From: jaltman@mit.edu
Subject: SVN Commit
The MSLSA: ccache type when used on Windows Vista can take advantage of an ability to write tickets to the LSA credential cache for the current logon session. This is possible due to the addition of the KERB_SUBMIT_TICKET interface.

Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient method of enumerating the contents of the LSA credential cache.

The code to take advantage of these features has been present for more than a year. However, due to the lack of a public SDK that included the necessary data structures, the functionality has been disabled. As of this commit, the functionality will be enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol that is new to the Vista SDK.

In order to build with the new Vista functionality when using the XP SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP SP2 SDK.

This commit also addresses the issues associated with the inability to read session keys from a UAC limited process. When UAC limitation is detected by examining the process token elevation level, all access to the MSLSA contents is disabled. At some point in the future we can implement an elevated COM service in order to obtain access to the session keys.
Commit By: jaltman



Revision: 19237
Changed Files:
U trunk/src/lib/krb5/ccache/cc_mslsa.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19237 from trunk

r19237@cathode-dark-space: jaltman | 2007-03-20 03:13:18 -0400
ticket: new
subject: Enable Vista support for MSLSA
tags: pullup

The MSLSA: ccache type when used on Windows Vista can take advantage of an ability to write tickets to the LSA credential cache for the current logon session. This is possible due to the addition of the KERB_SUBMIT_TICKET interface.

Also new to Vista is the CACHE_INFO_EX2 interface which permits a much more efficient method of enumerating the contents of the LSA credential cache.

The code to take advantage of these features has been present for more than a year. However, due to the lack of a public SDK that included the necessary data structures, the functionality has been disabled. As of this commit, the functionality will be enabled if the version of NTSecAPI.h includes TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol that is new to the Vista SDK.

In order to build with the new Vista functionality when using the XP SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in place of the version from the XP SP2 SDK.

This commit also addresses the issues associated with the inability to read session keys from a UAC limited process. When UAC limitation is detected by examining the process token elevation level, all access to the MSLSA contents is disabled. At some point in the future we can implement an elevated COM service in order to obtain access to the session keys.


Commit By: tlyu



Revision: 19337
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/cc_mslsa.c
>... As of this commit, the functionality will be enabled if
> the version of NTSecAPI.h includes
> TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol
> that is new to the Vista SDK.
>
> In order to build with the new Vista functionality when using the XP
> SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in
> place of the version from the XP SP2 SDK.

The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketed in #if
(_WIN32_WINNT >= 0x0600). How will the functionality be enabled if the
product is built on XP?
Date: Tue, 18 Mar 2008 11:42:26 -0600
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5477] Enable Vista support for MSLSA
Kevin Koch via RT wrote:
>> ... As of this commit, the functionality will be enabled if
>> the version of NTSecAPI.h includes
>> TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS. This is a preprocessor symbol
>> that is new to the Vista SDK.
>>
>> In order to build with the new Vista functionality when using the XP
>> SP2 SDK, the NTSecAPI.h file from the Vista SDK must be used in
>> place of the version from the XP SP2 SDK.
>
> The #define of TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS is bracketed in #if
> (_WIN32_WINNT >= 0x0600). How will the functionality be enabled if the
> product is built on XP?

See the cc_mslsa.c source file. It always defines _WIN32_WINNT as 0x0600
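To make the two gates described in the commit message and in the reply above concrete, here is an added C illustration (not code from krb5's cc_mslsa.c): it defines _WIN32_WINNT as 0x0600 before the SDK header so the Vista-only guard is reached even with an older SDK, gates the feature on TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS, and refuses all MSLSA: access when the process token is UAC-limited. Off Windows, a constructed stand-in for the relevant NTSecAPI.h lines (with a placeholder value) replaces the real header, and the function names are my own.

```c
/* Added illustration, not the krb5 cc_mslsa.c source. Defining _WIN32_WINNT
 * before any SDK header is what cc_mslsa.c does, and it is why the
 * "#if (_WIN32_WINNT >= 0x0600)" guard in NTSecAPI.h is satisfied even
 * when the product is built on XP with a Vista copy of the header. */
#define _WIN32_WINNT 0x0600

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
/* Constructed stand-in for the guarded lines of NTSecAPI.h so the gating
 * logic compiles anywhere; the numeric value is a placeholder. */
#if (_WIN32_WINNT >= 0x0600)
#define TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS 0x00000100
#endif
typedef enum { TokenElevationTypeDefault = 1, TokenElevationTypeFull,
               TokenElevationTypeLimited } TOKEN_ELEVATION_TYPE;
#endif

/* Compile-time gate: Vista features only if the SDK header exposes the symbol. */
#ifdef TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS
#define MSLSA_VISTA_FEATURES 1
#else
#define MSLSA_VISTA_FEATURES 0
#endif

int mslsa_vista_features_enabled(void) { return MSLSA_VISTA_FEATURES; }

/* Policy from the commit message: a UAC-limited (filtered) token cannot read
 * session keys, so MSLSA: access is disabled outright rather than handing
 * back tickets whose keys are unusable. */
int mslsa_access_allowed(TOKEN_ELEVATION_TYPE t)
{
    return t != TokenElevationTypeLimited;
}

#ifdef _WIN32
/* Runtime check of the calling process's token elevation level; fails closed. */
int mslsa_current_process_allowed(void)
{
    HANDLE tok;
    TOKEN_ELEVATION_TYPE t;
    DWORD len;
    int ok = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return 0;
    if (GetTokenInformation(tok, TokenElevationType, &t, sizeof(t), &len))
        ok = mslsa_access_allowed(t);
    CloseHandle(tok);
    return ok;
}
#endif
```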