Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Access to Session Keys not possible using a restricted Token

Access to Session Keys not possible using a restricted Token

Symptoms

You are running applications on Windows 7 or Windows Server 2008 R2. The application or its runtime environment requires access to the Kerberos TGT Session Key to submit its own Kerberos Ticket requests.

Microsoft has introduced an option to enable this, documented in this KB article using the registry entry allowtgtsessionkey: http://support.microsoft.com/kb/308339

When you are running the affected applications as a local administrator with User Access Control (UAC) enabled, you notice that the application is not able to make Kerberos-authenticated connections.

↑ Back to the top

Cause

In the affected operating systems, giving out the session keys to processes running with a restricted token is not allowed anymore. This is seen as a potential to elevate the process to a unrestricted token.

↑ Back to the top

Resolution

There are the following approaches:

  1. Remove local administrator rights from the users.
  2. Change the application or it's runtime to use the Windows methods of managing identity and secure server connections so it does not require access to the session keys anymore. Depending on the application environment, the entry point may differ. The Windows native API method for this is InitializeSecurityContext.

  3. You can allow automatic elevation of the application when the application launch policy for local Administrators is set to "no prompt".
    See http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Note: If you then have an application manifest that requests the elevation to either "highestAvailable" or "requireAdministrator". The MSDN topic contains a sample manifest file and instructions on how to add it to the application.

  4. Have a wrapper in the application that starts the part of the solution needing the Session Keys as elevated using the ShellExecute verb "runas".
    See http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

  5. Another option to run part of a solution in elevated mode is the COM elevation moniker as described in the following article:
    See sample function CoCreateInstanceAsAdmin: http://msdn.microsoft.com/en-us/library/ms679687

  6. Turn off UAC so administrators always run with a full token.

↑ Back to the top

Keywords: vkball, kb

↑ Back to the top

Article Info
Article ID : 2627903
Revision : 1
Created on : 1/8/2017
Published on : 4/24/2013
Exists online : False
Views : 69