User Account Control (UAC) is a feature new to Windows Vista and Windows Server 2008 that is designed to help protect Windows-based systems against processes running with administrative permissions. It’s a great idea, but the implementation is, in my humble opinion, a bit flawed.
Here’s a great example. In working on interoperability and integration documentation for Windows Server 2008, I came across a problem that prevents you from using Samba to join Linux or UNIX systems to Active Directory for the purpose of centralizing authentication to those systems (more information available in this article). OK, no big deal; we’ve done it before with ktpass.exe, right? We’ll just drop back to using ktpass.exe and do it “old school”.
Here’s the output from ktpass.exe when running on a Windows Server 2008-based server with UAC enabled:
C:\>ktpass.exe -princ HOST/vsxsoltest01.vmwarelab.net@ADNG.VMWARELAB.NET
-mapuser ADNG\VSXSOLTEST01$ -crypto all -pass Password123
-ptype KRB5_NT_PRINCIPAL -out c:\vsxsoltest01.keytab
Targeting domain controller: vswdcng02.adng.vmwarelab.net
Using legacy password setting method
Failed to set property "servicePrincipalName" to
"HOST/vsxsoltest01.vmwarelab.net" on Dn
"CN=VSXSOLTEST01,CN=Computers,DC=adng,DC=vmwarelab,DC=net": 0x32.
WARNING: Unable to set SPN mapping data.
If VSXSOLTEST01$ already has an SPN mapping installed for
HOST/vsxsoltest01.vmwarelab.net, this is no cause for concern.
WARNING: Account VSXSOLTEST01$ is not a user account (uacflags=0x1021).
WARNING: Resetting VSXSOLTEST01$’s password may cause
authentication problems if VSXSOLTEST01$ is being used as a server.
Reset VSXSOLTEST01$’s password [y/n]? y
Aborted.
This is running as an account that is not the built-in Administrator account, but is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group.
Take that same command and run it on the same server after disabling UAC, and it runs just fine. No errors, no warnings, no problems. Clearly, UAC is interfering with ktpass.exe.
If you have a need to integrate Linux and/or UNIX systems into Active Directory for authentication, keep this in mind: you’ll need to disable UAC (and reboot the server) before you can use ktpass.exe to map service principals onto accounts.
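As an added example that is not part of the original post, the PowerShell script below performs the two checks that explain the failure above before it calls ktpass.exe: whether UAC is switched on (the EnableLUA policy value) and whether the current shell holds the full administrator token rather than the filtered token UAC hands to an administrator’s normal logon. The host name, account and realm are the ones from the post; the use of setspn.exe to confirm the SPN afterwards is an assumption about the tool being present on the server, not something the post describes.

```powershell
# Added example: pre-flight checks for ktpass.exe on Windows Server 2008 with UAC.
# Names below are taken from the post; '*' makes ktpass prompt for the password
# instead of placing it on the command line.
$Principal = 'HOST/vsxsoltest01.vmwarelab.net@ADNG.VMWARELAB.NET'
$MapUser   = 'ADNG\VSXSOLTEST01$'
$Keytab    = 'C:\vsxsoltest01.keytab'

# 1. Is UAC enabled? EnableLUA = 1 is the state in which the post's run failed.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA).EnableLUA
Write-Host "UAC (EnableLUA) = $enableLua"

# 2. Does this shell hold the full admin token? With UAC on, an administrator's
#    ordinary shell answers $false here even though the account is in Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Elevated (full admin token) = $elevated"

if ($enableLua -eq 1 -and -not $elevated) {
    Write-Warning 'UAC is on and this shell holds a filtered token; ktpass.exe will fail to set the SPN as shown in the post.'
    Write-Warning 'Use an elevated prompt, or disable UAC and reboot as the post describes, then run this again.'
    return
}

# 3. Same ktpass.exe invocation as in the post.
& ktpass.exe -princ $Principal -mapuser $MapUser -crypto all -pass * `
    -ptype KRB5_NT_PRINCIPAL -out $Keytab
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ktpass.exe exited with code $LASTEXITCODE; the keytab may be incomplete."
    return
}

# 4. Confirm the SPN is now on the computer account (assumes setspn.exe is available).
& setspn.exe -L 'VSXSOLTEST01$'
```

If the script stops at step 2, nothing has been changed on the domain controller, which avoids the half-done state in the post’s output where the SPN write fails but ktpass still offers to reset the computer account’s password.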
Tags: ActiveDirectory, Microsoft, Security, Windows
2 comments
http://blog.scottlowe.org/2007/07/09/uac-and-ktpassexe/trackback/
Tuesday, December 11, 2007 at 2:23 pm
Ian
Scott,
Excellent blog! I’m a CLI kind of guy myself, and this UAC limitation perpetually ticked me off as well. However, I found out that you can get a CLI shell with admin rights, but you need to use the GUI to get it. Click the start button, then SHIFT-Rclick the “Command prompt” icon. It should give you a “Run as Administrator” option. When you select that, you’ll get the UAC prompt, but once you OK that, you’ll get a CLI that runs as the built-in Administrator account. It’s the only way I’ve seen so far on a Vista box to get a privileged CLI.
V/R,
Ian
Tuesday, December 11, 2007 at 6:43 pm
slowe
Ian,
Thanks for the tip! I’ll be sure to use this tip in the future. Keep reading!