Discussion:
Kerberos TGT Session Key restriction for Domain user in local Administrators group with UAC enabled
u***@gmail.com
2012-07-30 09:38:51 UTC
I'm desperately looking for proof that there is a genuine Microsoft restriction on AD Domain users who are members of the local Administrators group with UAC enabled not having access to the Kerberos TGT Session Key. I have SSO implemented in Java using Kerberos for my application, but we have recently faced the problem in Windows 7 that Administrator users with UAC enabled fail to log in automatically via SSO because of the Kerberos TGT restriction.

I have both Client and Server implemented in Java and we are using GSS and Kerberos on the client side for SSO. Is there a way to obtain a Service Ticket from Kerberos in this scenario?

Thank you in advance.
1***@gmx.net
2012-08-14 08:51:34 UTC
Post by u***@gmail.com
I'm desperately looking for proof that there is a genuine Microsoft restriction on AD Domain users who are members of the local Administrators group with UAC enabled not having access to the Kerberos TGT Session Key. I have SSO implemented in Java using Kerberos for my application, but we have recently faced the problem in Windows 7 that Administrator users with UAC enabled fail to log in automatically via SSO because of the Kerberos TGT restriction.
I have both Client and Server implemented in Java and we are using GSS and Kerberos on the client side for SSO. Is there a way to obtain a Service Ticket from Kerberos in this scenario?
Thank you in advance.
Hi,

I ran into this issue too. I am a local admin with a domain account. I cannot obtain the TGT from LSA. Have a look at this ticket: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6722928

This is an intentional limitation under Windows. You have to use SSPI on Windows, otherwise you have no chance.

My workaround was to call Java's kinit. What a pity.

Mike
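
The kinit workaround mentioned in the reply above, sketched as an added example (not code from either poster): a Java GSS client that takes its TGT from the file cache written by the JDK's `kinit` rather than from the LSA, then requests a service ticket. The SPN `HTTP@appserver.example.com`, the class name, and the assumption that `kinit` was run with its default cache location are placeholders for illustration.

```java
import com.sun.security.auth.module.Krb5LoginModule;
import org.ietf.jgss.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import java.io.File;
import java.security.PrivilegedExceptionAction;
import java.util.*;

public class KinitCacheSso {
    // Assumed SPN of the Java server (placeholder); replace with your own service.
    static final String SERVICE = "HTTP@appserver.example.com";

    /** JAAS configuration that reads the given file cache and never prompts. */
    static Configuration fileCacheConfig(String cachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("ticketCache", cachePath);
        opts.put("doNotPrompt", "true"); // fail instead of asking for a password
        AppConfigurationEntry entry = new AppConfigurationEntry(
            Krb5LoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Default cache written by the JDK's kinit: {user.home}/krb5cc_{user.name}
        String cache = System.getProperty("user.home") + File.separator
                     + "krb5cc_" + System.getProperty("user.name");
        LoginContext lc = new LoginContext("client", null, null, fileCacheConfig(cache));
        try {
            lc.login(); // throws if the cache holds no usable TGT
        } catch (LoginException e) {
            System.err.println("No TGT in " + cache + " (run kinit first): " + e.getMessage());
            return;
        }
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName peer = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
            GSSContext ctx = mgr.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
            // The first initSecContext call makes the JDK request the service ticket.
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("Service ticket obtained, GSS token bytes: " + token.length);
    }
}
```

Setting `doNotPrompt` makes a missing or expired cache surface as a `LoginException` at login time instead of a password prompt, which keeps the SSO failure visible and easy to log.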
