When installed in a typical Vista environment, Bear Access and the SALSA infrastructure do not behave the same way as they did under Windows XP. Because of the increased security measures in Vista, even users logged in as an Administrator do not have Read/Write privileges to the C:\Program Files or the C:\Windows folder structures. As a result, SALSA and Bear Access behave much like they do for a Restricted User running in Windows XP.
This document will help you choose a method to use if you plan to run SALSA and the Bear Access clients under Windows Vista. Please be aware that SALSA may not work after the Kerberos 4 to Kerberos 5 migration is completed in 2008. Three alternatives are presented, with increasing levels of risk as you proceed down the list of choices. In all three cases, it is assumed that you are running as an Administrator and can therefore respond to UAC requests to elevate your privileges. If you are not an Administrator, then even with these changes you won't be able to update an installer-based service that needs Administrative privileges, but you will be notified that an update exists and the installer can be downloaded.
If you have any questions or would like to provide additional tips, please feel free to send e-mail to ba-feedback-l@cornell.edu.
Install and run without Updates (Similar to Windows XP restricted User)
The following steps will allow you to run Bear Access on a daily basis after initially using the Administrator account to install, update and configure Bear Access clients. This provides only a minimal level of support for SALSA but preserves the new security model in Vista. You can still launch applications using the Bear Access channel in uPortal.Cornell but automatic updates will not be available.
Administrator Processing
- Run the Bear Access installer (setup.exe)
- After installing Bear Access, launch Runway (Start->Programs->Bear Access->Bear Access via Runway) by right-clicking and selecting Run as Administrator.
- Click on each service to ensure that it is up to date.
- After all services have been selected, turn off updating (Edit->Salsa Preferences) and close Runway.
- Reboot the computer to clear any applications that are executing as an Administrator.
User Processing
- After restarting, select Bear Access via uPortal.Cornell (Start->Programs->Bear Access->Bear Access via uPortal.Cornell) then click on services as you normally would.
- The first time you click on a service based on SALSA, you will see a security warning that Agent Harry, the Bear Access helper application, is trying to run (see illustration).
- Select "Do not show me the warning for this program again" and click Allow. Subsequent uPortal.Cornell SALSA requests will happen silently as they do under Windows XP.
Update Processing
If you need to install an application at a later date or you were notified that an existing application needs to be updated, you need to follow these steps:
- Launch Runway (Start->Programs->Bear Access->Bear Access via Runway) by right-clicking and selecting Run as Administrator.
- Turn on Updating (Edit->Salsa Preferences)
- Click on the new service or the service that needs updating and let SALSA install or update the software
- Launch the service to ensure that all components have been installed and configured.
- Turn off updating (Edit->Salsa Preferences) and close Runway
- Reboot the computer to clear any applications that are executing as an Administrator.
Grant Folder Access (Similar to Windows XP Power User)
The second way to access the Bear Access clients while running Vista offers the ability to update services while still preserving most of the new security features found in Vista. In order for Bear Access to be able to update client software, users will need to have R/W (Full Control) access to the following folders (and sub-folders) after running the Bear Access installer.

| Folder (create any missing folders) | Contents |
| --- | --- |
| C:\Windows\ProjectSalsa | SALSA preferences and services information |
| C:\Program Files\Project Salsa | Symantec's Java Runtime libraries and Runway (Runway.ini) |
| C:\Program Files\CU Services | Many of the Java applications and JREs |
| C:\Program Files\Bear Access | Bear Access clients and download location for installers |
| C:\Windows\JCUlib | Some older Java applications and JREs |

The following folder is optional but if it is not writeable and an update requires a restart because one or more file(s) were being used when SALSA attempted to update them, the update will not be completed because access to vcsrenam.ini is restricted. This should not be a big problem with client software since it is unlikely that a user would be running another copy at the same time that an update is provided, but it could happen.

| Folder | Contents |
| --- | --- |
| C:\Windows | Kerberos and Sidecar routines; also used to handle delayed renaming of active files following a restart. |

You can change permissions either through the security tab in the folder properties or using the Vista icacls command.
(ex: icacls "%windir%\ProjectSalsa" /T /grant "%username%":F)
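
The icacls example above applied to all five required folders, as an added batch script that is not part of the original Bear Access documentation. It assumes an elevated command prompt opened by the same Administrator account that will run Bear Access; the backup location and the use of the (OI)(CI) inheritance flags are choices made for this example, and the optional C:\Windows grant is left out.

```bat
@echo off
rem Added example, not Bear Access project code.
rem Run from a command prompt started with "Run as Administrator".
setlocal

rem Assumption: the account that needs access is the logged-in user.
set "ACCOUNT=%USERNAME%"
rem Assumption: hypothetical folder used to keep the original ACLs.
set "BACKUP=%USERPROFILE%\salsa-acl-backup"
if not exist "%BACKUP%" mkdir "%BACKUP%"

call :grant "%windir%\ProjectSalsa"        ProjectSalsa
call :grant "%ProgramFiles%\Project Salsa" Project_Salsa
call :grant "%ProgramFiles%\CU Services"   CU_Services
call :grant "%ProgramFiles%\Bear Access"   Bear_Access
call :grant "%windir%\JCUlib"              JCUlib
goto :eof

:grant
rem %~1 = folder path, %2 = name of the ACL backup file
rem The page says to create any missing folders.
if not exist "%~1" mkdir "%~1"
rem Save the current ACLs first so the change can be reverted with icacls /restore.
icacls "%~1" /save "%BACKUP%\%2.acl" /T /C >nul
rem F = Full Control, as the page requires. (OI)(CI) lets files and
rem sub-folders created by later updates inherit the grant; /T covers
rem what already exists; /C continues past individual file errors.
icacls "%~1" /grant "%ACCOUNT%":(OI)(CI)F /T /C
if errorlevel 1 echo FAILED: %~1
goto :eof
```

Running icacls on each folder afterwards with no options lists the resulting entries, which confirms the grant landed only on the folders named in the table.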
Run as Administrator (Similar to Windows XP Administrator)
The third possible way to access the Bear Access clients while running Vista is to launch Runway or your browser as an Administrator. Running in this manner bypasses many of the new security features found in Vista because any application that you launch from Runway or that browser is also running in the context of an Administrator. As an Administrator, if an installer is launched, you will not receive the UAC prompt to elevate your privilege level because the installer was launched as an Administrator. Similarly, if you opened a rogue web site using an instance of Internet Explorer that was spawned as a result of being launched by Runway, that site could potentially download and install software, similar to what could have been done in Windows XP.
Help with Bear Access:
helpdesk@cornell.edu
Comments/suggestions about Bear Access:
ba-feedback-l@cornell.edu
Last Modified:
March 27, 2007