Kerberos tickets and group membership

  • Thread starter Thread starter Brian Nielsen
  • Start date Start date
B

Brian Nielsen

Hello,

I'm not sure if this is the right forum to post this question in, but I'll
give it a try.


I have made a program which adds a user to a group, which is member of
Domain Admins, so that the user can create users and group policies.
This program is run when the user is logging on Windows 2000.

To force the group membership to be updated in the same logon session, I'm
resetting the kerberos tickets.

This have the consequences that I am able to create users in the domain.
But it also adds the following problems:

Problem 1:
What: Sometimes when I reset the tickets and wants to create new
group policies on a OU, the
button to create new group policies is enabled (In
Active Directory Users and Computers), but when I press
the button it returns and error saying "Access Denied".
It is only sometimes this happens, and after a while it
is working again.

Setup: The problem occurs only when there are configured 2 sites in
a native Windows 2000 domain, it does not
happen when there are only on Domain controller in the
domain.

Idea: I have seen on the net that 2 utilities for kerberos
exists, KInit.exe and KDestroy.exe for initializing and destroying the
kerberos setup.
Is it possible to download them anywhere to Windows 2000
?

Problem 2:
What: Resetting the kerberos tickets gives the user Domain admin
rights in the domain, but it does not give the user local administrator
rights,
so it cannot perform local system management on the
local workstation where it is logged on.

Does someone have an idea of what I can do to solve one or both of the
problems ?


Thanks in advance

/Brian Nielsen
 
The two problems are most likely due to the way tokens are built on Windows
systems. After you get a Kerberos service ticket the system to which you are
authenticating builds a token. The token is persisted for sometime(usually
the lifetime of the application connection) . In the first case if you are
trying to communicate with a machine after resetting the service tickets
then your session key will no longer be valid. Thats why you are getting an
access denied.
In the second case as Keith mentions again even though your service tickets
are refreshed your existing token still does not contain the Domain admin
SID. You will have to log off and on to get a new token on the system with a
domain admin sid. When you authenticate to other machines however new tokens
will be built based on the new service ticket and so the new group
membership will be reflected. Tokens are built on the machine you are
authenticating to.
 
Back
Top