- Due to a compatibility issue with MIT Kerberos for Windows and the UAC, the UAC is disabled by default in win.mit.edu to avoid having users receive errors while trying to access SAP instances.
- The following fix allows users to access SAP via Microsoft Kerberos functionality built into the OS instead of MIT’s Kerberos for Windows. Once this fix is in place the UAC can be enabled in the case where MIT’s Kerberos for Windows was only used for access to SAP.
- This is due to an issue with MIT Kerberos and Windows. By using Microsoft Kerberos this issue is bypassed. Please note this issue should only be used to resolve issues with SAP as other applications may need MIT Kerberos. Other applications can continue to use the Kerberos for Windows software.
- This fix is applied via a group policy object and must be performed by an IT technician with the appropriate permissions to the GPO.
- Applying this fix allows user account control to be enabled on computers.
Individual computer change procedures:
- Environment Variables are located under Advanced system settings. This can be accessed through System within Control Panel
- Edit the System Variable SNC_LIB to C:\Program Files\MIT\Mirror\Distrib\gsskrb5.dll
Group Policy change procedures:
- Access the related Organization Unit GPO through Group Policy Management Console. This is done through Citrix under the WIN Container Admin Tools. https://citrixapps.mit.edu/Citrix/XenApp/auth/login.aspx
Once you locate your related GPO right click and select edit
- Navigate to User Configuration/Preferences/Windows Settings/Environment
- Add a new system variable using the Replace action named SNC_LIB with the value C:\Program Files\MIT\Mirror\Distrib\gsskrb5.dll
Additionally you'll want to change some settings that resolve the issue of Kerberos tickets breaking when a computer goes to sleep. Changing these settings will require a user to logon with a password every time wake from sleep. Go to the GPO right click and select edit
IN GPMC, browse to: