Kerberos Deployment
Jeffrey Altman
jaltman at gmail.com
Wed May 17 18:26:40 EDT 2006
Paul:
I'm sorry you having issues with KFW 3.0. A number of issues were
discovered after its release that are negatively affecting sites. The
NetIDMgr was a major architectural change and several rough edges were
found that required reworking. Kerberos 4 ticket acquisition and
renewal is one of those areas.
Krb4 can be disabled for all identities by default by setting :
HKLM\Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred\Parameters
"Krb4NewCreds"=dword:00000000
However, KfW 3.0 doesn't check this value when renewing credentials.
This will be fixed in 3.1. (The changes are already in the krb5 source
tree.)
The krb4 plug-in can be disabled entirely with this registry setting:
HKLM\Software\MIT\NetIDMgr\PluginManager\Modules\MITKrb4
"Flags"=dword:00000400
Both of these keys can be set in the MSI when deploying 3.0 via a MSI
transform.
Jeffrey Altman
(Thanks to Asanka Herath for researching this information.)
More information about the Kerberos
mailing list