KfW 3.1 accessing credentials cache from Windows Service

petesea@bigfoot.com petesea at bigfoot.com
Sat Feb 17 02:13:10 EST 2007


Are there any special circumstances to be aware of for a Windows Service 
to access a credentials cache which was created outside the context of the 
service?

I have a user running an application as a Windows Service.  The service 
eventually calls a cvs command which accesses the repository via ssh using 
gssapi-with-mic authentication.

The credentials cache needs to be created/renewed automatically; therefore 
we will be calling kinit with a keytab/principal... probably with a 
specific cache defined via KRB5CCNAME.

There is no hook into the application service to call kinit so it must be 
called external to the service.

   - Can the service be started using the "Local System account" or must it 
be started as a specific user?

   - If KRB5CCNAME is defined as a "System Variable", will the service and 
some other scheduled process be able to access the SAME credentials cache?

   - Does it matter what TYPE of credentials cache (API, FILE)?

   - If KRB5CCNAME is NOT defined... in other words both the service and 
automated kinit will use the default value, will that make any difference?


