Access to Session Keys not possible using a restricted Token

Article ID: 2627903

Symptoms

You are running applications on Windows 7 or Windows Server 2008 R2. The application, or its runtime environment, requires access to the session key of the Kerberos ticket-granting ticket (TGT) so that it can submit its own Kerberos ticket requests instead of letting Windows obtain service tickets on its behalf.

Microsoft provides an option to enable this, documented in KB 308339 (http://support.microsoft.com/kb/308339): the AllowTgtSessionKey registry value (REG_DWORD, set to 1) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

When you run the affected applications as a member of the local Administrators group with User Account Control (UAC) enabled, the application is not able to make Kerberos-authenticated connections even though AllowTgtSessionKey is set. The same application works for standard (non-administrator) users and when it is started elevated.
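To confirm that this is the situation you are in, the following PowerShell script (added here as a diagnostic; it is not part of the KB article) reads the AllowTgtSessionKey value from the registry location given in KB 308339, checks whether the current process runs under a UAC-filtered administrator token (the Administrators group is still in the token but marked "Group used for deny only" in the output of whoami /groups), and reports whether the LSA is expected to release the TGT session key to this process. The registry path, the whoami CSV column names and the klist tgt output format are taken from those tools' documented behaviour and are assumptions of this example; the object layout and the "SessionKeyExpected" rule are the example's own.

```powershell
# Diagnostic added to this article (not Microsoft's code). Assumes Windows 7 /
# Server 2008 R2 with whoami.exe and klist.exe present, and the registry
# location documented in KB 308339. Works with PowerShell 2.0.
function Get-TgtSessionKeyDiagnostics {
    # 1. Is the opt-in from KB 308339 present? (REG_DWORD, 1 = release the key)
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $allow   = (Get-ItemProperty -Path $regPath -Name AllowTgtSessionKey `
                -ErrorAction SilentlyContinue).AllowTgtSessionKey

    # 2. Is this a UAC-filtered administrator token? Under Admin Approval Mode
    #    the Administrators group (S-1-5-32-544) stays in the token but is
    #    marked "Group used for deny only".
    $groups        = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup    = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $isAdminMember = $null -ne $adminGroup
    $isFiltered    = $isAdminMember -and ($adminGroup.Attributes -match 'deny only')

    # 3. IsInRole(Administrator) is true only when the full token is in use.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    New-Object PSObject -Property @{
        AllowTgtSessionKey   = $allow
        AdministratorsMember = $isAdminMember
        RestrictedToken      = $isFiltered
        Elevated             = $isElevated
        # The LSA releases the key only when the opt-in is set AND the
        # requesting process is not running under the filtered token.
        SessionKeyExpected   = ($allow -eq 1) -and -not $isFiltered
    }
}

Get-TgtSessionKeyDiagnostics | Format-List

# Cross-check: the "Session Key" lines of the cached TGT show the key type and
# the key bytes; when the LSA withholds the key the bytes are shown as zeros.
klist tgt
```

Run the script once from a normal (filtered) PowerShell window and once from one started with "Run as administrator": RestrictedToken flips from True to False and SessionKeyExpected from False to True, while AllowTgtSessionKey stays the same, which is exactly the behaviour described under Cause.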

Cause

In the affected operating systems, the Local Security Authority (LSA) no longer returns the TGT session key to a process that runs under a restricted (filtered) token, such as the token an administrator receives under UAC Admin Approval Mode, regardless of the AllowTgtSessionKey setting. A process that holds the TGT session key could use it to obtain tickets on behalf of the logged-on user that its restricted token should not be able to obtain, which amounts to elevating the process to the unrestricted token without a UAC prompt; withholding the key closes that path.

Resolution

There are the following approaches. The first two keep the UAC protection intact; approaches 3 to 5 elevate only the affected application or part of it; the last one removes Admin Approval Mode for every administrator and should be considered a last resort.

  1. Remove local administrator rights from the users. A standard user runs with an unfiltered token, so the LSA releases the session key as before.
  2. Change the application or its runtime to use the Windows methods of managing identity and securing server connections, so that it no longer requires access to the session key. Depending on the application environment, the entry point may differ. The Windows native API for this is InitializeSecurityContext (SSPI, with the Kerberos or Negotiate package); with it, the LSA builds the Kerberos authenticator on behalf of the process, so the TGT session key never has to leave the LSA.
  3. Allow automatic elevation of the application by setting the UAC policy "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting" (the "no prompt" setting). Note that this policy applies to every elevation request on the computer, not only to the affected application.
    See http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Note: The application then needs an application manifest whose requestedExecutionLevel is set to either "highestAvailable" or "requireAdministrator", so that it is launched elevated. The MSDN topic contains a sample manifest file and instructions on how to add it to the application.

  4. Have a wrapper in the application that starts only the part of the solution that needs the session key as a separate, elevated process, using the ShellExecute verb "runas". The rest of the application keeps running with the restricted token.
    See http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

  5. Another option to run part of a solution in elevated mode is the COM elevation moniker ("Elevation:Administrator!new:{CLSID}"), which activates an out-of-process COM class in an elevated process, as described in the following article:
    See sample function CoCreateInstanceAsAdmin: http://msdn.microsoft.com/en-us/library/ms679687

  6. Turn off UAC so that administrators always run with a full token. This removes Admin Approval Mode for every administrator on the computer, not only for the affected application.
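The wrapper of approach 4, as an added PowerShell example that is not part of this KB article: the script checks whether it already holds the full token and, if not, relaunches itself through the ShellExecute verb "runas" (Start-Process -Verb RunAs). Only the relaunched, elevated instance runs the part that needs the TGT session key; klist tgt stands in for that part here. The -Elevated switch is a marker invented for the example so the relaunched copy does not try to elevate again, and $MyInvocation.MyCommand.Path is used instead of $PSCommandPath so the script also runs under the PowerShell 2.0 that ships with Windows 7.

```powershell
# Self-elevating wrapper (approach 4), added example; not Microsoft's code.
# Assumes the component that needs the session key can be started as its own
# process. The -Elevated switch is an invented marker for the relaunched copy.
param([switch]$Elevated)

function Test-FullToken {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # False under the UAC-filtered token, true once elevated.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SessionKeyDependentPart {
    # Stand-in for the component that needs the TGT session key. With the full
    # token (and AllowTgtSessionKey=1 from KB 308339) the LSA releases the key.
    klist tgt
    return $LASTEXITCODE
}

if (Test-FullToken) {
    # Already elevated (started by the wrapper below, or by an administrator
    # who chose "Run as administrator"): do the real work and pass on its result.
    exit (Invoke-SessionKeyDependentPart)
}

if ($Elevated) {
    # Relaunched with "runas" but still filtered: the user declined the UAC
    # prompt or is not an administrator. Fail instead of looping forever.
    Write-Error 'Elevation was requested but not granted; the TGT session key will be withheld.'
    exit 1
}

$scriptPath = $MyInvocation.MyCommand.Path   # $PSCommandPath needs PowerShell 3.0
$argList    = "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -Elevated"

try {
    # -Verb RunAs is the ShellExecute "runas" verb. A consent prompt appears
    # unless the "Elevate without prompting" policy of approach 3 is in force.
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argList `
                          -Verb RunAs -PassThru -Wait
    exit $proc.ExitCode
} catch {
    # Start-Process throws when the user cancels the UAC prompt.
    Write-Error "Could not start the elevated part: $($_.Exception.Message)"
    exit 1
}
```

Keep the elevated part as small as possible: everything that runs in the relaunched process has the full administrator token, so it is also the part to review most carefully, and the wrapper should never pass it untrusted input on the command line.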

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2627903 - Last Review: April 19, 2013 - Revision: 5.0
Applies to
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
Keywords: KB2627903
