Kerberos TGT Session Key restriction for Domain user in local Administrators group with UAC enabled

ulja...@gmail.com

Jul 30, 2012, 5:38:51 AM
I'm desperately looking for proof that there is a genuine Microsoft restriction on AD Domain users who are members of the local Administrators group with UAC enabled not having access to the Kerberos TGT Session Key. I have SSO implemented in Java using Kerberos for my application, but we have recently faced the problem in Windows 7 that Administrator users with UAC enabled fail to log in automatically via SSO because of the Kerberos TGT restriction.

I have both Client and Server implemented in Java and we are using GSS and Kerberos on the client side for SSO. Is there a way to obtain a Service Ticket from Kerberos in this scenario?

Thank you in advance.

1983-...@gmx.net

Aug 14, 2012, 4:51:34 AM
Hi,

I ran into this issue too. I am a local admin with a domain account. I cannot obtain the TGT from LSA. Have a look at this ticket: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6722928

This is an intentional limitation under Windows. You have to use SSPI on Windows; otherwise you have no chance.

My workaround was to call Java's kinit. What a pity.

Mike