Best Practice: Location of Kerberos Configuration Files for use with Vista and Server 2008
Jeffrey Altman
jaltman at secure-endpoints.com
Sat Jan 26 17:10:54 EST 2008
Due to the increased security provided by Vista and Server 2008 and the
directory shadowing provided by the Wow64 environment, it is no longer
acceptable to store application configuration files in either \WINDOWS
or \Program Files directory trees.
The proper location to store such files is under the \ProgramData
directory on the boot disk. For MIT Kerberos the proper path to the
krb5.ini file should therefore be c:\ProgramData\MIT\Kerberos\krb5.ini.
This can be configured by defining the environment variable KRB5_CONFIG
to point at that path. The Kerberos v4 configuration files use the
KRB4_CONFIG environment variable to point not at the file but at the
directory containing the file.
For backward compatibility with previous releases of Windows, the
\ProgramData directory is a link to "\Documents and Settings\All
Users\Application Data\". Hence, it is possible to move the default
location of the configuration files to "%SystemDrive%\Documents and
Settings\All Users\Application Data\MIT\Kerberos\" on all supported
platforms.
Until a future release of KFW incorporates this change, Secure Endpoints
recommends that users and organizations move their configuration files
and set the system environment as follows (assuming %SystemDrive% is "C:"):
KRB5_CONFIG=C:\Documents and Settings\All Users\Application Data\MIT\Kerberos\krb5.conf
KRB4_CONFIG=C:\Documents and Settings\All Users\Application Data\MIT\Kerberos
Note that "krb5.ini" has been renamed to "krb5.conf" as on UNIX for two
reasons. First, .ini files are treated specially by Windows and the
format of the Kerberos 5 profile file is not a Windows INI file.
Secondly, using the same name as on UNIX permits easier maintenance and
documentation when managing deployments for heterogeneous environments.
Jeffrey Altman
Secure Endpoints Inc.
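
An added example, not part of the original post or of KFW: a PowerShell script that applies the layout recommended above from an elevated session. The `$OldKrb5Ini` parameter and its default are assumptions (point it at wherever the existing krb5.ini lives); the script copies only the Kerberos 5 file and leaves any Kerberos v4 files to be copied into the same directory by hand.

```powershell
# Added example: apply the configuration layout recommended in the post.
# Run elevated; setting Machine-level variables requires administrator rights.
param(
    # Assumption: location of the existing file. Adjust for your installation.
    [string]$OldKrb5Ini = "$env:SystemRoot\krb5.ini"
)

$ErrorActionPreference = 'Stop'

# Directory from the post. On Vista / Server 2008 this path resolves to
# \ProgramData\MIT\Kerberos through the backward-compatibility links.
$configDir = "$env:SystemDrive\Documents and Settings\All Users\Application Data\MIT\Kerberos"
$krb5Conf  = Join-Path $configDir 'krb5.conf'

if (-not (Test-Path -LiteralPath $configDir)) {
    New-Item -ItemType Directory -Path $configDir -Force | Out-Null
}

# Copy instead of move so the old file stays in place until the new
# location has been verified; never overwrite an existing krb5.conf.
if (-not (Test-Path -LiteralPath $krb5Conf)) {
    Copy-Item -LiteralPath $OldKrb5Ini -Destination $krb5Conf
}

# System environment: KRB5_CONFIG names the file itself,
# KRB4_CONFIG names the directory that contains the v4 files.
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $krb5Conf,  'Machine')
[Environment]::SetEnvironmentVariable('KRB4_CONFIG', $configDir, 'Machine')

# Read back the values that newly started processes will inherit.
'KRB5_CONFIG', 'KRB4_CONFIG' | ForEach-Object {
    '{0}={1}' -f $_, [Environment]::GetEnvironmentVariable($_, 'Machine')
}
```

Processes that are already running keep their old environment, so restart Kerberos-aware applications (or log off and on) before removing the original file.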