[OpenAFS] UAC in Windows 7 prevents importing Kerberos TGT to NIM

Erik Dalén erik.dalen@mensa.se
Mon, 11 Apr 2011 10:51:00 +0200


On Tue, Apr 5, 2011 at 23:07, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> You have two choices.  Disable UAC or stop using an account that is =
a
> member of the Administrators Group for day to day operations.  I wou=
ld
> choose the latter.
>
> Jeffrey Altman
>
>
> On 4/5/2011 4:51 PM, Jonathan Nilsson wrote:
>> Hello,
>>
>> I'm running Windows 7 Professional 64-bit, joined to an Active Directory=
 domain
>> which is my Kerberos REALM for my OpenAFS cell. Everything works fine, b=
ut I
>> have recently noticed that when I login with a domain account, Network I=
dentity
>> Manager does not seem to be automatically getting an AFS token. It just =
pops-up
>> a password prompt for my Kerberos "identity" as it calls it.
>>
>> I did some searching and found this page in the NIM docs which seems to =
describe
>> my situation:
>>
>> http://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5=
.htm
>>
>> which about half way down the page has this paragraph:
>>
>> "On Windows Vista, Windows 7, and Windows Server 2008 the operating syst=
em does
>> not permit the importation of the Kerberos Ticket Granting Ticket if the=
 active
>> user account is a member of the Administrators or Domain Administrators =
groups
>> and User Account Control (UAC) mode is active."
>>
>> My domain account is a member of the local computer's Administrators gro=
up. Is
>> there any workaround besides completely disabling UAC?
>>
>> In the mean time I removed my account from the local "Administrators" gr=
oup, and
>> NIM works again.
>>
>
>

Would it be possible to do the import but with an UAC prompt?

-- 
Erik Dalén