From: jaltman@mit.edu
Subject: SVN Commit
On Windows Vista the GINA architecture was removed. As a side
effect the support for the Logon Event Handlers was also removed.
The KFW Integrated Logon functionality relies on the "Logon"
event handler to migrate the user's tickets from a secure FILE:
ccache to an API: ccache so that the tickets will be available
to NetIDMgr and all other Kerberos applications.

This functionality is especially important on Vista for
accounts that are members of the Administrators group because
the User Account Control (UAC) restricts access to the session
keys of all tickets in the MSLSA ccache. The only way for
tickets to be made available to MIT Kerberos applications is
by obtaining them within the Network Provider and pushing them
into the Logon Session.

This patch replaces the missing Logon Event Handler support
with a new exported function "LogonEventHandler" which adheres
to the rundll32.exe specifications. The "LogonEventHandler"
function accepts as input the name of a FILE ccache and moves
the contents into an API: ccache and then deletes the FILE
ccache.

In order for this to work the FILE ccache must be owned by
the account that was used to logon to the current session.
The NPLogonNotify() function must therefore look up the SID
for the active account, assign an appropriate DACL to the
ccache file, and change the owner. In addition, when Vista
is in use a LogonScript must be constructed that will perform
the call to rundll32.exe.

Other changes include altering the prototype of
KFW_copy_ccache_system_file to accept a filename instead of
the LogonID. This improves the abstraction and allows the
filename to be computed once and passed into multiple
functions from NPLogonNotify().

Many debugging calls were added to assist with implementation.
#define DEBUG 1 at the top of kfwcommon.c when you wish to
build with debugging that generates entries in the Windows
Application Event Viewer.

It is important to note that Integrated Logon attempts to
logon the username within the default realm within the
krb5.ini file using the provided password. This is so
a local machine account name matching the default realm
can obtain Kerberos tickets by synchronizing the password.



Commit By: jaltman



Revision: 19221
Changed Files:
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwlogon.c
U trunk/src/windows/kfwlogon/kfwlogon.def
U trunk/src/windows/kfwlogon/kfwlogon.h
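The commit above makes the FILE: ccache handed to LogonEventHandler depend on NPLogonNotify() having set the file's owner and DACL to the logged-on account. The following is an added example (not part of the KFW commits) that checks that invariant on a given ccache file from the defender's side; the trusted SID list and the "FILE:" prefix handling are assumptions.

```powershell
# Added example (not from the KFW commits): verify that a FILE: ccache is owned by
# the logged-on account and that no other non-privileged SID has an Allow ACE on it.
function Test-KfwCcacheOwnership {
    param(
        [Parameter(Mandatory)][string]$CcachePath,   # accepts "FILE:C:\..." or a bare path
        [string]$ExpectedSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $path = $CcachePath -replace '^FILE:', ''
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Ok = $false }
    }

    $acl      = Get-Acl -LiteralPath $path
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    # Assumption: SYSTEM, BUILTIN\Administrators and the user are the only SIDs that
    # should legitimately appear in Allow ACEs on a per-user ccache in the temp dir.
    $trusted = @('S-1-5-18', 'S-1-5-32-544', $ExpectedSid)
    $rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $foreign = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $trusted -notcontains $_.IdentityReference.Value
    })

    [pscustomobject]@{
        Path             = $path
        Exists           = $true
        OwnerSid         = $ownerSid
        OwnerMatch       = ($ownerSid -eq $ExpectedSid)
        ForeignAllowAces = @($foreign | ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" })
        Ok               = ($ownerSid -eq $ExpectedSid) -and ($foreign.Count -eq 0)
    }
}

# Constructed usage: path is a placeholder, not a path from the commits.
# Test-KfwCcacheOwnership -CcachePath "FILE:$env:TEMP\krb5cc_example"
```

A result with `OwnerMatch` false or a non-empty `ForeignAllowAces` means the migration step described in the commit would either fail or expose the tickets to another account.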
From: jaltman@mit.edu
Subject: SVN Commit
When using the Vista SDK version of NTSecAPI.h it is necessary
to ensure the _WIN32_WINNT has a value of 0x0501 or greater.
Otherwise, required LSA type declarations are undeclared.

Provide a registry value that can be set to turn on Application
Event log messages for debugging.

HKLM\System\CurrentControlSet\Services\MIT Kerberos\Network Provider
DWORD "Debug"

Ensure that KFW_obtain_user_temp_directory() returns a value on
error.

Correct the declaration of KFW_copy_cache_to_system_file()
to match the prototype.


Commit By: jaltman



Revision: 19240
Changed Files:
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwlogon.h
From: jaltman@mit.edu
Subject: SVN Commit
This commit addresses several issues:

(1) The registry key used for activating event reporting to
the Windows application log was wrong. It should be
"NetworkProvider" not "Network Provider".

(2) Event logging of the state of the "Debug" value has been
added so that it is possible to debug the use of event
reporting.

(3) The code no longer performs the pre-kinit operations
if a password was not provided.

(4) A new function KFW_copy_file_cache_to_api_cache() has
been added. This is used instead of
KFW_copy_file_cache_to_default_cache() permitting the
default cache to be MSLSA, FILE, or anything else.
The API cache name will be of the form API:principal
just as is done by Network Identity Manager.


Commit By: jaltman



Revision: 19289
Changed Files:
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwcpcc.c
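The r19240 and r19289 commits above introduce the "Debug" registry value and then correct its key name from "Network Provider" to "NetworkProvider". The following is an added example (not part of the KFW commits) that sets the value under the corrected key and flags a stale value left under the old one; the event-log filter terms are assumptions, since the commits do not name an event source.

```powershell
# Added example (not from the KFW commits): toggle kfwlogon Application-event-log
# debugging via the registry value the r19240/r19289 commits describe.
$CorrectKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider'
$LegacyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MIT Kerberos\Network Provider'  # pre-r19289 name

function Set-KfwLogonDebug {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    if (-not (Test-Path -LiteralPath $CorrectKey)) {
        New-Item -Path $CorrectKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $CorrectKey -Name 'Debug' -PropertyType DWord -Value $Enabled -Force | Out-Null

    # A value under the misspelled key is ignored by r19289+ builds; report it so
    # nobody assumes debugging is on when it is not.
    if (Test-Path -LiteralPath $LegacyKey) {
        $stale = Get-ItemProperty -LiteralPath $LegacyKey -Name 'Debug' -ErrorAction SilentlyContinue
        if ($null -ne $stale) {
            Write-Warning "Stale Debug=$($stale.Debug) under '$LegacyKey' is not read by current builds."
        }
    }
    (Get-ItemProperty -LiteralPath $CorrectKey -Name 'Debug').Debug
}

function Get-KfwLogonDebugEvents {
    param([int]$Hours = 1)
    # Assumption: the provider/message keywords below; the commits only say that
    # entries are written to the Windows Application log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-$Hours) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos*' -or
                       $_.Message -match 'kfwlogon|NPLogonNotify|LogonEventHandler' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

# Usage (requires an elevated session to write under HKLM):
# Set-KfwLogonDebug -Enabled 1
# Get-KfwLogonDebugEvents -Hours 2
# Set-KfwLogonDebug -Enabled 0
```

Leave the value at 0 outside of troubleshooting: the debug entries include logon-time details that do not belong in a production Application log.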
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19221 from trunk

r19221@cathode-dark-space: jaltman | 2007-03-13 02:35:13 -0400
ticket: new
subject: KFW: Vista Integrated Logon
component: windows

On Windows Vista the GINA architecture was removed. As a side
effect the support for the Logon Event Handlers was also removed.
The KFW Integrated Logon functionality relies on the "Logon"
event handler to migrate the user's tickets from a secure FILE:
ccache to an API: ccache so that the tickets will be available
to NetIDMgr and all other Kerberos applications.

This functionality is especially important on Vista for
accounts that are members of the Administrators group because
the User Account Control (UAC) restricts access to the session
keys of all tickets in the MSLSA ccache. The only way for
tickets to be made available to MIT Kerberos applications is
by obtaining them within the Network Provider and pushing them
into the Logon Session.

This patch replaces the missing Logon Event Handler support
with a new exported function "LogonEventHandler" which adheres
to the rundll32.exe specifications. The "LogonEventHandler"
function accepts as input the name of a FILE ccache and moves
the contents into an API: ccache and then deletes the FILE
ccache.

In order for this to work the FILE ccache must be owned by
the account that was used to logon to the current session.
The NPLogonNotify() function must therefore look up the SID
for the active account, assign an appropriate DACL to the
ccache file, and change the owner. In addition, when Vista
is in use a LogonScript must be constructed that will perform
the call to rundll32.exe.

Other changes include altering the prototype of
KFW_copy_ccache_system_file to accept a filename instead of
the LogonID. This improves the abstraction and allows the
filename to be computed once and passed into multiple
functions from NPLogonNotify().

Many debugging calls were added to assist with implementation.
#define DEBUG 1 at the top of kfwcommon.c when you wish to
build with debugging that generates entries in the Windows
Application Event Viewer.

It is important to note that Integrated Logon attempts to
logon the username within the default realm within the
krb5.ini file using the provided password. This is so
a local machine account name matching the default realm
can obtain Kerberos tickets by synchronizing the password.





Commit By: tlyu



Revision: 19334
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.def
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19240 from trunk

r19240@cathode-dark-space: jaltman | 2007-03-21 00:48:09 -0400
ticket: 5469

When using the Vista SDK version of NTSecAPI.h it is necessary
to ensure the _WIN32_WINNT has a value of 0x0501 or greater.
Otherwise, required LSA type declarations are undeclared.

Provide a registry value that can be set to turn on Application
Event log messages for debugging.

HKLM\System\CurrentControlSet\Services\MIT Kerberos\Network Provider
DWORD "Debug"

Ensure that KFW_obtain_user_temp_directory() returns a value on
error.

Correct the declaration of KFW_copy_cache_to_system_file()
to match the prototype.




Commit By: tlyu



Revision: 19335
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.h
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19289 from trunk

r19289@cathode-dark-space: jaltman | 2007-03-27 09:37:30 -0400
ticket: 5469

This commit addresses several issues:

(1) The registry key used for activating event reporting to
the Windows application log was wrong. It should be
"NetworkProvider" not "Network Provider".

(2) Event logging of the state of the "Debug" value has been
added so that it is possible to debug the use of event
reporting.

(3) The code no longer performs the pre-kinit operations
if a password was not provided.

(4) A new function KFW_copy_file_cache_to_api_cache() has
been added. This is used instead of
KFW_copy_file_cache_to_default_cache() permitting the
default cache to be MSLSA, FILE, or anything else.
The API cache name will be of the form API:principal
just as is done by Network Identity Manager.




Commit By: tlyu



Revision: 19336
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwcpcc.c