hot fix is applied. When the hotfix becomes widely available we are
>> going to have to use either a Windows build number test or attempt to
>> enumerate the installed update list.
>
> Historically, Hotfixes ended up creating a folder in the Windows
> directory called $NtUninstallKB873339$. Is that no longer true with
> Vista? I could have sworn that it also added it to the registry but I
> can't find where.

One should not assume those exist. I for one delete such directories to
save disk space before cloning systems.

I would assume that it is possible to check the version number of
Kerberos.dll and make sure it is equal to or newer than the version in
the KB article.

<<CDC

Date: Tue, 16 Oct 2007 00:15:00 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys

""Christopher D. Clausen" via RT" wrote:
>
> I would assume that it is possible to check the version number of
> Kerberos.dll and make sure it is equal to or newer than the version in
> the KB article.
Not a safe assumption either. The Vista SP1 Beta 1 kerberos.dll has a
later version number than the hotfix. You need to know what is in each
version.

From: "Christopher D. Clausen" <cclausen@acm.org>
To: <rt@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys
Date: Mon, 15 Oct 2007 23:50:57 -0500

Jeffrey Altman via RT <rt@krbdev.mit.edu> wrote:
> ""Christopher D. Clausen" via RT" wrote:
>> I would assume that it is possible to check the version number of
>> Kerberos.dll and make sure it is equal to or newer than the version
>> in the KB article.
>
> Not a safe assumption either. The Vista SP1 Beta 1 kerberos.dll has
> a later version number than the hotfix. You need to know what is in
> each version.

Hmm... would it be better to maintain a list of known bad versions?

<<CDC

Date: Tue, 16 Oct 2007 10:07:24 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5462] Vista no longer returns enctype 0 for unavailable session keys

""Christopher D. Clausen" via RT" wrote:
>
> Hmm... would it be better to maintain a list of known bad versions?
>
>
I have no idea what the list of known bad versions would be.
Theoretically, you could say that the list of known good versions will
be the version of the preliminary hotfix and all versions after the
hotfix is incorporated into an SP1 release. However, given that the
deployment of Vista is relatively low and that, given its automatic
update functionality, the vast majority of users will be on SP1
shortly after its release, it is probably better simply to ignore the
hotfix and just target SP1.
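
The UAC gate this thread converges on (refuse MSLSA access under a UAC limited token, and target SP1 rather than the hotfix), as an added example that is not part of the thread and is not the code in cc_mslsa.c. The names `mslsa_usable`, `current_elevation` and `enum elevation` are hypothetical, and treating every release from SP1 onward as fixed is an assumption drawn from the last message.

```c
#include <stdbool.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Numbered like the Win32 TOKEN_ELEVATION_TYPE enumeration. */
enum elevation { ELEV_DEFAULT = 1, ELEV_FULL = 2, ELEV_LIMITED = 3 };

/* Hypothetical helper; policy assumed from the thread: only a UAC limited
 * token on Vista RTM (6.0, no service pack) is refused. The hotfix cannot be
 * detected at run time, so a hotfixed RTM system is still treated as RTM. */
bool mslsa_usable(unsigned major, unsigned minor, unsigned sp, enum elevation elev)
{
    if (elev != ELEV_LIMITED)
        return true;    /* no UAC limited token in play */
    if (major == 6 && minor == 0 && sp == 0)
        return false;   /* Vista RTM: session key would be all zeros */
    return true;        /* assumption: fixed from SP1 onward */
}

#ifdef _WIN32
/* Hypothetical helper: elevation type of the current process token. */
static enum elevation current_elevation(void)
{
    HANDLE tok;
    TOKEN_ELEVATION_TYPE type = TokenElevationTypeDefault;
    DWORD len = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return ELEV_DEFAULT;
    /* The query fails before Vista, where elevation types do not exist. */
    if (!GetTokenInformation(tok, TokenElevationType, &type, sizeof(type), &len))
        type = TokenElevationTypeDefault;
    CloseHandle(tok);
    return (enum elevation)type;
}
#endif

int main(void)
{
    bool ok = mslsa_usable(6, 0, 0, ELEV_LIMITED);  /* constructed: Vista RTM */
#ifdef _WIN32
    OSVERSIONINFOEX vi = { sizeof(vi) };
    if (GetVersionEx((OSVERSIONINFO *)&vi))
        ok = mslsa_usable(vi.dwMajorVersion, vi.dwMinorVersion,
                          vi.wServicePackMajor, current_elevation());
#endif
    printf("MSLSA ccache %s\n", ok ? "enabled" : "disabled");
    return 0;
}
```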