[OpenAFS] UAC in Windows 7 prevents importing Kerberos TGT to NIM

Jonathan Nilsson jnilsson@uci.edu
Tue, 05 Apr 2011 13:51:35 -0700


Hello,

I'm running Windows 7 Professional 64-bit, joined to an Active Directory domain
which is my Kerberos REALM for my OpenAFS cell. Everything works fine, but I
have recently noticed that when I log in with a domain account, Network Identity
Manager does not seem to be automatically getting an AFS token. It just pops up
a password prompt for my Kerberos "identity" as it calls it.

I did some searching and found this page in the NIM docs which seems to describe
my situation:

http://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5.htm

which about halfway down the page has this paragraph:

"On Windows Vista, Windows 7, and Windows Server 2008 the operating system does
not permit the importation of the Kerberos Ticket Granting Ticket if the active
user account is a member of the Administrators or Domain Administrators groups
and User Account Control (UAC) mode is active."

My domain account is a member of the local computer's Administrators group. Is
there any workaround besides completely disabling UAC?

In the meantime I removed my account from the local "Administrators" group, and
NIM works again.

-- 
Jonathan.Nilsson@uci.edu
Computing Services
School of Social Sciences
SSPA 4110 | 949.824.1536
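
The following is an added example, not part of the original message or of the NIM documentation: a PowerShell check for the two conditions named in the quoted paragraph (UAC active, and the account in Administrators or Domain Admins). It assumes UAC state can be read from the EnableLUA policy value and group membership from `whoami /groups`; the function names are hypothetical.

```powershell
# Added example: checks the two conditions named in the quoted NIM documentation.
# Assumptions (not from the original message): UAC state is read from the
# EnableLUA policy value, and group membership from `whoami /groups`, which
# also lists groups that are marked deny-only in the current token.

function Test-UacEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableLUA -eq 1)
}

function Get-AdminGroupMembership {
    # /nh drops the localized header row so fixed column names can be assigned.
    $rows = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    # S-1-5-32-544 = BUILTIN\Administrators; RID 512 = Domain Admins.
    $rows | Where-Object {
        $_.SID -eq 'S-1-5-32-544' -or $_.SID -match '^S-1-5-21-(\d+-){3}512$'
    }
}

$uac = Test-UacEnabled
$adminGroups = @(Get-AdminGroupMembership)

"UAC active: $uac"
if ($adminGroups.Count -gt 0) {
    # Show each matching group with its token attributes (e.g. deny-only).
    foreach ($g in $adminGroups) { "Member of $($g.Name) [$($g.Attributes)]" }
} else {
    'Not a member of Administrators or Domain Admins.'
}

if ($uac -and $adminGroups.Count -gt 0) {
    'Both documented conditions hold: expect the TGT import to be refused.'
} else {
    'The documented conditions do not both hold for this logon session.'
}
```

Run it in the same logon session in which NIM shows the password prompt, since group attributes are reported per token.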