69c2872dbd
Provide a new internal function called get_switched() to encapsulate the algorithm for selecting a credential cache when the selected ccache type supports switching. There is no change in behavior for UNIX which always calls krb5_cc_new_unique(). However, on Windows alternate behavior is provided when the ccache type is API or MSLSA. For the API ccache the default ccache name is stored in the Windows registry which is shared across all logon sessions belonging to a user. For users that are members of the Administrators group this includes both the UAC restricted and elevated sessions sharing the same desktop. It is very disconcerting when the elevated session obtains credentials for the same client principal as the restricted session and then all apps in the restricted session lose access to their credential cache. For Windows, the API credential caches are named after the principal that is stored within them. It provides for a better end user experience. For the MSLSA ccache tickets belonging to multiple principals are all stored within the MSLSA ccache. As a result, all attempts to switch ccache names default back to the one and only one name. Change-Id: I7865cd044cff01ff38ab107ec0961e42788fa073
Heimdal is a Kerberos 5 implementation. For information how to install see <http://www.h5l.org/compile.html>. There are briefer man pages for most of the commands. Bug reports and bugs are appreciated, see more under Bug reports in the manual on how we prefer them: <heimdal-bugs@h5l.org>. For more information see the web-page at <http://www.h5l.org/> or the mailing lists: heimdal-announce@sics.se low-volume announcement heimdal-discuss@sics.se high-volume discussion send a mail to heimdal-announce-request@sics.se and heimdal-discuss-request@sics.se respectively to subscribe.