Access to Session Keys not possible using a restricted Token


Symptoms


You are running applications on Windows 7 or Windows Server 2008 R2. The application or its runtime environment requires access to the Kerberos TGT Session Key to submit its own Kerberos Ticket requests.

Microsoft has introduced an option to enable this, documented in this KB article using the registry entry allowtgtsessionkey: http://support.microsoft.com/kb/308339

When you are running the affected applications as a local administrator with User Account Control (UAC) enabled, you notice that the application is not able to make Kerberos-authenticated connections.

Cause


In the affected operating systems, giving out the session keys to processes running with a restricted token is no longer allowed. This is seen as a potential way to elevate the process to an unrestricted token.

Resolution


There are the following approaches:

  1. Remove local administrator rights from the users.
  2. Change the application or its runtime to use the Windows methods of managing identity and secure server connections so it does not require access to the session keys anymore. Depending on the application environment, the entry point may differ. The Windows native API method for this is InitializeSecurityContext.
  3. You can allow automatic elevation of the application when the application launch policy for local Administrators is set to "no prompt".
    See http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Note: This requires that the application also has an application manifest that requests elevation to either "highestAvailable" or "requireAdministrator". The MSDN topic contains a sample manifest file and instructions on how to add it to the application.

  4. Have a wrapper in the application that starts the part of the solution needing the Session Keys as elevated using the ShellExecute verb "runas".
    See http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

  5. Another option to run part of a solution in elevated mode is the COM elevation moniker as described in the following article:
    See sample function CoCreateInstanceAsAdmin: http://msdn.microsoft.com/en-us/library/ms679687

  6. Turn off UAC so administrators always run with a full token.
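As an added example (not part of this KB article), the following PowerShell wrapper follows approach 4: it queries the elevation type of its own token, and if the token is the UAC-filtered (limited) one that LSA refuses to hand the session key to, it relaunches the component that needs the TGT session key through the ShellExecute "runas" verb (Start-Process -Verb RunAs). The target path, the P/Invoke helper and the parameter names are assumptions; the registry value name comes from KB 308339.

```powershell
# Wrapper for the part of a solution that needs the Kerberos TGT session key.
# Assumed path of the component; adjust to your deployment.
param(
    [string]$TargetExe  = "C:\App\KerberosWorker.exe",
    [string]$TargetArgs = ""
)

# Hypothetical P/Invoke helper: reads TokenElevationType (class 18) of the current process token.
# Returned values: 1 = Default (no UAC split), 2 = Full (elevated), 3 = Limited (filtered token).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenInfo {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tok, int cls, out int info, int len, out int ret);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    public static int GetElevationType() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0008 /* TOKEN_QUERY */, out tok))
            throw new System.ComponentModel.Win32Exception();
        try {
            int value, ret;
            if (!GetTokenInformation(tok, 18 /* TokenElevationType */, out value, 4, out ret))
                throw new System.ComponentModel.Win32Exception();
            return value;
        } finally { CloseHandle(tok); }
    }
}
"@

# Without the KB 308339 registry setting no process gets the session key, elevated or not.
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$allow  = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).AllowTGTSessionKey
if ($allow -ne 1) { Write-Warning "AllowTGTSessionKey is not set to 1; session key requests will fail." }

# Start-Process rejects an empty -ArgumentList, so only add it when arguments were given.
$launch = @{ FilePath = $TargetExe; Wait = $true }
if ($TargetArgs) { $launch.ArgumentList = $TargetArgs }

switch ([TokenInfo]::GetElevationType()) {
    3 {  # Limited: running under the restricted token, relaunch elevated via the "runas" verb.
         Write-Verbose "Filtered token detected; relaunching $TargetExe elevated."
         Start-Process @launch -Verb RunAs }
    default {  # Default or Full: the token is not restricted, run the component in place.
         Start-Process @launch }
}
```

With the "no prompt" policy from approach 3 in effect the relaunch happens silently; otherwise the user sees the UAC consent dialog once.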