KfW Integrated Logon

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Oct 29 17:02:53 EDT 2004

Maurice Massar wrote:

> hi,
> On 2004-10-29, Jeffrey Altman <jaltman2 at nyc.rr.com> wrote:
>>Logon Session.  At the present time there is no secure method by which
>>a Network Provider can obtain Kerberos tickets for you via KFW and
>>pass them into the Logon Session for use by your applications.
> does that mean what openafs is optionally doing cannot be done securely?
> Or do I have to wait until samba4 is ready with kerberos support?
> cu
> maurice


I am not sure you are clear on the relationship between Kerberos,
OpenAFS and Samba.  Kerberos is an authentication system which is
used by applications to prove the identities of two parties via a
trusted third party (the Kerberos Key Distribution Center [KDC]).

The relationship of OpenAFS to Kerberos is that AFS uses Kerberos
as the authentication mechanism to prove the identities of the
file system client and the file server.

Samba is an open source implementation of the CIFS (aka SMB)
file management and printer protocols implemented within Microsoft
Windows.  As of Windows 2000, the CIFS protocol has an option to
use Kerberos as an authentication mechanism between its clients
and servers.

When OpenAFS is used on Windows and the user account stores the
Windows Profile in the AFS file system there is a requirement that
the AFS Client Service (afs file system client) possess the Kerberos
based AFS authentication token prior to the moment that Windows
attempts to read the profile out of the file system.  This is
performed by installing a Network Provider module into the Windows
Login process.  The Network Provider is given access to the user's
name and password so that the necessary credentials can be obtained
prior to the creation of the Logon Session for the user.  Creating
the Logon Session requires access to the Windows Profile for the

What OpenAFS does in the Network Provider (afslogon.dll) is:

(1) using the username and password provided at login, it performs
     a Kerberos kinit to obtain a TGT

(2) with the TGT, it obtains an AFS service ticket

(3) with the AFS service ticket, it creates an AFS token

(4) the AFS token is then inserted into the AFS Client Service and
     bound to the local machine representation of the user

At no point does this process require access to the User's Logon 
Session.  In fact, at the point which this operation is performed
the User's Logon Session does not yet exist.

Now KFW is different from OpenAFS.  KFW provides the user via the
Leash Ticket Manager and its in memory credential cache the ability
to obtain Kerberos tickets and make them available to other
applications which are written to the MIT Kerberos API.

The KFW Credentials Cache is kept secure by storing it in memory
which is allocated in the context of the User's Logon Session.  Since 
the Logon Session does not exist it is not possible to do this.  Hence, 
there is no place at login time for KFW to place a TGT which can be
securely accessed only from within the User's Logon Session.

Windows 2000 and later support Kerberos natively so that it can
utilize Kerberos to authenticate access to CIFS services (remote
shares and printers) as well as other services.  Windows maintains a 
Kerberos credentials cache as part of its LSA.  Kerberos tickets are
placed into the LSA cache at login time.  At the present time, Windows 
is able to store tickets into this cache but third party applications 
cannot.  Third party applications such as KFW can read from the LSA 
cache.  Therefore, if you want to have Kerberos tickets available from 
within the logon session you can configure your Windows machine to
authenticate to the non-MS KDC and KFW will obtain the tickets via the LSA.

Jeffrey Altman

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
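The ordering constraint the message above describes can be made concrete with a small model. The block below is an added illustration written for this page; it is not OpenAFS, KfW or Windows code. It models the three credential stores the message names (the AFS Client Service token store, a KfW in-memory cache that lives inside a Logon Session, and the LSA cache that only Windows writes) and the order of events at logon, so that running the afslogon.dll-style provider succeeds while a hypothetical provider that tries to park a TGT in a KfW memory cache fails because no session exists yet. The realm `EXAMPLE.ORG`, the cell name `example.cell`, the user `alice` and the acceptance of any non-empty password are constructed assumptions.

```python
"""Added toy model (not OpenAFS or KfW code) of the credential-placement
ordering described in the message: a Network Provider can obtain an AFS token
before the user's Logon Session exists, a KfW in-memory credential cache cannot
be created until that session exists, and the LSA cache is written by Windows
itself and only read by third parties such as KfW."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class LogonOrderError(RuntimeError):
    """A credential store was used before the thing it depends on existed."""


@dataclass
class Ticket:
    client: str   # e.g. alice@EXAMPLE.ORG (constructed realm)
    service: str  # krbtgt/REALM@REALM for a TGT, or a service principal


@dataclass
class LogonSession:
    user: str
    kfw_cache: Optional[List[Ticket]] = None  # lives in session memory only


@dataclass
class Machine:
    """Constructed stand-in for the parts of a Windows workstation involved."""
    afs_tokens: Dict[str, Ticket] = field(default_factory=dict)  # AFS Client Service, per local user
    lsa_cache: Dict[str, Ticket] = field(default_factory=dict)   # LSA Kerberos cache
    sessions: Dict[str, LogonSession] = field(default_factory=dict)


def kinit(user: str, password: str, realm: str) -> Ticket:
    """Model of the AS exchange; any non-empty password is accepted (toy assumption)."""
    if not password:
        raise PermissionError("preauthentication failed")
    return Ticket(client=f"{user}@{realm}", service=f"krbtgt/{realm}@{realm}")


def get_service_ticket(tgt: Ticket, service: str) -> Ticket:
    """Model of the TGS exchange."""
    return Ticket(client=tgt.client, service=service)


def afslogon_provider(machine: Machine, user: str, password: str, realm: str) -> None:
    """Steps (1)-(4) of the Network Provider as modeled: no Logon Session is needed."""
    tgt = kinit(user, password, realm)                                  # (1) kinit for a TGT
    afs_ticket = get_service_ticket(tgt, f"afs/example.cell@{realm}")  # (2) AFS service ticket (constructed cell)
    token = afs_ticket                                                  # (3) token derived from the ticket
    machine.afs_tokens[user] = token                                    # (4) bound to the local user


def kfw_provider(machine: Machine, user: str, password: str, realm: str) -> None:
    """Hypothetical provider that tries to place a TGT in a KfW memory cache."""
    tgt = kinit(user, password, realm)
    session = machine.sessions.get(user)
    if session is None:
        raise LogonOrderError("KfW cache needs a Logon Session, which does not exist yet")
    session.kfw_cache = [tgt]


def load_profile_from_afs(machine: Machine, user: str) -> str:
    """Windows reading the profile out of AFS needs the AFS token to exist first."""
    if user not in machine.afs_tokens:
        raise LogonOrderError("profile read attempted before AFS token was present")
    return f"profile:{user}"


def windows_logon(machine: Machine, user: str, password: str, realm: str, provider) -> LogonSession:
    """Order of events in the model: provider runs, profile is read, then the session is created."""
    provider(machine, user, password, realm)
    load_profile_from_afs(machine, user)
    machine.sessions[user] = LogonSession(user)
    return machine.sessions[user]


def provider_outcome(provider) -> str:
    """Run one provider through a fresh machine and report what happened."""
    try:
        windows_logon(Machine(), "alice", "s3cret", "EXAMPLE.ORG", provider)
        return "ok"
    except LogonOrderError as exc:
        return f"LogonOrderError: {exc}"


def kfw_read_lsa(machine: Machine, user: str) -> Ticket:
    """KfW reading the LSA cache from inside an existing Logon Session."""
    if user not in machine.sessions:
        raise LogonOrderError("no Logon Session")
    return machine.lsa_cache[user]


def native_kerberos_logon(machine: Machine, user: str, password: str, realm: str) -> Ticket:
    """Windows authenticating to the KDC itself: the TGT lands in the LSA cache,
    and KfW can read it there once the session exists (no KfW memory cache needed)."""
    tgt = kinit(user, password, realm)
    machine.lsa_cache[user] = tgt          # only Windows writes this store in the model
    machine.sessions[user] = LogonSession(user)
    return kfw_read_lsa(machine, user)


if __name__ == "__main__":
    print("afslogon-style provider:", provider_outcome(afslogon_provider))
    print("KfW-cache provider:     ", provider_outcome(kfw_provider))
    print("LSA route TGT:          ", native_kerberos_logon(Machine(), "alice", "s3cret", "EXAMPLE.ORG"))
```

The model encodes the two dependencies that matter: the profile read depends on the AFS token, and the KfW cache depends on the Logon Session, so any provider that needs the session cannot run before the profile is loaded. The `native_kerberos_logon` path shows the alternative the message ends with, where the ticket is written by the OS into the LSA cache and only read by KfW.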
