
Klist issues with Windows 7

1,935 views

Robert Schröder

Apr 12, 2011, 12:21:54 PM
to kerb...@mit.edu
Hi there,

I'm working on a single-sign-on solution with Kerberos for Windows 7.

I started to set up a virtual machine with integrated Kerberos login and a
modified logon.bat similar to our solution for Windows XP clients.
In this batch we are trying to get the principal and the domain to map the
AFS drives.
On XP we are getting the principal by calling the %USERNAME% variable, but
since Windows 7 only returns the mapped user (in our case standarduser), I
figured that a simple solution should be to start klist.exe and read the
output to set the principal.
In my VM, the whole process works pretty fine, but after I tried to get my
solution to work with a real machine, I never get my tickets.

The console just returns something like this:

*Current LogonId is 0:0x1a38a
Cached Tickets: (0)*

If I try klist with the tgt value, I'm getting the following failure:

*Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket
substatus): 1312
*
*klist failed with 0x8009030e/-2146893042: No credentials are available in
the security package*

But if I start the cmd-console with administrator privileges, everything
works fine.
Windows won't let me configure the klist options to start it always as
administrator (actually I don't think that that would be a good idea
anyway).

So the question is, what am I doing wrong?
Is there something like an understanding problem on my side or did I just
find a bug?
Google couldn't find anything useful, so I'm trying to get your help :)

Thanks in advance.
Robert Schröder

Jeffrey Altman

Apr 12, 2011, 1:23:39 PM
to kerb...@mit.edu
On 4/12/2011 12:21 PM, Robert Schröder wrote:
> The console just returns something like this:
>
> *Current LogonId is 0:0x1a38a
> Cached Tickets: (0)*
>
> If I try klist with the tgt value, I'm getting the following failure:
>
> *Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket
> substatus): 1312
> *
> *klist failed with 0x8009030e/-2146893042: No credentials are available in
> the security package*
>
> But if I start the cmd-console with administrator privileges, everything
> works fine.

You cannot access the LSA ticket store under User Account Control (UAC)
restricted processes. If you were able to read the TGT, you could
bypass the process restrictions without the user being prompted.

UAC applies to any account that is not the Local Administrator account
that is added to the Administrators Group.

Jeffrey Altman
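An added example, written for this thread and not code from either poster: it implements the approach Robert describes (run klist.exe from a logon script and parse its output for the principal and realm) and, when the cache comes back empty, checks for the condition Jeffrey explains, a process running under the UAC-filtered token rather than an elevated one. klist.exe, whoami /groups and the .NET WindowsPrincipal check are real Windows facilities; the function names, the sample klist output, and the principal rschroeder @ EXAMPLE.ORG are constructed for illustration.

```powershell
# Added example (not code from the thread): read the Kerberos principal from
# klist output for a logon script, and recognise the empty-cache result that
# klist gives under a UAC-filtered token. Function names and the sample
# output below are constructed; klist.exe and whoami are the real tools.

function Test-ProcessElevated {
    # True only when BUILTIN\Administrators is *enabled* in the current token,
    # i.e. the process runs elevated. Under the UAC-filtered token the group is
    # present but deny-only, and .NET's IsInRole() then returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminDenyOnly {
    # True when the token carries the Administrators SID (S-1-5-32-544) marked
    # "Group used for deny only": the signature of a split (UAC-filtered) token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    return [bool]($admins -and ($admins.Attributes -match 'deny only'))
}

function ConvertFrom-KlistOutput {
    # Parse the lines printed by klist.exe (no arguments) into an object with
    # LogonId, TicketCount, and the client principal/realm of the first ticket.
    param([string[]]$Lines)
    $logonId = $null; $count = $null; $principal = $null; $realm = $null
    foreach ($line in $Lines) {
        if ($line -match 'Current LogonId is (\S+)') {
            $logonId = $Matches[1]
        } elseif ($line -match 'Cached Tickets:\s*\((\d+)\)') {
            $count = [int]$Matches[1]
        } elseif (-not $principal -and $line -match 'Client:\s*(\S+)\s*@\s*(\S+)') {
            $principal = $Matches[1]; $realm = $Matches[2]
        }
    }
    # New-Object PSObject keeps this usable on the PowerShell 2.0 shipped with Windows 7.
    return New-Object PSObject -Property @{
        LogonId = $logonId; TicketCount = $count; Principal = $principal; Realm = $realm
    }
}

function Get-LogonPrincipal {
    # Returns Principal/Realm for mapping AFS drives, or $null with an
    # explanation when the ticket cache is not visible to this process.
    param([string[]]$KlistLines)
    if (-not $KlistLines) { $KlistLines = & klist.exe 2>&1 | ForEach-Object { "$_" } }
    $info = ConvertFrom-KlistOutput -Lines $KlistLines
    if ($info.TicketCount -eq 0 -or -not $info.Principal) {
        if (-not (Test-ProcessElevated) -and (Test-AdminDenyOnly)) {
            $msg = ("klist ran under the UAC-filtered token (LogonId {0}); " +
                    "the LSA ticket store is not readable from a restricted process, " +
                    "so an empty cache here does not mean the user has no TGT.") -f $info.LogonId
            Write-Warning $msg
        }
        return $null
    }
    return $info
}

# Constructed sample of klist output from a session that does hold a TGT.
$SampleKlist = @'
Current LogonId is 0:0x1a38a

Cached Tickets: (1)

#0>     Client: rschroeder @ EXAMPLE.ORG
        Server: krbtgt/EXAMPLE.ORG @ EXAMPLE.ORG
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

$parsed = ConvertFrom-KlistOutput -Lines $SampleKlist
"Principal: $($parsed.Principal)  Realm: $($parsed.Realm)  Tickets: $($parsed.TicketCount)"

# On a real Windows host, omit -KlistLines to query the live cache:
#   $p = Get-LogonPrincipal
```

The parser is kept separate from the elevation checks so the logon script can be exercised against captured output on any machine; the warning path only fires when the cache is empty and the token is the filtered half of a split admin token, which distinguishes the UAC case in this thread from a user who genuinely has no ticket. Running the script elevated to make the cache visible would defeat the UAC prompt, which is exactly the behaviour Jeffrey's reply says the restriction exists to prevent.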
