Windows 7 - Kerberos TGT Session Key restriction for Domain user in localAdministrators group with UAC enabled

Asked By uljana1 on 30-Jul-12 05:38 AM

I am desperately looking for proof that there is a genuine Microsoft restric=
tion on AD Domain users who are members of the local Administrators group w=
ith UAC enabled not having access to the Kerberos TGT Session Key. I have S=
SO implemented in Java using Kerberos for my application, but we have recen=
tly faced the problem in Windows 7 that Administrator users with UAC enable=
d fail to login automatically via SSO because of the Kerberos TGT restricti=
on.=20

I have both Client and Server implemented in java and we are using GSS and =
Kerberos on the client side for SSO. Is there a way to obtain a Service Tic=
ket from Kerberos in this scenario.

Thank you in advance.

1983-01-0 replied to uljana1 on 14-Aug-12 04:51 AM

iction on AD Domain users who are members of the local Administrators group=
with UAC enabled not having access to the Kerberos TGT Session Key. I have=
SSO implemented in Java using Kerberos for my application, but we have rec=
ently faced the problem in Windows 7 that Administrator users with UAC enab=
led fail to login automatically via SSO because of the Kerberos TGT restric=
tion.=20
d Kerberos on the client side for SSO. Is there a way to obtain a Service T=
icket from Kerberos in this scenario.

Hi,

I ran into this issue too. I am a local admin with a domain account. I cann=
ot obtain the TGT from LSA. Have a look at this ticket: http://bugs.sun.com=
/bugdatabase/view_bug.do?bug_id=3D6722928

This is an intentional limitation under Windows. You have to use SSPI on Wi=
ndows otherwise you have no chance.

My workaround was to call Java's kinit. What a pity.

Mike

Previous Windows 7 Discussion: Is the output of CryptSignMessageWithKey always the same for the sameinput and environment (certificate)?

Access over 40 UI widgets with everything from interactive menus to rich charts.