
Access to Session Keys not possible using a restricted Token


You are running applications on Windows 7 or Windows Server 2008 R2. The application or its runtime environment requires access to the Kerberos TGT Session Key to submit its own Kerberos Ticket requests.

Microsoft provides an option to enable this through the registry value AllowTgtSessionKey, documented in the following KB article: http://support.microsoft.com/kb/308339

When you run the affected applications as a local administrator with User Account Control (UAC) enabled, the application is unable to make Kerberos-authenticated connections.

On the affected operating systems, session keys are no longer handed out to processes that run with a restricted (filtered) token. Handing them out was considered a potential way for such a process to elevate itself to an unrestricted token.

The following approaches are available:

  1. Remove local administrator rights from the users.
  2. Change the application or its runtime to use the Windows methods of managing identity and securing server connections, so that it no longer requires access to the session keys. Depending on the application environment, the entry point differs; the native Windows (SSPI) API for this is InitializeSecurityContext.
  3. You can allow automatic elevation of the application when the UAC elevation-prompt policy for local Administrators is set to "no prompt" (elevate without prompting).
    See http://msdn.microsoft.com/en-us/library/bb756929.aspx

    Note: This requires that the application carry an application manifest requesting elevation with a requestedExecutionLevel of either "highestAvailable" or "requireAdministrator". The MSDN topic contains a sample manifest file and instructions on how to add it to the application.

  4. Have a wrapper in the application that starts the part of the solution that needs the session keys as an elevated process, using the ShellExecute verb "runas".
    See http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx

  5. Another option for running part of a solution elevated is the COM elevation moniker, described in the following article (see the sample function CoCreateInstanceAsAdmin):
    http://msdn.microsoft.com/en-us/library/ms679687

  6. Turn off UAC so administrators always run with a full token.
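
As an added example (not part of the KB article), the following PowerShell script checks the three settings that decide whether a process in the current session can receive the TGT session key, and implements approaches 3 and 4 from the list: it writes an elevation manifest and relaunches a component with the full token through the ShellExecute "runas" verb (Start-Process -Verb RunAs). It assumes the registry location documented for AllowTgtSessionKey in KB 308339 and the standard UAC policy values under Policies\System; the function names are hypothetical.

```powershell
# Added example, not part of KB2627903: diagnose why a process under UAC cannot obtain the
# TGT session key, and relaunch it with the full token via the ShellExecute "runas" verb.
# Assumptions (not stated on the page): registry locations are those documented for
# AllowTgtSessionKey (KB 308339) and for the UAC elevation-prompt policy; the manifest text
# is the standard requestedExecutionLevel fragment. Function names are hypothetical.

function Get-AllowTgtSessionKey {
    # AllowTgtSessionKey (REG_DWORD) under the Kerberos parameters key; absent = 0 (disabled).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name AllowTgtSessionKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AllowTgtSessionKey
}

function Get-UacPolicy {
    # EnableLUA = 0 disables UAC entirely (approach 6).
    # ConsentPromptBehaviorAdmin = 0 is "Elevate without prompting" (the "no prompt" policy
    # of approach 3); the default is 5, prompt for consent for non-Windows binaries.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
    }
}

function Test-ProcessElevated {
    # Under UAC an administrator's filtered token marks the Administrators group SID as
    # deny-only, so IsInRole() returns $false until the process runs with the full token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedIfNeeded {
    # Approach 4: a wrapper that starts the Kerberos-dependent part elevated.
    # -Verb RunAs is PowerShell's form of the ShellExecute "runas" verb; UAC prompts
    # (or elevates silently when ConsentPromptBehaviorAdmin is 0) and the child gets the
    # unrestricted token, so the TGT session key can be returned to it.
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    $splat = @{ FilePath = $FilePath; PassThru = $true }
    if ($ArgumentList) { $splat.ArgumentList = $ArgumentList }
    if (-not (Test-ProcessElevated)) { $splat.Verb = 'RunAs' }
    return Start-Process @splat
}

function New-ElevationManifest {
    # Approach 3: a manifest requesting elevation, written as <exe>.manifest beside the
    # binary. If the binary already carries an embedded manifest, embed this one with
    # mt.exe instead, as the linked MSDN topic describes.
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [ValidateSet('highestAvailable', 'requireAdministrator')]
        [string]$Level = 'requireAdministrator'
    )
    $manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="$Level" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@
    $path = "${ExePath}.manifest"
    Set-Content -Path $path -Value $manifest -Encoding UTF8
    return $path
}

# Diagnostic summary for the current session
$uac = Get-UacPolicy
"AllowTgtSessionKey         : $(Get-AllowTgtSessionKey)"
"EnableLUA (UAC on)         : $($uac.EnableLUA)"
"ConsentPromptBehaviorAdmin : $($uac.ConsentPromptBehaviorAdmin)"
"Process has full token     : $(Test-ProcessElevated)"
```

Run the script from the administrator's normal (non-elevated) session. If AllowTgtSessionKey is 1 and UAC is on but "Process has full token" is False, the refusal is the token restriction described above, not a missing registry value; Start-ElevatedIfNeeded then relaunches the affected component with the unrestricted token, and New-ElevationManifest produces the manifest that makes the launch elevate on its own under the "no prompt" policy.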

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2627903 - Last Review: 04/19/2013 10:23:00 - Revision: 5.0

Windows 7 Enterprise, Windows 7 Professional, Windows 7 Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise

  • KB2627903