Ticket History #5469: KFW: Vista Integrated Logon

This commit addresses several issues:

(1) The registry key used for activating event reporting to
the Windows application log was wrong. It should be
"NetworkProvider" not "Network Provider"

(2) Event logging of the state of the "Debug" value has been
added so that it is possible to debug the use of event
reporting.

(3) The code no longer performs the pre-kinit operations
if a password was not provided.

(4) A new function KFW_copy_file_cache_to_api_cache() has
been added. This is used instead of
KFW_copy_file_cache_to_default_cache() permitting the
default cache to be MSLSA, FILE, or anything else.
The API cache name will be of the form API:principal
just as is done by Network Identity Manager.


Commit By: jaltman



Revision: 19289
Changed Files:
U trunk/src/windows/kfwlogon/kfwcommon.c
U trunk/src/windows/kfwlogon/kfwcpcc.c

pull up r19221 from trunk

r19221@cathode-dark-space: jaltman | 2007-03-13 02:35:13 -0400
ticket: new
subject: KFW: Vista Integrated Logon
component: windows

On Windows Vista the GINA architecture was removed. As a side
effect the support for the Logon Event Handlers was also removed.
The KFW Integrated Logon functionality relies on the "Logon"
event handler to migrate the user's tickets from a secure FILE:
ccache to an API: ccache so that the tickets will be available
to NetIDMgr and all other Kerberos applications.

This functionality is especially important on Vista for
accounts that are members of the Administrators group because
the User Account Control (UAC) restricts access to the session
keys of all tickets in the MSLSA ccache. The only way for
tickets to be made available to MIT Kerberos applications is
by obtaining them within the Network Provider and pushing them
into the Logon Session.

This patch replaces the missing Logon Event Handler support
with a new exported function "LogonEventHandler" which adheres
to the rundll32.exe specifications. The "LogonEventHandler"
function accepts as input the name of a FILE ccache and moves
the contents into an API: ccache and then deletes the FILE
ccache.

In order for this to work the FILE ccache must be owned by
the account that was used to logon to the current session.
The NPLogonNotify() function must therefore lookup the SID
for the active account, assign an appropriate DACL to the
ccache file, and change the owner. In addition, when Vista
is in use a LogonScript must be constructed that will perform
the call to rundll32.exe.

Other changes include altering the prototype of
KFW_copy_ccache_system_file to accept a filename instead of
the LogonID. This improves the abstraction and allows the
filename to be computed once and passed into multiple
functions from NPLogonNotify().

Many debugging calls were added to assist with implementation.
#define DEBUG 1 at the top of kfwcommon.c when you wish to
build with debugging that generates entries in the Windows
Application Event Viewer.

It is important to note that Integrated Logon attempts to
logon the username within the default realm within the
krb5.ini file using the provided password. This is so
a local machine account name matching the default realm
can obtain Kerberos tickets by synchronizing the password.





Commit By: tlyu



Revision: 19334
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/windows/kfwlogon/kfwcommon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.c
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.def
U branches/krb5-1-6/src/windows/kfwlogon/kfwlogon.h