" Kerberos for Windows 3.2.2 Release Notes 22 October 2007 Table of Contents * [1]Overview * [2]What's New in KfW 3.2.2 * [3]System * [4]Installation and * [5]Binaries * [6]Locating * [7]Kerberos 5 * [8]Kerberos 4 * [9]Modifying * [10]Kerberos 5 * [11]Kerberos 4 * [12]Using DNS * [13]Services * [14]Ticket * [15]Date and Time * [16]Command Line * [17]netidmgr.exe * [18]kinit.exe * [19]klist.exe * [20]kdestroy.exe * [21]Building from Sources * [22]Notes on the * [23]Leashw32 API * [24]Registry and * [25]Integration with * [26]GSS Sample * [27]Known Issues * [28]Release History * [29]To Do * [30]Developer * [31]Some older _________________________________________________________________ Overview MIT Kerberos for Windows (KfW) is an integrated [32]Kerberos release for Microsoft Windows operating systems. It includes Kerberos v4 library, Kerberos v5 library version 1.6.3, Kerberos v5 API library, Network Identity kinit/klist/kdestroy/krb524init/ms2mit/mit2ms credentials managers, and an in-memory credentials cache. Terminology Kerberos v4 (also Kerberos 4 or Kerberos version (also Kerberos 5 or Kerberos version 5) refer to of the Kerberos protocol. A protocol is a specification for how data is transmitted on a network. Kerberos credentials and Kerberos _________________________________________________________________ What's New in Kerberos for Windows 3.2.2 * Network Identity Manager Application * Always raise NetIdMgr window to foreground prompting for new credentials. * Password entry field now accepts 1024 * Add --show and --hide command line options. * Add View->All Identities menu item. * Add Set Default menu item to notification * Replace usage text with command-line option * Defines a new color schema. Color from the user's desktop theme. * Notification icon reflects status of the instead of all identities. * Add default identity information to * Fix resource leaks; erroneous return codes. * Correct behavior when new identity already restored. 
  * Correctly position context menus when opened
  * Correct selected identity display problems.
  * Correctly position New Credentials dialog.
  * Correct various race conditions and resulted in the display not being updated.
  * Correct column resizing problems.
  * Correct configuration cleanup problems.
  * Eliminate deadlock conditions.
  * Improve response to external registry
  * FILE: ccache performance improvements.
  * "Unable to load" errors are no longer plug-ins.
  * Kerberos v5 identity provider dialog horizontal scrolling.
* Credential Cache API changes
  * The CCAPI implementation is now Server.
* Kerberos v5 Library Improvements
  * Based on [33]MIT release 1.6.3.
  * MSLSA: ccache properly translates Unicode strings to the ANSI character set.
  * krb5_get_profile() is exported from krb5_32.dll.
* Installer Changes
  * Fix problems uninstalling older
  * Remove the registration requirement for installations when using the MSI installer.
  * MSVC DLLs include DST 2007 changes.
* Build system changes
  * NIM Schema files can now support external
  * Add static ordinals to DLL exports.
  * krbcc credential cache api implementation can now be compiled with
  * Enable builds on 64 bit Windows.
  * NIM API version is now 10.
_________________________________________________________________

System

Operating System

Kerberos for Windows 3.2 is designed for 32-bit 2000, XP, 2003, 2003 R2, Vista and WOW64 64-bit Windows XP, 2003, and Vista applications are not being distributed as part of this release.

Microsoft Redistributable DLLs

The following versions or newer of several freely Microsoft DLLs are required depending on the compiler release used to build the distribution. The MIT distribution is using the Microsoft Visual Studio .NET 2003 SP1 C/C++ compiler:

  Filename      Version       Description
  mfc71.dll     7.10.3077.0   MSVS.NET 2003
  msvcr71.dll   7.10.3031.4   MSVS.NET 2003
  msvcp71.dll   7.10.3077.0   MSVS.NET 2003
  psapi.dll     4.0.1198.1    Process Status

The KfW Installer will asterisk.
To see what Microsoft products ship with which DLLs, you can use the [34]DLL Help Database.

If you are not using the installer and you are DLLs, you can download the Microsoft Redistributable component from the [35]MIT Kerberos install each missing

Note: psapi.dll is also available by itself from the [36]Microsoft Download Center.
_________________________________________________________________

Installation and Binaries

Core Binaries

  Filename        Description
  krbv4w32.dll    Kerberos 4
  krbcc32.dll     Kerberos used by Kerberos 5 for in-memory
  krbcc32s.exe    Kerberos
  kclnt32.dll     KClient library -- required by some Kerberos (deprecated)
  krb5_32.dll     Kerberos 5
  krb524.dll      Kerberos 524
  leashw32.dll    Exports Ticket registry get/set/reset functions for (Used by third party applications.)
  xpprof32.dll    Kerberos 5
  comerr32.dll    Kerberos 5 Common Leash32.exe)
  gssapi32.dll    GSS API for
  wshelp32.dll    Winsock helper
  kinit.exe       command-line app
  klist.exe       command-line app
  kdestroy.exe    command-line app
  k524init.exe    command-line app credentials instead of a
  ms2mit.exe      command-line app to transfer Microsoft Kerberos credentials into the MIT Kerberos v5 credentials cache.
  mit2ms.exe      command-line app to transfer MIT Kerberos v5 contents to the Microsoft Kerberos LSA credentials application can be used on Microsoft Vista.
  kvno.exe        command-line app used to obtain one or more report the associated key version numbers. This tool is for testing the ability to obtain a service ticket via a TGT in a specific enc-type.
  kcpytkt.exe     command-line app used to copy a specific ticket caches.
  kdeltkt.exe     command-line app used to delete a specific ticket cache.

Network Identity Manager Binaries

  netidmgr.exe        Network Identity Manager main executable.
                      Provides information to Windows about which versions of libraries should be associated with netidmgr.exe.
  krb4cred.dll        Kerberos 4 credentials provider plug-in.
  krb4cred_en_us.dll  English (US) language resources for the Kerberos 4 credentials provider.
  krb5cred.dll        Kerberos 5 credentials provider and identity provider plug-in.
  krb5cred_en_us.dll  English (US) language resources for the Kerberos 5 credentials provider.
  nidmgr32.dll

It is recommended that all binaries be installed directory in the user's PATH. Make sure that you do not have other Kerberos binaries in your PATH. The default location is "%ProgramFiles%\MIT\Kerberos\bin".

Locating Kerberos

The simplest configuration is to put the krb5.ini, krb.con, and krbrealm.con configuration files in the Windows directory (or same directory as the Kerberos DLLs). The NSIS and WIX installers search for configuration files only in the Windows directory.

Kerberos 5

Kerberos 5 needs a single configuration file: it in the Windows directory as the DLL; setting the KRB5_CONFIG environment variable.

Kerberos 4

Kerberos 4 needs two configuration files, and krbrealm.con. You can put these files in the same directory as the DLL KRB4_KRB.REALMS or can set KRB4_CONFIG to force Kerberos 4 to look particular directory. If you do none of these, this is Kerberos 4 will search:

   3. %NDIR%\kerb\
   4. The current directory
   5. The Windows directory
   6. The Windows system directory
   7. The directory containing the executable file for task
   8. The directories in the path ([37]*)
   9. The list of directories mapped in a network
  10. %NDIR%\
  11. %ETC%\

(*) Note: If you put of the search is what will take you config file earlier in the search, that will take careful.

Modifying Kerberos

IMPORTANT: The Network Identity Manager Kerberos 5 and Kerberos 4 configuration files. NetIDMgr enforces a requirement that the Realm, KDC, and is equivalent for both Kerberos 4 and Kerberos true for your Realms, you should not use NetIDMgr to manage the configuration files. Instead

Kerberos 5

See the [38]krb5.conf [39](MIT website) section in the [40]Kerberos v5 System Administrator's Guide

Kerberos 4

It is anticipated that most sites using Kerberos Windows also will have an existing UNIX Kerberos infrastructure.
For that reason, the format of krb.con is identical to the UNIX krb.conf and the format of krbrealm.con is identical to the UNIX krb.realms. For many users, the easiest way to configure these files corresponding files from a properly configured.

The krb.con file contains configuration information Kerberos realm and the Kerberos key distribution center (KDC) servers krb.con contains the name of the local realm in the followed by lines indicating realm/host entries. The first token is a realm name, and the second is a hostname of a host running a KDC for that hostname indicate that the host also provides an administrative database server which is contacted when changing a user's password. For

    ATHENA.MIT.EDU
    ATHENA.MIT.EDU kerberos.mit.edu admin server
    ATHENA.MIT.EDU kerberos-1.mit.edu
    ATHENA.MIT.EDU kerberos-2.mit.edu
    LCS.MIT.EDU kerberos.lcs.mit.edu admin server

If this were your krb.con file and you wanted to change the default local

    CIT.CORNELL.EDU
    CIT.CORNELL.EDU kerberos.cit.cornell.edu admin server
    ATHENA.MIT.EDU kerberos.mit.edu admin server
    ATHENA.MIT.EDU kerberos-1.mit.edu
    ATHENA.MIT.EDU kerberos-2.mit.edu
    LCS.MIT.EDU kerberos.lcs.mit.edu admin server

The krbrealm.con file is the host-to-Kerberos realm translation file. This provides a translation from a local hostname to the Kerberos realm name for the services provided by that host. Each line of the translation file is in one the (domain_name should be of the form .XXX.YYY, e.g., .LCS.MIT.EDU):

    host_name kerberos_realm
    domain_name kerberos_realm

If a hostname exactly matches the host_name field in a line of the first form, the a hostname does not match any host_name in the file, but its domain exactly matches the domain_name field in a line of the second form, the If no translation to be the hostname's domain portion

Using DNS Lookups for Kerberos

What is it?
DNS lookups provide Kerberos the ability to Realm that a host belongs to and to find the servers with a given Realm by using the Domain Name Service instead of or in

When are DNS Lookups used?

DNS lookups are used in either of these two

* No krb.con file is found for Kerberos 4 or no krb5.ini file is found for Kerberos 5.
* The krb.con file or krb5.ini file contains a command to activate DNS Lookups and the lookup found in the appropriate configuration file.

To activate DNS lookups for Kerberos 4 when the krb.con file is present, add the following line to the entry (usually to the end):

    .KERBEROS.OPTION. dns

When DNS lookups are used, the first line in the krb.con file (which would contain the default realm) may that the default realm should be determined by a DNS

To activate DNS lookups for Kerberos 5 when the present, place:

    dns_lookup_kdc = true
    dns_lookup_realm = true

into the [libdefaults] section. If a "default_realm" entry is not provided, a DNS lookup will be performed to realm.

What entries go into the DNS?

Host to realm lookups are performed using DNS TXT records are:

    _kerberos.yclept.kermit.columbia.edu.   IN TXT "KRB5.COLUMBIA.EDU"
    _kerberos.columbia.edu.                 IN TXT "CC.COLUMBIA.EDU"

Realm to server lookups records

    _kerberos._udp.KRB5.COLUMBIA.EDU.       IN SRV 0 0 88   yclept.kermit.columbia.edu
    _kerberos._tcp.KRB5.COLUMBIA.EDU.       IN SRV 0 0 0    .
    _krb524._udp.KRB5.COLUMBIA.EDU.         IN SRV 0 0 4444 yclept.kermit.columbia.edu
    _kerberos-iv._udp.KRB5.COLUMBIA.EDU.    IN SRV 0 0 750  yclept.kermit.columbia.edu
    _kerberos-adm._tcp.KRB5.COLUMBIA.EDU    IN SRV 0 0 749  yclept.kermit.columbia.edu
    _kpasswd._udp.KRB5.COLUMBIA.EDU         IN SRV 0 0 464  yclept.kermit.columbia.edu

A DNS SRV record which specifies a port of "0" indicates that the requested service is not available in the requested realm.

Services

The Kerberos DLLs need to know what port to use Kerberos server.
Kerberos 4 now defaults to ports 750 (kerberos 750/udp kdc) and 751 kerberos or kerberos-master Kerberos 5 also has proper defaults (port 88 in case the services file is missing the entries for kerberos and kerberos-sec. If your site uses non-standard ports, you will file appropriate for your site.

Ticket Cache

The default for both Kerberos 4 and 5 is to store memory. You can specify the name of the ticket file and which it is stored via the environment variables KRBTKFILE (krb4) and KRB5CCNAME (krb5). The krb4 credentials are always stored in memory. In front of the name. There are also registry settings for these Leash will reveal where they are (look in HKCU\Software\MIT\Kerberos4 and Kerberos5). You can set machine-wide values by playing with

Kerberos 5 does support using file-based tickets, not recommend, as they

Date and Time Issues

Kerberos authentication uses time stamps as part When the clocks of the Kerberos server and your computer far out of synchronization, you cannot authenticate Both the Kerberos server and the Kerberos client depend on having clocks that is normally 5

The date and time on the machine running Kerberos "accurately" set. If the date or time is off "too far", Kerberos authentication will not work.

You can synchronize your clock using Leash32. It the name of the host to which you will synchronize. It saves information in the registry (under HKCU\Software\MIT\Leash32 -- you

By default, the server that the libraries contact the time is time. The domain name has been left off on purpose. If local system within the local domain the default. If local system administrators are opposed to reason, you can edit the resource LSH_TIME_HOST in the leashw32.dll to the name appropriate for your local site. You can also the header files from the source distribution and recompile for your local tweak the registry

You can also avoid this problem by running a configured, NTP program on your machine.
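The krb.con, krbrealm.con and DNS SRV lookups described in the "Locating Kerberos" and "Using DNS Lookups" sections above, modelled in Python as an added example (this is not KfW code; the sample files, zone data and the upper-casing of a defaulted realm are assumptions made here):

```python
"""
Added example (not KfW code): model of the realm/KDC lookups in the notes.
  * krb.con: first line is the local realm; later lines are "REALM host",
    optionally followed by "admin server"; ".KERBEROS.OPTION. dns" enables DNS.
  * krbrealm.con: "host realm" or ".domain realm"; exact host match wins, then
    exact domain match, else the realm is taken from the host's domain portion.
  * SRV records: _kerberos._udp.REALM etc.; port 0 means "service not offered".
"""
from dataclasses import dataclass

# Constructed sample files, modelled on the examples in the notes.
KRB_CON = """\
ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
.KERBEROS.OPTION. dns
"""
KRBREALM_CON = """\
yclept.kermit.columbia.edu KRB5.COLUMBIA.EDU
.columbia.edu CC.COLUMBIA.EDU
.lcs.mit.edu LCS.MIT.EDU
"""


def parse_krb_con(text):
    """Return (default_realm, {realm: [(kdc_host, is_admin_server)]}, options)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    default_realm, servers, options = lines[0], {}, set()
    for line in lines[1:]:
        fields = line.split()
        if fields[0] == ".KERBEROS.OPTION.":      # e.g. ".KERBEROS.OPTION. dns"
            options.update(fields[1:])
            continue
        realm, host = fields[0], fields[1]
        is_admin = fields[2:4] == ["admin", "server"]
        servers.setdefault(realm, []).append((host, is_admin))
    return default_realm, servers, options


def parse_krbrealm_con(text):
    """Split the translation file into host->realm and .domain->realm maps."""
    hosts, domains = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue                               # blank or malformed line
        name, realm = fields[0].lower(), fields[1]
        (domains if name.startswith(".") else hosts)[name] = realm
    return hosts, domains


def host_to_realm(hostname, hosts, domains):
    """Apply the krbrealm.con rules in the order the notes give them."""
    host = hostname.lower().rstrip(".")
    if host in hosts:                              # rule 1: exact host_name match
        return hosts[host]
    dot = host.find(".")
    domain = host[dot:] if dot >= 0 else ""
    if domain in domains:                          # rule 2: exact domain_name match
        return domains[domain]
    # rule 3: no translation, so assume the realm is the host's domain portion
    # (upper-casing it is an assumption made here, not stated in the notes)
    return domain.lstrip(".").upper()


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_kerberos._udp.KRB5.COLUMBIA.EDU."
    priority: int
    weight: int
    port: int
    target: str     # "." together with port 0 marks an unavailable service


# Constructed zone data, following the SRV examples in the notes.
SRV_RECORDS = [
    SrvRecord("_kerberos._udp.KRB5.COLUMBIA.EDU.", 0, 0, 88, "yclept.kermit.columbia.edu"),
    SrvRecord("_kerberos._tcp.KRB5.COLUMBIA.EDU.", 0, 0, 0, "."),
    SrvRecord("_kerberos-adm._tcp.KRB5.COLUMBIA.EDU.", 0, 0, 749, "yclept.kermit.columbia.edu"),
    SrvRecord("_kpasswd._udp.KRB5.COLUMBIA.EDU.", 0, 0, 464, "yclept.kermit.columbia.edu"),
]


def realm_servers(realm, service, proto, records):
    """Return [(host, port)] for service/proto in realm, lowest priority first.

    A record whose port is 0 means "not offered in this realm", so the result
    is empty even though a record exists; a realm with no record at all is
    also empty (a real client would then fall back to krb5.ini / krb.con).
    """
    owner = f"{service}.{proto}.{realm}".lower().rstrip(".")
    matches = [r for r in records if r.owner.lower().rstrip(".") == owner]
    if any(r.port == 0 for r in matches):
        return []
    matches.sort(key=lambda r: r.priority)         # stable: zone order within a priority
    return [(r.target.rstrip("."), r.port) for r in matches]
```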
_________________________________________________________________

Command Line

netidmgr

The command line options for netidmgr are:

  --kinit, -i      only perform a kinit and then exit
  --import, -m     only perform a ms2mit import and then exit
  --renew, -r      only perform a credential renewal and then exit
  --destroy, -d    only perform a kdestroy and then exit
  --autoinit, -a   perform a kinit if credential cache is empty
  --minimized      start netidmgr in minimized mode
  --show           unhide the Network Identity Manager window
  --hide           hide the Network Identity Manager window
  --exit, -x       shutdown any running instance of netidmgr

kinit

  Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life]
               [-f | -F | --forwardable | --noforwardable]
               [-p | -P | --proxiable | --noproxiable]
               [-A | --addresses | --noaddresses]
               [-v] [-R] [-k [-t keytab_file]] [-c cachename]
               [-S service_name] [principal]

  options:                                valid with Kerberos:
  -5   Kerberos 5 (available)
  -4   Kerberos 4 (available)
       (Default behavior is to try Kerberos 5)
  -V   verbose                            Either 4 or 5
  -l   lifetime                           Either 4 or 5
  -s   start time                         5
  -r   renewable lifetime                 5
  -f   forwardable                        5
  -F   not forwardable                    5
  -p   proxiable                          5
  -P   not proxiable                      5
  -A   do not include addresses           5
  -v   validate                           5
  -R   renew                              5, or both 5 and 4
  -k   use keytab                         5, or both 5 and 4
  -t   filename of keytab to use          5, or both 5 and 4
  -c   Kerberos 5 cache name              5
  -S   service                            5, or both 5 and 4

klist

  Usage: klist.exe [-5] [-4] [-e] [[-c] [-C] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]

  -5   Kerberos 5 (available)
  -4   Kerberos 4 (available)
       (Default is Kerberos 5)
  -c   specifies credentials cache
  -C   enumerates all credentials caches
  -k   specifies keytab
       (Default is credentials cache)
  -e   shows the encryption type
  options for credential caches:
    -f   shows credentials flags
    -s   sets exit status based on valid tgt existence
    -a   displays the address list
      -n   do not reverse-resolve
  options for keytabs:
    -t   shows keytab entry timestamps
    -K   shows keytab entry DES keys

kdestroy

  Usage: kdestroy.exe [-5] [-4] [-q] [-c cache_name]

  -5   Kerberos 5 (available)
  -4   Kerberos 4 (available)
       (Default is Kerberos 5 and Kerberos 4)
  -q   quiet mode
  -c   specify name of credentials cache
_________________________________________________________________

Building from Sources

Building KfW is supported on Windows 2000, Windows XP, and Windows Vista.

First, make sure that you have a Microsoft Visual Visual Studio 2005 compiler, a recent release of the [42]Microsoft Platform SDK (XP SP2 SDK is desired, the NTSecAPI.H file from the Vista SDK must be used in place of are to be supported), [43]ActiveState Perl (build 820 is known to work), [44]doxygen, sed, gawk, cat, sure that your before the Microsoft installed so that .pl files are You will so that the Makefiles work properly. Note that all KFW optional component. Rebuilding from sources is not required in order to debug KFW as packaged by MIT.

A script to build, sign and package all the KfW distribution components is provided. To

* Unzip the KfW source zip
* cd to
* Make sure the environment is set up as bkw-automation.html
* Run "bkw.pl /config bkwconfig.xml"

See the usage (bkw.pl /?) and for more details.
_________________________________________________________________

Notes on the

The Kerberos for Windows Scriptable Installation System Version the installer script are included as part of the KfW SDK component. These include:

  Edit  File                Description
  N     kfw.nsi             Top level install
  N     kfw-fixed.nsi       script containing kfw install functions
  N     utils.nsi           script containing installers
  Y     site-local.nsi      script containing distribution was compiled and where found
  N     KfWConfigPage.ini   page layout
  N     KfWConfigPage2.ini  page layout
  N     licenses.rtf        Kerberos 5 and
  N     kfw.ico             Kerberos for
  N     killer.cpp          Source code to during uninstall

To build an installer the site-local.nsi file must be modified to specify the appropriate installer you wish to build.
  Name                  Default Value    Description
  KFW_TARGETDIR                          path to directory lib\i386, doc, inc, install) where
  KFW_CONFIG_DIR                         path to directory krbrealm.con) to be bundled with installer
  KFW_MAJORVERSION      3                Major Version
  KFW_MINORVERSION      2                Minor Version
  KFW_PATCHLEVEL        0002             Four digit patchlevel of the installed files
  SAMPLE_CONFIG_REALM   ATHENA.MIT.EDU   Default realm
  HTTP_CONFIG_URL                        Default URL for must define one
  CL_1200                                Indicator that
  CL_1300                                Indicator that
  CL_1310                                Indicator that
  CL_1400                                Indicator that define at most if neither are specified, a time release versions of the runtime components.
  RELEASE                                Indicates that a includes release versions
  DEBUG                                  Indicates that a includes debug versions of optional
  BETA                                   A numeric beta

To build an installer

* cl.exe killer.cpp advapi32.lib
* "%PROGRAMFILES%\nsis\makensis.exe" kfw.nsi

It is worth noting that the distributed installer was built from the modifications to the NSIS\Source\exehead\config.h file:

* NSIS_MAX_STRLEN is defined to be 4096 to support very long PATH environment variables
* NSIS_CONFIG_LOG is defined
* NSIS_CONFIG_LOG_ODS is defined

The installer constructs the maintaining version and module specific

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos
  Class Name:
  Last Write Time:  1/15/2004 - 9:59 PM
  Value 0   Name: InstallDir                   Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 1   Name: Installer Language           Type: REG_SZ      Data: 1033

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Client
  Class Name:
  Last Write Time:  1/31/2004 - 3:47 AM

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Client\3.2.2
  Class Name:
  Last Write Time:  1/31/2004 - 3:47 AM
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2
  Value 8   Name: AllowTGTSessionKeyBackup     Type: REG_DWORD   Data: 0x1
  Value 9   Name: AllowTGTSessionKeyBackupXP   Type: REG_DWORD   Data: 0x1

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Client\CurrentVersion
  Class Name:
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Documentation
  Class Name:

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Documentation\3.2.2
  Class Name:
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\Documentation\CurrentVersion
  Class Name:
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\SDK
  Class Name:

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\SDK\3.2.2
  Class Name:
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2

  Key Name:         HKEY_LOCAL_MACHINE\SOFTWARE\MIT\Kerberos\SDK\CurrentVersion
  Class Name:
  Value 0   Name: VersionString                Type: REG_SZ      Data: 3.2.2
  Value 1   Name: Title                        Type: REG_SZ      Data: KfW
  Value 2   Name: Description                  Type: REG_SZ      Data: Kerberos for Windows
  Value 3   Name: PathName                     Type: REG_SZ      Data: C:\Program Files\MIT\Kerberos
  Value 4   Name: Software Type                Type: REG_SZ      Data: Authentication
  Value 5   Name: MajorVersion                 Type: REG_DWORD   Data: 0x3
  Value 6   Name: MinorVersion                 Type: REG_DWORD   Data: 0x2
  Value 7   Name: PatchLevel                   Type: REG_DWORD   Data: 0x2
_________________________________________________________________

Known Issues

* The Kerberos Credentials Cache implementation locking across calls. Each call is atomic, however.
* If the krbcc32s LRPC server process is ever another process is supposed to have a valid handle to it, the other story is: do not kill around (e.g., if Leash is running). In should never have to kill krbcc32s.
* If writing a server that uses Kerberos and Kerberos Credentials Cache as opposed to the Kerberos v5 file credentials cache (FILE:), please read the [47]krbcc32 Architecture documentation. (krbcc32 Architecture link works only if this is the

Leashw32 API

The list of functions used by third party developers is specified made to ensure that these functions will remain compatible in future releases.
However, no effort is made to ensure that subsequent releases of Leashw32.dll will maintain consistent entry functions is located in pismere/athena/auth/leash/include/leashwin.h or in the SDK at inc/leash/leashwin.h.

  Leash_kinit_dlg
  Leash_kinit_dlg_ex
  Leash_changepwd_dlg
  Leash_changepwd_dlg_ex
  Leash_kinit
  Leash_kinit_ex
  Leash_kdestroy
  Leash_klist
  Leash_checkpwd
  Leash_changepwd
  Leash_import
  Leash_importable
  Leash_renew
  Leash_reset_defaults
  Leash_timesync
  Leash_get_default_lifetime
  Leash_set_default_lifetime
  Leash_reset_default_lifetim
  Leash_get_default_renew_till
  Leash_set_default_renew_till
  Leash_reset_default_renew_till
  Leash_get_default_forwardable
  Leash_set_default_forwardable
  Leash_reset_default_forwardable
  Leash_get_default_renewable
  Leash_set_default_renewable
  Leash_reset_default_renewable
  Leash_get_default_noaddresses
  Leash_set_default_noaddresses
  Leash_reset_default_noaddresses
  Leash_get_default_proxiable
  Leash_set_default_proxiable
  Leash_reset_default_proxiable
  Leash_get_default_publicip
  Leash_reset_default_publicip
  Leash_get_default_use_krb4
  Leash_set_default_use_krb4
  Leash_reset_default_use_krb4
  Leash_get_default_life_min
  Leash_set_default_life_min
  Leash_reset_default_life_min
  Leash_get_default_life_max
  Leash_set_default_life_max
  Leash_reset_default_life_max
  Leash_get_default_renew_min
  Leash_set_default_renew_min
  Leash_reset_default_renew_min
  Leash_get_default_renew_max
  Leash_set_default_renew_max
  Leash_reset_default_renew_max
  Leash_get_lock_file_locations
  Leash_set_lock_file_locations
  Leash_reset_lock_file_locations
  Leash_get_default_uppercaserealm
  Leash_set_default_uppercaserealm
  Leash_reset_default_uppercaserealm
  Leash_get_default_mslsa_import
  Leash_set_default_mslsa_import
  Leash_reset_default_mslsa_import
  Leash_get_default_preserve_kinit_settings
  Leash_set_default_preserve_kinit_settings
  Leash_reset_default_preserve_kinit_settings
  Leash_get_lsh_errno
  initialize_lsh_error_table
  lsh_com_err_proc
  Leash_initialize_krb_error_func
  Leash_initialize_kadm_error_table
  Leash_krb_err_func
  Leash_load_com_err_callback
  Leash_set_help_file
  Leash_get_help_file

Registry and Network Identity Manager

Configuration options for Network Identity stored in the Windows registry. Each user registry hive or the machine registry hive or value defined in the user hive always overrides the value defined in the machine registry hive. All registry keys used by NetIDMgr exist under the key Software\MIT\NetIDMgr under the user and machine hive.

Common settings for NetIDMgr

The following sections describe a partial list of be specified for NetIDMgr. as a set of registry values. Each section is registry key under which the values of that section must be specified.

General settings

Registry key: 'Software\MIT\NetIDMgr\CredWindow'
--------------

Value   : AutoInit
Type    : DWORD (0 or 1)
Default : 0
  If this value is '1', shows the new credentials dialog if there are no credentials when NetIDMgr starts.

Value   : AutoImport
Type    : DWORD (0 or 1)
Default : 1
  If '1', imports credentials from the Windows LSA cache when NetIDMgr starts.

Value   : AutoDetectNet
Type    : DWORD (0 or 1)
Default : 1
  If '1', automatically detects network connectivity changes. Network connectivity change notifications are then sent out to individual plug-ins which can perform actions such as renewing credentials or obtaining new credentials.

Value   : DestroyCredsOnExit
Type    : DWORD (0 or 1)
Default : 0
  If '1', all credentials will be destroyed when NetIDMgr exits.

Value   : HideWatermark
Type    : DWORD (0 or 1)
Default : 0
  If '1', the Network Identity Manager watermark logo will not be displayed in the application window.

Value   : KeepRunning
Type    : DWORD (0 or 1)
Default : 1
  If '1', when the NetIDMgr application is closed, it will continue to run in the Windows System Notification Area (System Tray). The application can be exited by choosing the 'Exit' menu option. If '0', closing the application will cause it to exit completely.
Common Plug-in

Registry key: 'Software\MIT\NetIDMgr\PluginManager\Plugins\'
--------------

The '' is one of the following for the standard plug-ins:

  Krb5Cred  : Kerberos 5 credentials provider
  Krb5Ident : Kerberos 5 Identity provider
  Krb4Cred  : Kerberos 4 credentials provider

Consult the vendors for the plug-in names of other third party plug-ins. Additionally, the plug-ins configuration panel in the NetIDMgr application provides a list of currently registered plug-ins.

Value   : Disabled
Type    : DWORD (0 or 1)
Default : 0
  If '1', the plug-in will not be loaded.

Value   : NoUnload
Type    : DWORD (0 or 1)
Default : 0
  If '1', the plug-in will not be unloaded from memory when the NetIDMgr application exits or if the plug-in is stopped. The plug-in binary will remain loaded until NetIDMgr terminates.

Settings for the

Registry key: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
--------------

Value   : CreateMissingConfig
Type    : DWORD (0 or 1)
Default : 0
  If '1', creates any missing configuration files.

Value   : DefaultToFileCache
Type    : DWORD (0 or 1)
Default : 0
  If '1' and no DefaultCCName is specified for an identity, use a generated FILE: cache instead of an API: cache.

Value   : MsLsaImport
Type    : DWORD (0, 1 or 2)
Default : 1
  Controls how credentials are imported from the MSLSA cache. This setting can be one of the following:
    0 : Never
    1 : Always
    2 : Only if the principal matches
  Note that this setting only controls how the Kerberos 5 plug-in handles importing of credentials from the MSLSA cache. Whether or not credentials are imported at start-up is controlled via general NetIDMgr settings as described in section 3.1.1.

Value   : MsLsaList
Type    : DWORD (0 or 1)
Default : 1
  If '1', includes credentials from the MSLSA cache in the credentials listing.

Value   : AutoRenewTickets
Type    : DWORD (0 or 1)
Default : 1
  If '1', automatically renews expiring tickets. The thresholds at which renewals happen are controlled in general NetIDMgr settings.
Value   : UseFullRealmList
Type    : DWORD (0 or 1)
Default : 0
  If '1', uses the full realms list as determined by parsing the krb5.ini configuration file in the new credentials dialog box. If this is '0', only the most recently used list of realms will be used.

Per-identity

Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\\Krb5Cred'
Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters\Realms\<realm>'
Registry key 3: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
--------------

These settings are generally maintained per-identity. However, if a particular setting is not specified for an identity or if the identity is new, then the values will be looked up in the per-realm configuration key and in the global parameters key in turn. Global defaults should be set in the global parameters key (key 3).

Value   : DefaultLifetime
Type    : DWORD
Default : 36000
  Default ticket lifetime, in seconds.

Value   : MaxLifetime
Type    : DWORD
Default : 86400
  Maximum lifetime, in seconds. This value is used to set the range of the user interface controls that allow setting the lifetime of a ticket.

Value   : MinLifetime
Type    : DWORD
Default : 60
  Minimum lifetime, in seconds. This value is used to set the range of the user interface controls that allow setting the lifetime of a ticket.

Value   : Forwardable
Type    : DWORD (0 or 1)
Default : 1
  Obtain forwardable tickets.

Value   : Proxiable
Type    : DWORD (0 or 1)
Default : 0
  Obtain proxiable tickets.

Value   : Addressless
Type    : DWORD (0 or 1)
Default : 1
  Obtain addressless tickets.

Value   : Renewable
Type    : DWORD (0 or 1)
Default : 1
  Obtain renewable tickets.

Value   : DefaultRenewLifetime
Type    : DWORD
Default : 604800
  Default renewable lifetime, in seconds.

Value   : MaxRenewLifetime
Type    : DWORD
Default : 2592000
  Maximum renewable lifetime, in seconds. The value is used to set the range of the user interface controls that allow setting the renewable lifetime of a ticket.
Value : MinRenewLifetime
Type : DWORD
Default : 60

Minimum renewable lifetime, in seconds. This value is used to set the range of the user interface controls that allow setting the renewable lifetime of a ticket.

Settings for the

Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\\Krb4Cred'
Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred\Parameters'
---------------

These settings are also maintained per identity. However, if the setting is not specified for some identity or if the identity is new, then the global default will be used (registry key 2). Global defaults should be set in the second registry key.

Value : Krb4NewCreds
Type : DWORD (0 or 1)
Default : 1

If '1', obtains Kerberos 4 credentials. Note that currently, only one identity can have Kerberos 4 credentials at one time.

Value : Krb4Method
Type : DWORD (0, 1 or 2)
Default : 0

Method for obtaining Kerberos 4 credentials. The values are as follows:
0 : Automatically determine method
1 : Use password
2 : Use Kerberos 5 to 4 translation

Value : DefaultLifetime
Type : DWORD
Default : 36000

The default ticket lifetime, in seconds.

Value : MaxLifetime
Type : DWORD
Default : 86400

Maximum lifetime, in seconds. This value is used to set the range of the user interface controls that allow setting the lifetime.

Value : MinLifetime
Type : DWORD
Default : 60

Minimum lifetime, in seconds. This value is used to set the range of the user interface controls that allow setting the lifetime.

Leash32 DLL

default lifetime ( minutes )
1. Use LIFETIME environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,lifetime) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,lifetime) if present.
4. Otherwise, use Kerberos 5 profile if present
5. Otherwise, use resource string if present.
6. Otherwise, default to 0.

default renew till time ( minutes )
1. Use RENEW_TILL environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,renew_till) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,renew_till) if present.
4. Otherwise, use Kerberos 5 profile if present
5. Otherwise, use resource string if present.
6. Otherwise, default to 0.

default renewable tickets setting ( 0 or 1 )
1. Use RENEWABLE environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,renewable) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,renewable) if present.
4. Otherwise, use Kerberos 5 profile if present
5. Otherwise, use resource string if present.
6. Otherwise, default to 0.

default forwardable tickets setting ( 0 or 1 )
1. Use FORWARDABLE environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,forwardable) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,forwardable) if present.
4. Otherwise, use Kerberos 5 profile if present
5. Otherwise, use resource string if present.
6. Otherwise, default to 1.

default addressless tickets setting ( 0 or 1 )
1. Use Kerberos 5 profile setting (or default) if TRUE.
2. Otherwise, use NOADDRESSES environment value if defined.
3. Otherwise, use value from registry (HKCU\Software\MIT\Leash,noaddresses) if present.
4. Otherwise, use value from registry (HKLM\Software\MIT\Leash,noaddresses) if present.
5. Otherwise, use resource string if present.
6. Otherwise, default to 1.

default proxiable tickets setting ( 0 or 1 )
1. Use PROXIABLE environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,proxiable) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,proxiable) if present.
4. Otherwise, use Kerberos 5 profile if present
5. Otherwise, use resource string if present.
6. Otherwise, default to 0.

default public ipv4 address ( unsigned long, network
1. Use PUBLICIP environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,publicip) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,publicip) if present.
4. Otherwise, use resource string if present.
5. Otherwise, default to 0.

request kerberos iv tickets ( 0 or 1 )
1. Use USEKRB4 environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash,usekrb4) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash,usekrb4) if present.
4. Otherwise, use resource string if present.
5. Otherwise, default to 0.

hide advanced kinit options in dialog ( 0 or 1 )
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,hide_kinit_options) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,hide_kinit_options) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 0.

minimum kinit dialog lifetime ( minutes )
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,life_min) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,life_min) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 5.

maximum kinit dialog lifetime ( minutes )
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,life_max) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,life_max) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 1440.

minimum kinit dialog renew till time ( minutes )
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,renew_min) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,renew_min) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 600.

maximum kinit dialog renew till ( minutes )
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,renew_max) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,renew_max) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 43200.

upper case realm:
1. Use value from registry (HKCU\Software\MIT\Leash32\Settings,uppercaserealm) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash32\Settings,uppercaserealm) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 1.

timesync host:
1. Use TIMEHOST environment value if defined.
2. Otherwise, use value from registry (HKCU\Software\MIT\Leash32\Settings,timehost) if present.
3. Otherwise, use value from registry (HKLM\Software\MIT\Leash32\Settings,timehost) if present.
4. Otherwise, use resource string if present.
5. Otherwise, default to #defined value "time".

Preserve ticket initialization dialog
1. Otherwise, use value from registry (HKCU\Software\MIT\Leash,preserve_kinit_options) if present.
2. Otherwise, use value from registry (HKLM\Software\MIT\Leash,preserve_kinit_options) if present.
3. Otherwise, use resource string if present.
4. Otherwise, default to 0.

Kerberos 4:

A. location of krbrealm & krbconf:
1. First, check for environment overrides:
   a. Use %KRB4_KRB.REALMS% as full filename for realms file if defined.
   a. Use %KRB4_KRB.CONF% as full filename for config file if defined.
   b. Otherwise, look for krbrealm.con and krb.con in dir %KRB4_CONFIG%.
2. If nothing defined so far, look in registry:
   a. HKCU\Software\MIT\Kerberos4,krb.realms for realms full pathname.
   a. HKCU\Software\MIT\Kerberos4,krb.conf for config full pathname.
   b. HKCU\Software\MIT\Kerberos4,config as dir for both files.
   c. HKLM\Software\MIT\Kerberos4,krb.realms for realms full pathname.
   c. HKLM\Software\MIT\Kerberos4,krb.conf for config full pathname.
   d. HKLM\Software\MIT\Kerberos4,configdir as dir for both files.
3. If any of the above are set, use it even if the files are not there. If none of them are set, use the old krb4 search.

B. ticket file
1. %KRBTKFILE% if defined
2. Registry setting, if setting is present (HKCU\MIT\Kerberos4,ticketfile)
3. Registry setting, if setting is present (HKLM\MIT\Kerberos4,ticketfile)
4. Otherwise, "API:krb4cc".
( If a file-based cache is ever supported for Kerberos 4, code should do this:
4. %TEMP%\ticket.krb, if var defined and dir exists
5. %TMP%\ticket.krb, if var defined and dir exists
6. c:\temp\ticket.krb if c:\temp exists
7. c:\tmp\ticket.krb if c:\tmp exists
8. GetWindowsDirectory()\ticket.krb as a last-ditch default? It's either that or c:\ticket.krb! )

Kerberos 5:

A. location of krb5.ini:
1. %KRB5_CONFIG% if defined
2. (HKCU\Software\MIT\kerberos5,config) if defined
3. (HKCU\Software\MIT\kerberos5,config) if defined
4. Otherwise, use GetWindowsDirectory()\krb5.ini

B. Default credentials cache name
1. %KRB5CCNAME% if defined
2. (HKCU\Software\MIT\kerberos5,ccname) if defined
3. (HKLM\Software\MIT\kerberos5,ccname) if defined
4. If RegKRB5CCNAME is set under [Files] in kerberos.ini, look at that path in the registry (code already in krb5 for compat with Gradient DCE installations, I believe).
5. Otherwise, if using CCAPI, default to "API:krb5cc". if no CCAPI, use "FILE:" with:
   a. %TEMP%\krb5cc, if var defined and dir exists
   b. %TMP%\krb5cc, if var defined and dir exists
   c. c:\temp\krb5cc if c:\temp exists
   d. c:\tmp\krb5cc if c:\tmp exists
   e. GetWindowsDirectory()\krb5cc as a last-ditch default? it's either that or c:\krb5cc!

C. MSLSA: credential cache client principal
1. (HKCU\Software\MIT\Kerberos5,PreserveInitialTicketIdentity) if defined
2. (HKLM\Software\MIT\Kerberos5,PreserveInitialTicketIdentity) if defined
3. Default is 1.

_________________________________________________________________

Integration with Microsoft Kerberos LSA

As of the Kerberos v5 1.3.2 release, a new cache been added for use in accessing the Session credentials cache. The MSLSA: cache is the user logon is performed using Kerberos either to an Active Directory Domain or a non-Microsoft KDC. Windows support contains to be read-write on Windows Vista.
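The lookup orders listed above (Leash32 defaults first, then the krb5 configuration file and credential cache name) are the usual reason a client picks up a setting the administrator did not expect. As an added example, not code from Kerberos for Windows, the same precedence is modelled below in Python so it can be exercised offline: the environment, the HKCU and HKLM hives, the krb5.ini [libdefaults] entries, the DLL resource strings and the filesystem are plain dictionaries and sets; the `Host` class and every name and value in `demo()` are constructed for the demonstration; and the kerberos.ini RegKRB5CCNAME compatibility step is left out. It also carries the one ordering exception the list calls out: for addressless tickets a true profile setting is honoured before the environment and the registry are consulted.

```python
"""Added example (not code from Kerberos for Windows): the Leash32 and krb5
default-lookup orders documented in the release notes, modelled offline.

The environment, the HKCU/HKLM registry hives, the krb5.ini [libdefaults]
section, the DLL resource strings and the filesystem are replaced by plain
dictionaries and sets; every name and value below is constructed.
"""

LEASH = "Software\\MIT\\Leash"
KRB5 = "Software\\MIT\\kerberos5"


def first_defined(*candidates, default=None):
    """Return the first candidate that is not None, otherwise the default.
    Testing for None (not truthiness) keeps a registry value of 0 in play."""
    for value in candidates:
        if value is not None:
            return value
    return default


class Host:
    """Constructed stand-in for one machine's environment, registry and disk."""

    def __init__(self, env=None, hkcu=None, hklm=None, profile=None,
                 resources=None, dirs=(), windows_dir="C:\\WINDOWS"):
        self.env = env or {}
        self.hkcu = hkcu or {}            # {(key path, value name): data}
        self.hklm = hklm or {}
        self.profile = profile or {}      # [libdefaults] entries from krb5.ini
        self.resources = resources or {}  # resource strings built into the DLL
        self.dirs = set(dirs)             # directories that exist
        self.windows_dir = windows_dir    # what GetWindowsDirectory() would return

    def leash_default(self, env_var, reg_name, profile_name, default):
        """The common Leash32 order: environment variable, HKCU, HKLM,
        Kerberos 5 profile, resource string, built-in default."""
        return first_defined(
            self.env.get(env_var),
            self.hkcu.get((LEASH, reg_name)),
            self.hklm.get((LEASH, reg_name)),
            self.profile.get(profile_name),
            self.resources.get(reg_name),
            default=default,
        )

    def addressless_default(self):
        """Addressless tickets are the exception: a true profile setting wins
        before the environment and the registry are consulted."""
        if self.profile.get("noaddresses"):
            return 1
        return first_defined(
            self.env.get("NOADDRESSES"),
            self.hkcu.get((LEASH, "noaddresses")),
            self.hklm.get((LEASH, "noaddresses")),
            self.resources.get("noaddresses"),
            default=1,
        )

    def krb5_ccache_name(self, have_ccapi=True):
        """Default krb5 ccache name: KRB5CCNAME, HKCU ccname, HKLM ccname,
        then API:krb5cc when CCAPI is available, else a FILE: cache in the
        first temp directory that exists (RegKRB5CCNAME step omitted)."""
        name = first_defined(
            self.env.get("KRB5CCNAME"),
            self.hkcu.get((KRB5, "ccname")),
            self.hklm.get((KRB5, "ccname")),
        )
        if name is not None:
            return name
        if have_ccapi:
            return "API:krb5cc"
        candidates = [self.env.get("TEMP"), self.env.get("TMP"), "c:\\temp", "c:\\tmp"]
        for directory in candidates:
            if directory and directory in self.dirs:
                return "FILE:" + directory + "\\krb5cc"
        return "FILE:" + self.windows_dir + "\\krb5cc"   # last-ditch default


def demo():
    """Walk one constructed host through the lookups and return the results."""
    host = Host(
        env={"TEMP": "C:\\Users\\alice\\Temp", "TMP": "C:\\missing"},
        hklm={(LEASH, "lifetime"): 600, (LEASH, "noaddresses"): 0},
        profile={"ticket_lifetime": 36000, "noaddresses": True},
        dirs={"C:\\Users\\alice\\Temp"},
    )
    return {
        # HKLM is consulted before the profile, so 600 wins over 36000
        "lifetime": host.leash_default("LIFETIME", "lifetime", "ticket_lifetime", 0),
        # no source defines renew_till, so the built-in default applies
        "renew_till": host.leash_default("RENEW_TILL", "renew_till", "renew_lifetime", 0),
        # profile noaddresses=true is honoured before HKLM noaddresses=0
        "noaddresses": host.addressless_default(),
        # without CCAPI the cache lands in %TEMP%, which exists; %TMP% does not
        "ccache": host.krb5_ccache_name(have_ccapi=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

`first_defined` deliberately tests for None rather than truthiness, so a registry value of 0 (noaddresses = 0 in HKLM, say) is respected instead of being skipped in favour of a later source.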
restrictions on the use of Kerberos tickets when Control (UAC) when the active account is a member of the local machine Administrators group. In that situation, MSLSA: support is disabled. Users are strongly encouraged to not login to Windows machine Administrators not compatible with the future Microsoft as part of Windows Vista SP1. after the Windows Vista SP1 release.

A user is able to logon to Windows using the machine is part of a Windows 2000 or Windows 2003 Active Directory domain or if the machine has been configured to authenticate to a instructions for configuring a Windows 2000 XP authenticate to a non-Microsoft KDC are documented in TechNet somewhere. In brief:

3. Install the Windows 2000 or XP support tools in the tools: KSETUP.EXE and KTPASS.EXE.
4. Install the Windows 2000 or XP Resource Kit to KERBTRAY.EXE and KLIST.EXE
5. Add Realms and associated KDCs with: KSETUP /AddKdc []. If you leave off the DNS SRV records will be used.
6. Specify the password change service host for KSETUP /AddKpasswd
7. Assign the realm of the local machine with: where realm must be all upper case.
8. Assign the local machine's password with: /SetComputerPassword
9. Specify the capabilities of the Realm KDC /SetRealmFlags [ None, SendAddress, TcpSupported, Delegate, or NcSupported,
10. Map principal names to local accounts with:

On the MIT KDC, you must then "Password" assigned to the machine. So principals required appear to be for a machine in the realm "EXAMPLE.COM" with a domain name of
* host/mymachine@EXAMPLE.COM
* host/mymachine.example.com@EXAMPLE.COM
* cifs/mymachine@EXAMPLE.COM
* cifs/mymachine.example.com@EXAMPLE.COM

There may very well be other services for which created depending on what services are being executed on machine.
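Once the ksetup steps above have been carried out, the realm, KDC and mapping configuration that ksetup prints is the first thing to review on a workstation. As an added example that is not part of these release notes, the following Python parses that listing into a structure and reports entries worth a second look. The sample text is the listing reproduced further down in this section, with the indentation ksetup normally prints restored; the three review rules (realm names are upper case, as step 7 requires; a realm listing no KDC will rely on DNS SRV records, as step 5 notes; a wildcard principal-to-account mapping is in effect) are this example's own and are not something the notes prescribe.

```python
"""Added example (not part of the KfW release notes): parse the listing that
ksetup prints and point out entries an administrator should review.

SAMPLE_LISTING is the listing reproduced in the MSLSA section of the notes,
with the indentation ksetup prints restored; the audit rules are this
example's own.
"""
import re

SAMPLE_LISTING = """\
[C:\\4\\4NT]ksetup
default realm = KRB5.COLUMBIA.EDU (external)
ATHENA.MIT.EDU:
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    kdc = kerberos-2.mit.edu
    kdc = kerberos-3.mit.edu
    Realm Flags = 0x0 none
CC.COLUMBIA.EDU:
    kdc = kerberos.cc.columbia.edu
    Realm Flags = 0x0 none
GRAND.CENTRAL.ORG:
    kdc = penn.central.org
    kdc = grand-opening.mit.edu
    Realm Flags = 0x0 none
KRB5.COLUMBIA.EDU:
    kdc = yclept.kermit.columbia.edu
    Realm Flags = 0x0 none
OPENAFS.ORG:
    kdc = virtue.openafs.org
    Realm Flags = 0x0 none
Mapping jaltman@KRB5.COLUMBIA.EDU to jaltman.
Mapping jaltman@CC.COLUMBIA.EDU to jaltman.
Mapping jaltman@ATHENA.MIT.EDU to jaltman.
Mapping all users (*) to a local account by the same name (*)
"""

# "Mapping user@REALM to account." (the trailing period is optional)
MAPPING_RE = re.compile(r"^Mapping (\S+@\S+) to (\S+?)\.?$")


def parse_ksetup(text):
    """Turn ksetup's listing into {default_realm, realms, mappings}."""
    config = {"default_realm": None, "realms": {}, "mappings": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):           # blank, or the echoed prompt
            continue
        if line.startswith("default realm = "):
            config["default_realm"] = line[len("default realm = "):].split()[0]
        elif line.endswith(":"):                        # "REALM:" opens a realm block
            current = line[:-1]
            config["realms"][current] = {"kdc": [], "flags": 0, "flag_names": []}
        elif line.startswith("kdc = ") and current:
            config["realms"][current]["kdc"].append(line[len("kdc = "):])
        elif line.startswith("Realm Flags = ") and current:
            value, _, names = line[len("Realm Flags = "):].partition(" ")
            config["realms"][current]["flags"] = int(value, 16)
            config["realms"][current]["flag_names"] = [] if names == "none" else names.split()
        elif line.startswith("Mapping all users (*)"):  # the catch-all mapping rule
            config["mappings"]["*"] = "*"
        else:
            match = MAPPING_RE.match(line)
            if match:
                config["mappings"][match.group(1)] = match.group(2)
    return config


def audit(config):
    """Return review findings for a parsed listing (this example's own rules)."""
    findings = []
    for realm, info in config["realms"].items():
        if realm != realm.upper():
            findings.append(f"realm {realm} is not upper case")
        if not info["kdc"]:
            findings.append(f"realm {realm} lists no KDC; DNS SRV records will be relied on")
    default = config["default_realm"]
    if default and default not in config["realms"]:
        findings.append(f"default realm {default} has no realm entry")
    if "*" in config["mappings"]:
        findings.append("a wildcard mapping lets any principal use a local account of the same name")
    return findings


if __name__ == "__main__":
    parsed = parse_ksetup(SAMPLE_LISTING)
    print("default realm:", parsed["default_realm"])
    for realm, info in parsed["realms"].items():
        print(f"{realm}: {len(info['kdc'])} KDC(s), flags {info['flags']:#x}")
    for finding in audit(parsed):
        print("review:", finding)
```

Run against the page's own listing, the only finding is the catch-all mapping on the last line; a listing whose realm name is lower case or has no kdc lines produces one finding per rule, which is the kind of check a build or logon script can run after ksetup.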
It is very important to note that while you can into a Windows workstation by authenticating to the KDC without creating a host key; the logon session you receive will not be a Kerberos Logon no LSA cache to

The result of a real KSETUP configuration looks

[C:\4\4NT]ksetup
default realm = KRB5.COLUMBIA.EDU (external)
ATHENA.MIT.EDU:
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    kdc = kerberos-2.mit.edu
    kdc = kerberos-3.mit.edu
    Realm Flags = 0x0 none
CC.COLUMBIA.EDU:
    kdc = kerberos.cc.columbia.edu
    Realm Flags = 0x0 none
GRAND.CENTRAL.ORG:
    kdc = penn.central.org
    kdc = grand-opening.mit.edu
    Realm Flags = 0x0 none
KRB5.COLUMBIA.EDU:
    kdc = yclept.kermit.columbia.edu
    Realm Flags = 0x0 none
OPENAFS.ORG:
    kdc = virtue.openafs.org
    Realm Flags = 0x0 none
Mapping jaltman@KRB5.COLUMBIA.EDU to jaltman.
Mapping jaltman@CC.COLUMBIA.EDU to jaltman.
Mapping jaltman@ATHENA.MIT.EDU to jaltman.
Mapping all users (*) to a local account by the same name (*)

The MSLSA: credential cache relies on the ability entire Kerberos ticket including the session key from the Kerberos LSA. In an attempt to increase security Microsoft has begun to session keys for Ticket of making them useless to the MIT krb5 request additional service tickets. This new feature has been seen in Windows 2003 Server SP4, and Windows XP SP2. We assume that it will implemented in all future Microsoft operating systems supporting the provided a

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)

On Windows XP SP2 the key is

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey = 0x01 (DWORD)

It has been noted that the Microsoft Kerberos LSA enough information within its KERB_EXTERNAL_TICKET properly construct the Client Principal simply by examining a single ClientName KERB_EXTERNAL_NAME structure the ticket. This name

DomainName UNICODE_STRING that contains corresponds to the ServiceName member. This is the domain that issued the

TargetDomainName UNICODE_STRING that contains the ticket is valid. For an interdomain ticket, this is the destination domain.

AltTargetDomainName UNICODE_STRING that contains a synonym for the domain.

Every domain has two names: a DNS name and a If the name returned in the ticket is different from the name used to may do Unfortunately, there is no field here which the client. In order for the krb5_ccache to properly report client principal name, the client principal name is constructed by associated with the use of the TGT info and instead of the current ticket define one of the depending on whether the change should be system global or for the current user.

HKLM\Software\MIT\Kerberos5\
PreserveInitialTicketIdentity = 0x0 (DWORD)

HKCU\Software\MIT\Kerberos5\
PreserveInitialTicketIdentity = 0x0 (DWORD)

As of KFW 2.6.4 it may be possible sometime in correct client realm to be obtained from the LSA credential contents. However, it will require a fix from Microsoft which at the

Microsoft Windows XP64 and 2003 64-bit edition implement the LSA Kerberos functionality within the WOW64 compatibility environment. As a result, calling the LSA functions the MSLSA ccache support is disabled in these Microsoft has fixed this problem as of Windows Vista Beta 2.

_________________________________________________________________

GSSAPI Sample Client (gss.exe):

The GSS API Sample Client provided in this compatible with the gss-server systems. This client is not compatible SDK/Samples/Security/SSPI/GSS/ samples which shipping as of January 2004. Revised versions of these are available upon request to krbdev@mit.edu. Microsoft is committed to distribute revised samples which are compatible with the MIT

The following configuration options may be set connections with a compatible server:

* Hostname the GSS Sample Server is running. The previous ten hostnames used
* Port Server is listening. A value of 0 means use the default or port 4444.
* GSS Service Name This is the GSS formatted name of the service. This is not a Kerberos 5 principal. The format is service-name@fqdn which will be converted to the Kerberos 5 principal service-name/fqdn@REALM where REALM is derived from the fully qualified mapping table in the KRB5.INI Service Names will be preserved between
* Test Message A string of up to 256 characters in length which will be used as a test message to send to the GSS Sample Server. The between invocations.
* CCache Name The name of the Kerberos 5 Credentials Cache which GSS session. credential cache as specified by the variable or the registry. The drop down list is with the names of the existing Kerberos 5 credential caches. To simply enter the
* Mechanism (OID) An Object Identifier is used to specify which GSS Mechanism should be used when negotiating the connection. In all specified or even known by the field is therefore only to be used by implementations.
* Verbose Output Generate lots of messages into the output window. Unchecking this option will significantly reduce the amount
* Delegation Checking this box will cause the GSS API to delegate (or in Kerberos speak, forward) its user credentials (a TGT) to the GSS Sample for this to work. (default is off)
* Mutual authentication will be requested. (default is on)
* Replay will be requested. (default is on)
* Sequence sequencing will be requested. (default is off)
* Version 1 of the MIT Kerberos 5 GSS Sample Server. Certainly anything post the Krb5 1.2 release does not use Version 1
* No Auth send the test message. Without authentication GSS Encrypt, and GSS Mic operations are not available.
* No Wrap messages.
* No Encrypt Do not perform GSS Encrypt operations on the test messages.
* No Mic Do not perform GSS Mic operations on the test messages.
* Call Count How many times should a connection to the GSS Server be established?
* Message Count For each connection, how many copies of the test message should be sent?
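The GSS Service Name conversion described in the option list above (service-name@fqdn becoming service-name/fqdn@REALM, with REALM taken from the mapping table in KRB5.INI) decides which service principal the client asks the KDC for, and therefore which key the sample server must hold. The following Python is an added example, not code from gss.exe: `realm_for_host` is a simplified version of how a [domain_realm] table is consulted (an exact host entry first, then the most specific ".parent.domain" entry, then the default realm), and the `DOMAIN_REALM` table and `DEFAULT_REALM` are constructed for the demonstration.

```python
"""Added example (not code from the GSS sample client): convert the GSS
host-based service name the client accepts (service-name@fqdn) into the
Kerberos 5 principal service-name/fqdn@REALM, with REALM taken from a
[domain_realm] mapping table like the one in KRB5.INI.

realm_for_host is a simplified reimplementation of the library rule (exact
host first, then the longest matching ".domain" suffix, then the default
realm); the table and default realm below are constructed.
"""

# Constructed [domain_realm] section. Keys starting with "." cover every host
# under that domain; keys without the leading dot match a single host only.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    "legacy.example.com": "OLD.EXAMPLE.COM",
    ".mit.edu": "ATHENA.MIT.EDU",
}
DEFAULT_REALM = "EXAMPLE.COM"   # constructed [libdefaults] default_realm


def realm_for_host(host, table=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """Pick the realm for a host the way a [domain_realm] table is consulted."""
    host = host.lower().rstrip(".")
    if host in table:                     # an exact host entry wins
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):       # then the most specific ".parent" entry
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default_realm                  # nothing matched: fall back


def gss_name_to_principal(gss_name, table=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """service@fqdn -> service/fqdn@REALM; anything else is rejected."""
    service, at, host = gss_name.partition("@")
    if not at or not service or not host or "/" in service:
        raise ValueError(f"not a host-based GSS name: {gss_name!r}")
    host = host.lower().rstrip(".")       # principals carry the canonical lower-case host
    return f"{service}/{host}@{realm_for_host(host, table, default_realm)}"


if __name__ == "__main__":
    for name in ("host@mail.example.com", "ftp@legacy.example.com",
                 "host@www.mit.edu", "host@printer.other.org"):
        print(f"{name:28} -> {gss_name_to_principal(name)}")
```

Note the order of the table lookups: the single-host entry for legacy.example.com takes precedence over the ".example.com" wildcard, which is why a host can be moved to another realm without touching the rest of the domain. A host that matches nothing lands in the default realm, so a misspelt table key shows up as a request to the wrong KDC rather than as an error.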
The Output window is a read-only text edit field which will allow text to be Press the Test button to begin a test and the application.

_________________________________________________________________

Release History

In general, the latest release of KfW is recommended. However, it may be useful (and looking at its release history.

3.2.1
* Improvements to the Network Identity
  * Add HideWatermark capability.
  * Remove default identity background color.
  * Correctly update display when
* 2007 DST aware C Run-time Library included.

3.2.0
* Improvements to the Network Identity
  * A simplified basic mode has been added to credentials dialog". The basic mode replaces browser with a button that can be used to access the configuration functions. This advanced mode credential browser and a tabbed view of the configuration dialogs for
  * A new command-line option to netidmgr.exe is shutdown a running instance of Network Identity Manager. Specify "-x" or "-exit" to force the existing instance to terminate.
  * The use of ellipsis on menu items now Guide. Ellipsis is only used when additional required from the user before carrying out the designated action. If displaying a dialog is the action, no ellipsis is used.
  * Improved handling of window focus when dialogs.
  * Reduce the number of alerts presented to the duplicates into a single alert.
  * Do not generate alerts if there is nothing to correct the situation. Alerts that are displayed actions the user can take if desired.
  * Renew and Destroy menus provide "All" and names" as choices.
  * The Renew and Destroy toolbar buttons permitting the action to be applied to either "All" or one specific identity.
  * The "default" action of left clicking the now configurable. The default NIM window". The alternate is to open the new credentials dialog. This can be specified by the user on the General Options
  * The alerter window can now display multiple simultaneously.
  * Ensure that the NIM window is displayed on If not, move it to the primary desktop and center
  * New Basic mode display that shows only the and its expiration time. Use F7 or to the previous display that is configurable by the user to show details about each credential.
  * New Color Scheme derived from current Scheme.
  * Improved display updating algorithms reduce
  * The proper icon sizes are now used in the the status bar.
  * Plug-in Help can now be added to the Help
  * A Taskbar button is visible when the Dialog is created.
* Network Identity Manager Kerberos v5 Support
  * Do not show cached prompts to user if they
  * Correct the possibility that a krb5_ccache twice.
  * Import settings from Kerberos Profile if defaults specified in the registry. Support settings.
  * An identity that matches the MSLSA will not credentials from the MSLSA if the user obtained the credentials
  * When importing an identity from the MSLSA seen before, create an entry in the identity database.
  * Do not attempt to renew non-renewable
  * Permit an identity to be configured as if it doesn't have any credentials.
* Kerberos v5 Library Improvements
  * Based on MIT release 1.6.1
  * On Vista MSLSA: krb5_ccache can be used including TGTs for alternative principals to the LSA cache
  * On Vista a more efficient interface for of the LSA credential cache is available.
  * Vista support is only built if the Vista NTSecAPI.H is used.
  * On Vista, if a process is UAC limited, the that no tickets are present in the cache rather than return tickets with invalid session keys.
  * get_os_ccname() uses GetEnvironmentVariable() instead of getenv() allows returned by problem where a gssapi application would trigger an Obtain New Credentials prompt from NIM only to have it obtain the wrong credential
* Winsock Helper Library Improvements
  * DNS queries that terminate with a dot the hostnames listed within the DNS response successful return. This resulted in "kinit -4" failing to find the KDCs.
* Integrated Logon Improvements
  * Remove the reliance on the Windows Logon replace it with a LogonScript that executes kfwlogon.dll via a call to logon functionality Windows 2000 to Windows Vista.
  * Disable the use of integrated logon if called as a result of a non-interactive logon. non-interactive logon does not process the specified LogonScript. As a result, the intermediate credential cache file would not
  * Obtained credentials are stored into an API whose name is API:
  * Add a debugging mode which when Application Event Log.
    [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
    DWORD "Debug"
* Leash32 Library Changes
  * Modify the leash functions to use parse ticket_lifetime and renew_lifetime from the profile. Previously the leash integer representation of minutes without This change is for consistency with KFM and the krb5 library.
  * Modify the private functions acquire_tkt_for_princ() and acquire_tkt_no_princ() that are called from gssapi32.dll so that they will work on principal is only imported if it matches the and no credentials for that identity are present.
  * Remove all AFS functionality.

3.1.0
* Improvements to the Network Identity
  * A serious memory leak has been fixed
  * Principal names containing numbers are no invalid
  * Locales other than en_US are now supported
  * Arbitrary sort ordering of credentials
  * Support for FILE: ccaches
  * Credential properties may be selected by the
  * User selected font support
  * Tool Tip support added to the Toolbar
  * Identities can be added without obtaining
  * Kerberos 5 Realm editor has been
  * A serious thread safety error in the Kerberos 5 result in premature application termination.
* The MSLSA: ccache is disabled in WOW64 environments prior to Microsoft Windows Vista Beta 2
* .EXE installer built using NSIS 2.18
* .MSI installer built using WIX 3.0.0
* Kerberos 5 library updated to release change in this release is that the Kerberos 5 safe for use in multi-threaded applications. See [48]Kerberos 5 README file for details of additional changes in the
* Kerberos 4 support is beginning to be [49]phased out. The default for new installations is to not tickets in the Network Identity Manager or kinit.exe.
* The Leash credential manager has been modular framework for identity manager called the Identity Manager.
  * It ships with a Kerberos 5 identity manager multiple Kerberos 5 Identities and allows the user to select which one should be used as the default.
  * It ships with Kerberos 5 and Kerberos 4 users to obtain Kerberos 5 and Kerberos 4 credentials
  * An AFS plug-in is available separately Inc. which will [51]OpenAFS for Windows
  * Organizations that wish to develop their encouraged to contact [52]kfw-bugs@mit.edu
* A new KFW Network Provider is installed to login time for the default realm and store them into the user credential cache.
* Microsoft Windows 95, 98, ME, and NT 4.0 are no
* The aklog utility is no longer of [53]OpenAFS for Windows 1.4.0.

2.6.5
* Correct incompatibility between Kerberos 5 Windows 2000 (introduced in 2.6.4)
* Kerberos 5 library updated to release security holes which could allow a rogue KDC to execute arbitrary code on the for details of the changes in the distribution.
* Add a new MSI based installation option for need to distribute KFW via group policy. The installer is part of the KFW SDK. The MSI may be customized via the use of MSI transforms. See the file install\wix\msi-deployment-guide.txt for details.

2.6.4
* Solve problem in MSLSA: ccache which would result in premature process Kerberos credentials were not manager.
* Apply automatic import restrictions from the cache to the GSSAPI acquire credentials code when
* Kerberos 5 library updated to release README file for details of the changes in the version 1.3.4 distribution.
* Add support for the location of the AllowTGTSessionKey registry value in Windows XP SP2 to the
* Add support for Terminal Server installer

2.6.3
* Prevent Leash from flooding the KDC with the Windows Logon Session is authenticated using

2.6.2
* The behavior of the Leash automatic from the MSLSA credentials cache is now configurable. Options include never, always, and only if the MSLSA principal belongs to the
* Kerberos Ticket Initialization options modified Initialization dialog may now optionally be preserved.
* A memory access error introduced in 2.6.1 This problem was traced to errors in MFC CSingleLock class.

2.6.1
* Kerberos 5 library updated to release README file for details of the changes in the version 1.3.3 distribution.
* Fixes a compatibility issue with Windows 98 after the 2.6 release.
* Leash and aklog obtain AFS tokens via Kerberos 5 without requiring the use of a krb524 daemon.
* The Kerberos 5 command line utilities are now included in the distribution.
* The Leash Change Password function once passwords are expired.

2.6.0
* Leash has been turned into a System Tray
* Leash implements IP address change detection conjunction with KDC Probing to determine when dialogs for obtaining tickets should be displayed to the end user
* Leash API functions no longer display failure
* Kerberos 5 Credential Cache Name changes are
* aklog support for Kerberos 5 credentials has been now the default. Use the -4 switch if you wish to use aklog with Kerberos 4 credentials.
* krb5_cc api support for accessing the Microsoft Kerberos cache in read-only mode. Use a ccache name of "MSLSA:".
* KClient and GSSAPI libraries will now automatically Leash Obtain Ticket Getting Tickets dialog box when a request for service tickets is made and no TGTs exist. This can be disabled by KERBEROSLOGIN_NEVER_PROMPT.
* The Leash online help functionality has been HtmlHelp engine is now used instead of WinHelp. been updated.
* A new installer based on the open source NullSoft Installation System is provided. allow for customization.
* A new GSS Sample Application client has been distribution which is compatible with the Unix gss-server sample service.
* Improvements to the Winsock Helper Library avoid several problems related to initializing the list of DNS servers. Whenever possible the operating system versions of versions.

2.5.1
* The order of Kerberos 5 and Kerberos 4 credential tree are reversed
* Status Bar string formatting corrected for
* Automatic Ticket Renewals performed on AFS
* Error dialogs are suppressed for when using check password, kinit, and
* AFS Tokens are obtained via a krb524 of a in preference to obtaining a Kerberos 4 AFS Ticket

2.5.0 (includes all changes since 2.1)
* Kerberos v5 support is from MIT Kerberos v5 addition to bug fixes, this release of Kerberos 5 includes several important changes:
  * The public API has been more clearly file now marks non-public functions with KRB5_PRIVATE and deprecated functions with KRB5_DEPRECATED. You should not define these
  * The krb5_32.dll exports have been cleaned up functions are no longer exported) to try to reflect that API. However, the Kerberos 5 DLL still exports some private functions that are implementation. Make sure you do not use krb5_32.def).
  * The Kerberos 5 ccache and keytab accessors are now functions instead of macros.
  * The Kerberos 524 ticket conversion functions into the Kerberos 5 library. A krb524.dll is backward compatibility with the krb524.dll distributed by http://www.rose-hulman.edu/TSC/software/wake/documentation/compiling/krb5
  * The library default is now to retrieve addressless tickets. This can be a problem for previous behavior and enable Leash "noaddresses = false" to the "[libdefaults]" section of the KRB5.INI file.
  * GSS Kerberos OID constants are exported
* Leash Credential Manager improvements:
  * Leash behaves nicely with missing or files
  * Autogeneration of missing configuration files based upon records or Microsoft Windows Domain configuration. Configurable by
  * Importation of Microsoft Windows Domain Credentials Cache supported via Actions->Import
  * Ability to manage DNS KDC Lookup setting Properties Dialog
  * Renew Kerberos credentials without Tickets (^R)
  * KRB524 support
    * used to retrieve Kerberos 4 Kerberos 4 kinit
    * used to retrieve Kerberos 4 credentials
    * used to retrieve Kerberos 4 credential importation
  * New Ticket Initialization and Change
  * Addressless Kerberos 5 tickets configuration (when contains [libdefaults] noaddresses = false)
  * Renewable Kerberos 5 tickets configuration
  * Automatic Ticket Renewal re-news/re-imports and obtains new Kerberos 4 tickets via KRB524 when either Kerberos 4 or Kerberos 5 credentials are about to expire. Options->Automatic
  * On startup, if the credential cache is empty logon session is Kerberos authenticated, the Windows Kerberos credentials are imported
  * New command line options:
    * -ms2mit, -import, Logon Session (and exit)
    * -renew, -r renews credentials (and exit)
    * -destroy, -d destroys credentials (and exit)
    * -autoinit, -a performs ticket initialization only if the credential cache is empty
  * Expired Tickets can now be destroyed
  * Prompter dialogs added to support hardware mechanisms
  * Kerberos 4 ticket retrieval can now be the KRBV4W32.DLL via the Leash Properties dialog
  * Kerberos 4 and Kerberos 5 configuration file be locked
  * Leash now obeys instructions for Minimize, window creation
  * New Icons and Toolbar images
  * Ticket Encryption Types and Addresses are 5 tickets
  * Andrew File System token retrieval (if AFS® Version 3.6 are installed.)
  * Leashw32 API expanded to provide access to the Initialization and Change Passwords dialogs; and get/set/reset
  * New Leash End User documentation provided in

KfW 2.2
* Never officially released beyond Beta
* Kerberos v5 support from MIT Kerberos v5

KfW 2.1.2
* Kerberos v5 support is from MIT Kerberos v5 release of Kerberos v5 includes the ms2mit program to transfer a user's Microsoft Windows domain Kerberos credentials into the MIT
* ms2mit was removed from the Extra Binaries package now part of the included MIT Kerberos v5 component.
* The Microsoft Redistributable Components package includes the Winsock 2 Update for Windows 95. A pointer to download
* The release notes have been significantly

KfW 2.1.1
* Kerberos v5 support is from MIT Kerberos v5
* KfW now works on Windows XP. (The RPC endpoint credentials cache had to be shortened for XP.)

KfW 2.1
* "Kerberos for Win32" is now "Kerberos for Windows", or "KfW" for short.
* Kerberos v4 and v5 now build with [54]DNS support by default.
* Kerberos v5 support is from MIT Kerberos v5
* Various buffer overflow vulnerabilities in fixed.
* The in-memory Kerberos Credentials Cache new. Fleavius is now obsolete. In-memory credentials cache now implemented via a LRPC (local remote procedure call) mechanism. The automatically started). On such process per Windows Each Windows NT/2000 credentials cache. Even Windows NT/2000 not allow a process to access the cache of the user is impersonating. This is by design. This implementation far more robust than the fleavius implementation. It can support a very large the LRPC implementation is than the fleavius implementation. For more information, [56]krbcc32 Implementation documentation at athena/auth/krbcc/doc/architecture.txt and athena/auth/krbcc/doc/implementation.txt documentation links work only if this is the

Pre-KfW Era

Before there was KfW, MIT had other and even for DOS (gasp!). Read on if you dare...
Kerberos for Microsoft Operating Systems Release

This was a version of KfW before it was called KfW. It had an in-memory credentials cache (called fleavius) that had problems, including large memory footprint, a single per-machine shared

A Long, Long Time Ago...

Once upon a time, 16-bit DOS support at one point. As far as MIT Kerberos days are best forgotten.

_________________________________________________________________

Upcoming in a Future KFW

* Improved documentation.
* Removal of Kerberos 4 libraries
* Support for 64-bit Windows

_________________________________________________________________

Important notice regarding Kerberos 4

In the past few years, inadequacy of the security of version 4 of the These developments have led the MIT Kerberos Team to process of ending support for version 4 of the Kerberos protocol. The plan involves the eventual removal of Kerberos 4 support from the

The Data Encryption Standard useful life. DES is the only encryption Kerberos 4, and the increasingly obvious inadequacy of motivates the retirement of the Kerberos 4 protocol. The National previously has officially announced[1] the Information Processing Standards (FIPS) for NIST's action reflects the long-held opinion of the community that DES has too small a key space to be secure. Breaking DES encryption by an exhaustive search of its key space is within the major governments. for any long-term keys, is central to Kerberos.

Serious protocol flaws[2] have been fl permit attacks which require far less exhaustive search of the DES key space. These flaws make Kerberos 4 cross-realm authentication an unacceptable security risk and raise serious Kerberos 4 protocol.

The known insecurity of DES, discovered protocol flaws, make it extremely the security of version 4 of the Kerberos factors motivate the MIT Kerberos Team to remove support for Kerberos version 4 from the MIT implementation of Kerberos. The process of ending of MIT Kerberos 5.
In release 1.3, the configuration of the KDC disables support for version 4 of the Kerberos protocol. Release 1.4 of MIT Kerberos continues to include default run-time remove Kerberos 4 support from some Kerberos, possibly as early as the 1.5 release of MIT

The MIT Kerberos Team has except for the eventual removal of all We will continue to provide critical security fixes 4, but routine bug fixes and feature enhancements are at an

We recommend that any sites which have not already done so begin a advantages over encryption, extensibility, improved interoperability, and ongoing development and enhancement. If you have questions or 5, we recommend discussing them on the list.

References

[1] National Institute of Approval of the Withdrawal of Federal Standard (FIPS) 43-3, Data Encryption Standard 74, Guidelines for Implementing and Using the NBS Data Standard; and FIPS 81, DES Modes of Operation. Federal Register 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45

[2] Tom of Unauthenticated Encryption: Kerberos Version 4. In Proceedings of the Network and Distributed Systems Security Symposium. The Internet Society, February http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf

_________________________________________________________________

Developer Notes

Network Identity Framework

See devdocs.chm in the SDK

Some older notes from prior releases...

3. Modification of the Kerberos 4 credential We encountered a addressed even though it broke some backwards found that if someone used a Kerberized application multiple PPP sessions a Kerberos error would be generated and few applications would catch this error and try to get new tickets instead.

E.g. Suppose a user starts a PPP connection and then starts Eudora, fetching mail. The user then decides to close down the PPP connection they initiate a new PPP Note that the user never exited Eudora. user for their name and password Eudora will generate message.
The only way for the user to recover the functionality would be to use Leash, Kview, or kdestroy to destroy their old tickets so that Eudora

This happened because user each time that user reconnects Kerberos ticket includes the machine's local IP address in encrypted form this is used by most servers to ensure that the ticket has not Since the local IP it should be easy to compare this address at the same time that an application is the ticket has expired. Unfortunately the IP address in the ticket is encrypted in the server's session key and so is inaccessible to Instead we borrowed an to store the local IP address, is cached in the local cache. Within the KClient function IsCredExpired() or the ticket has not expired and the IP address stored in the ticket.

This implies that krbv4w32.dll, of different errors when using Kerberized applications. The generated will be BAD_TKT_FILE_FORMAT or NO_TKT_FILE. Users of applications implementations may also be affected. E.g. some software from FTP, Inc.

3. Add a new function to the KClient DLL. This function is SendTicketsForService (). It function. Before everyone complains explanation. Qualcomm has been would supports both Kerberos v4 and v5. From what I have heard is a commercial implementation. It ignores GSS or other abstraction layers above the Kerberos layer that application developers should write as such it will not share the ticket cache with implementations that may reside on the user's system. Platinum and Qualcomm interface. Eudora uses this new function if it In this case it does not use the thunking application KERB16. We have duplicated that Eudora will not GPF. Please DO THIS FUNCTION.

3. We stole an idea from Cornell. If the clock is we are trying to obtain a ticket we synchronize the clock and try again. We inform the user if this occurred.

4.
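The address-bound credential check described in the Kerberos 4 credential note above, written out as an added example rather than KClient's own code: the struct, the function names (is_cred_expired, refresh_if_stale, simulate_ppp_reconnect) and the 10.0.0.x addresses are all hypothetical, and KClient's real IsCredExpired() signature is not shown on this page. It also shows the client behaviour the note asks for, re-obtaining a ticket after a PPP reconnect instead of surfacing the error.

```c
/* Added example, not KfW or KClient code: models the Kerberos 4 credential
 * check described above.  KClient's real IsCredExpired() signature is not
 * shown on the page; every name and value here is hypothetical. */
#include <stdint.h>
#include <time.h>

#define IP_PPP_SESSION_1 0x0A000005u  /* 10.0.0.5: constructed sample address    */
#define IP_PPP_SESSION_2 0x0A000009u  /* 10.0.0.9: address after a PPP reconnect */

typedef struct {
    uint32_t local_ip;  /* local address recorded beside the ticket when obtained */
    time_t   expires;   /* absolute expiry time of the ticket */
} cached_cred_t;

typedef enum { CRED_OK = 0, CRED_EXPIRED = 1, CRED_ADDR_CHANGED = 2 } cred_status_t;

/* The address inside the ticket is encrypted in the server's key and unreadable
 * by the client, so the copy stored beside it is compared on every use: a
 * lapsed lifetime or a changed local address both mean "do not reuse". */
cred_status_t is_cred_expired(const cached_cred_t *c, time_t now, uint32_t current_ip)
{
    if (now >= c->expires)         return CRED_EXPIRED;
    if (c->local_ip != current_ip) return CRED_ADDR_CHANGED;
    return CRED_OK;
}

/* What a well-behaved Kerberized application does on a failed check: discard
 * the stale ticket and obtain a new one (modelled by re-recording the current
 * address and a fresh expiry).  Returns 1 if re-authenticated, 0 if reused. */
int refresh_if_stale(cached_cred_t *c, time_t now, uint32_t current_ip, time_t lifetime)
{
    if (is_cred_expired(c, now, current_ip) == CRED_OK) return 0;
    c->local_ip = current_ip;
    c->expires  = now + lifetime;
    return 1;
}

/* Scripted PPP disconnect/reconnect across three mail fetches; returns the
 * number of re-authentications the client had to perform (exactly one). */
int simulate_ppp_reconnect(void)
{
    cached_cred_t c = { IP_PPP_SESSION_1, 1000 };
    int n = 0;
    n += refresh_if_stale(&c, 500, IP_PPP_SESSION_1, 600); /* same session: reuse  */
    n += refresh_if_stale(&c, 700, IP_PPP_SESSION_2, 600); /* new address: re-auth */
    n += refresh_if_stale(&c, 900, IP_PPP_SESSION_2, 600); /* new ticket reused    */
    return n;
}
```

An application that ignores the CRED_ADDR_CHANGED result is in the position the note describes: it keeps presenting a ticket bound to an address it no longer has and sees a Kerberos error on every request until the old ticket is destroyed.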
Fixed up some problems relating to DLL WSAStartup () will This was needed to handle some initialization under Win32 when multiple applications were using the DLL at the same time. Also fixed up some initialization of the com_err functions due to similar issues.

5. Added two new functions to leashw32.dll. The Leash_set_help_file(char*szHelpFile) which allows an application developer to the dialog box presented when using the Leash_kinit() If the argument is NULL the function will check the environment variable of kerberos.hlp will be used. The other function is Leash_get_help_file() which allows an application developer to defined in lshfunc.c.

6. Fix the send_auth so that we do not fail on a null realm. Also detects when an invalid socket descriptor has been passed. (Special thanks

References

1. #intro
2. #_What's_New_in
3. #requirements
4. #config
5. #config_bin
6. #config_locate
7. #config_locate_krb5
8. #config_locate_krb4
9. #config_modify
10. #config_modify_krb5
11. #config_modify_krb4
12. #config_dns
13. #config_services
14. #config_cache
15. #config_time
16. #command_line
17. #leash32
18. #kinit
19. #klist
20. #kdestroy
21. #build
22. #installer_notes
23. #leashw32_api
24. #devnotes_registry
25. #mslsa
26. #gss-client
27. #issues
28. #history
29. #todo
30. #devnotes
31. #devnotes_old
32. http://web.mit.edu/kerberos/
33. http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.3.html
34. http://support.microsoft.com/servicedesks/fileversion/dllinfo.asp
35. http://web.mit.edu/network/kerberos-form.html
36. http://www.microsoft.com/downloads/release.asp?ReleaseID=30337
37. #c1
38. athena/auth/krb5/doc/admin.html#SEC17
39. http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.2/doc/krb5-admi
40. athena/auth/krb5/doc/admin_toc.html
41. http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.2/doc/krb5-admi
42. http://www.microsoft.com/msdownload/platformsdk/sdkupdate/
43. http://www.activestate.com/
44. http://www.doxygen.org/
45. http://cygwin.com/
46. http://nsis.sourceforge.net/site/index.php
47. athena/auth/krbcc/doc/architecture.txt
48. http://web.mit.edu/kerberos/krb5-1.4/README-1.4.3.txt
49. #kerberos_4_bad
50. https://www.secure-endpoints.com/
51. http://www.openafs.org/
52. mailto:kfw-bugs@mit.edu
53. http://www.openafs.org/
54. #config_dns
55. athena/auth/krbcc/doc/architecture.txt
56. athena/auth/krbcc/doc/implementation.txt