Kerberos tickets and group membership


Brian Nielsen

Hello,

I'm not sure if this is the right forum to post this question in, but I'll
give it a try.


I have made a program which adds a user to a group which is a member of
Domain Admins, so that the user can create users and group policies.
This program is run when the user logs on to Windows 2000.

To force the group membership to be updated in the same logon session, I'm
resetting the Kerberos tickets.

This has the consequence that I am able to create users in the domain.
But it also adds the following problems:

Problem 1:
What: Sometimes when I reset the tickets and want to create new group
policies on an OU, the button to create new group policies is enabled (in
Active Directory Users and Computers), but when I press the button it
returns an error saying "Access Denied". This only happens sometimes, and
after a while it is working again.

Setup: The problem only occurs when 2 sites are configured in a native
Windows 2000 domain; it does not happen when there is only one domain
controller in the domain.

Idea: I have seen on the net that 2 utilities for Kerberos exist, KInit.exe
and KDestroy.exe, for initializing and destroying the Kerberos setup.
Is it possible to download them anywhere for Windows 2000?

Problem 2:
What: Resetting the Kerberos tickets gives the user Domain Admin rights in
the domain, but it does not give the user local administrator rights, so it
cannot perform local system management on the local workstation where it is
logged on.

Does someone have an idea of what I can do to solve one or both of the
problems?


Thanks in advance

/Brian Nielsen
 
Don't know if I can answer your question, as I doubt that I understood it,
but why are you using scripts to enforce group membership, when you can use
Group Policies and set Restricted Groups and enforce group membership from
there?

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
You've piqued my curiosity. Why on earth would you want to
do whatever it is you are doing?

-Jack
 
The user account contains a property which specifies if the user should be
an administrator or not (a value added with schema changes).
Only when the user logs on to a machine can it be determined whether
or not he should be an administrator in this session.

If it is possible to add the user to the "Restricted Group" policy when
logging on, then maybe the Group Policy way could work, otherwise
I think Restricted Groups are too static... but I'm not 100% sure how
"Restricted Groups" works.

/Brian
 
1. I'm not sure about those particular utilities, but here's a good outline
of what tools Microsoft offers:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

2. It sounds like the KRB_TGS_REP is sent/received, but the local SIDs are
not being added to the session key.
Alternatively, the KRB_TGS_REP is sent/received, the session key is rebuilt,
and the access token is not rebuilt.

The latter sounds like the more likely alternative, as the access token is
created at logon and inherited by all processes that user creates (or that
winlogon creates for that user). The only way I know of to generate a new
access token is with the RUNAS command. Maybe that gets you somewhere, but I
don't really see a way around #2.

\\ MadDHatteR
 
I agree it is the access token that is not being updated locally. The Kerberos cert is only used for gaining access to
remote machines after the initial access token is built for the local session; you cannot refresh that token without an
actual full authentication.
 
Thanks for your answers, now I have something to work with :-)

Is it possible to initiate the full authentication programmatically for the
local session without requiring the user to logon again ?

Q2
If the access token is not rebuilt, would I then be able to create domain
users or edit group policies? It seems like the problem goes away
when letting the sites have time to replicate (set to 15 minutes at the
moment). Does the Kerberos realm use the standard intra-site replication
mechanism when replicating Kerberos settings?

What I don't understand is the difference between creating a new group policy
and creating domain users; to me it should be the same, as both are
domain-wide changes?

Hope you can help me get a clearer picture of what is happening in the
depths of W2k.

/Brian Nielsen

Well, a full authentication would be another logon. You can fire up a process and just do a new authentication on it,
like the runas mentioned previously. You could do that with CreateProcessAsUser or LogonUser and establish a
process with that token; however, both of these require the user's password.

If you haven't made a connection to the DC that you are trying to create users on, you should have the new permissions
on it if the Kerberos cert has been updated on your machine, because once you make the connection (assuming it is handled
via Kerberos instead of falling back to NTLM or worse) it should be with the new cert and you should have the
permissions, at least as I understand it.

If you are seeing delays, it would indicate to me that either you really aren't touching the machines with Kerberos or your
Kerberos cert isn't being updated.

Now after all of this, why in the world are you even attempting this? Most likely there is a much easier or better way
to handle what you think you need to do.

--
Joe Richards
www.joeware.net
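The point Joe makes above (a process started from a new logon carries a token that reflects current group membership, while the existing session's token never changes) can be checked directly. The script below is an added example and is not code from the thread or from any of the posters. It calls LogonUser, as Joe suggests, which requires the user's password; it assumes a domain-joined Windows machine with PowerShell 5.1 or later, and the group names it prints are whatever the environment contains. The commented Start-Process line at the end is the equivalent of runas (it uses CreateProcessWithLogonW), which is the practical way to get a working process under the new token without the SeAssignPrimaryTokenPrivilege that CreateProcessAsUser would need.

```powershell
# Added example: compare the groups in this session's access token with the
# groups in a token produced by a fresh LogonUser call for the same account.
Add-Type -Namespace Win32 -Name Advapi -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out System.IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr handle);
'@

# Resolve a token's group SIDs to DOMAIN\Name where possible. Logon SIDs
# (S-1-5-5-X-Y) differ for every logon session and are skipped so they do
# not show up as a spurious difference.
function Get-TokenGroupNames {
    param([System.Security.Principal.WindowsIdentity]$Identity)
    foreach ($sid in $Identity.Groups) {
        if ($sid.Value -like 'S-1-5-5-*') { continue }
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID: keep the raw value
    }
}

# Perform a fresh interactive logon and return the groups in the *new* token.
function Get-FreshLogonGroups {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $LOGON32_LOGON_INTERACTIVE = 2
    $LOGON32_PROVIDER_DEFAULT  = 0
    $nc     = $Credential.GetNetworkCredential()
    $domain = if ($nc.Domain) { $nc.Domain } else { $env:USERDOMAIN }
    $token  = [IntPtr]::Zero
    $ok = [Win32.Advapi]::LogonUser($nc.UserName, $domain, $nc.Password,
            $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        throw [System.ComponentModel.Win32Exception]::new(
            [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        # WindowsIdentity duplicates the handle, so the original can be closed afterwards.
        Get-TokenGroupNames -Identity ([System.Security.Principal.WindowsIdentity]::new($token))
    } finally {
        [void][Win32.Advapi]::CloseHandle($token)
    }
}

$cred    = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" -Message 'Password for a fresh logon'
$current = Get-TokenGroupNames -Identity ([System.Security.Principal.WindowsIdentity]::GetCurrent())
$fresh   = Get-FreshLogonGroups -Credential $cred

# Groups present in the new token but absent from this session's token:
# membership added since logon, which this session cannot use however often
# the Kerberos ticket cache is purged.
$gained = Compare-Object -ReferenceObject $current -DifferenceObject $fresh |
          Where-Object SideIndicator -eq '=>' |
          Select-Object -ExpandProperty InputObject
"Groups available to a new logon but not to this session:"
$gained

# To actually work with such a token, start a process under a new logon
# (CreateProcessWithLogonW, the API behind runas) instead of in this session:
# Start-Process -FilePath mmc.exe -ArgumentList 'dsa.msc' -Credential $cred
```

Run it once before and once after adding the account to a group: the first run prints nothing under "Groups available to a new logon", the second prints the new group, and the session's own token is unchanged in both cases.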
 
I know it is a hard and perhaps an impossible way.
The reason I'm doing it is, that I'm making an application at work, so if
you have any suggestions on how to make life easier for me, I would be
really happy :-)

The situation is like this:
When a user logs on to Windows 2000, he can choose between different
"right-profiles" to work as in the current session. One of these
"right-profiles" is System Administrator,
and if the user chooses this "right-profile" it must have rights to e.g.
make new group policies across sites but within a forest.

This means it is only at logon time, I can figure out, what rights the user
should have in this session.
If the user chooses a "right-profile" that has System Administrator rights,
I add the user to a group that is a member of Domain Admins (this is done at
the server). Then I reset the Kerberos ticket (at the client).

The rights of the "right-profiles" can be changed through an administration
module, so many "right-profiles" can have System Administrator rights.
But it is only at logon time, it is determined what rights the user shall
have, not dynamic at runtime if the profile changes.

Is the only way to solve the problem, to write a new GINA ?

I'm only resetting the Kerberos ticket cache (like using "klist purge") on
the client machine; is there anything else I should try to reset/refresh?
Can I reset the PAC or certificate?

The steps I do to find the error are:
1. logon domain as normal user.
2. use LDAP query to add user to a group which is member of domain admins
3. reset kerberos ticket cache using "klist purge"
4. try create new group policy. (Button is enabled as if the user has
proper rights).
5. Message box "You do not have sufficient permissions" -> "Details: Access
is denied"
6. Wait some minutes and try again. Yes now I have permission to do it.
(perhaps it has something to do with replication of some data across sites
?)

Note: The error is only found when the domain consists of at least 2 sites.

When I got this error I tried connecting to the other DC through Active
Directory Users and Computers, and tried to create a user on that one.
This I could, but I couldn't create a group policy on that DC either; the
same error message appeared.

Sorry about all these questions, but hope you can help anyway.

/Brian Nielsen

