Best Practice: Location of Kerberos Configuration Files for use with Vista and Server 2008

Jeffrey Altman jaltman at secure-endpoints.com
Sat Jan 26 17:10:54 EST 2008


Due to the increased security provided by Vista and Server 2008 and the 
directory shadowing provided by the Wow64 environment, it is no longer 
acceptable to store application configuration files in either \WINDOWS 
or \Program Files directory trees. 

The proper location to store such files is under the \ProgramData 
directory on the boot disk.  For MIT Kerberos the proper path to the 
krb5.ini file should therefore be c:\ProgramData\MIT\Kerberos\krb5.ini.  
This can be configured by defining the environment variable KRB5_CONFIG 
to point at that path.  The Kerberos v4 configuration files use the 
KRB4_CONFIG environment variable to point not at the file but at the 
directory containing the file.

For backward compatibility with previous releases of Windows, the 
\ProgramData directory is a link to "\Documents and Settings\All 
Users\Application Data\".  Hence, it is possible to move the default 
location of the configuration files to "%SystemDrive%\Documents and 
Settings\All Users\Application Data\MIT\Kerberos\" on all supported 
platforms.

Until a future release of KFW incorporates this change, Secure Endpoints 
recommends that users and organizations move their configuration files 
and set the system environment as follows (assuming %SystemDrive% is "C:"):

  KRB5_CONFIG=C:\Documents and Settings\All Users\Application Data\MIT\Kerberos\krb5.conf
  KRB4_CONFIG=C:\Documents and Settings\All Users\Application Data\MIT\Kerberos

Note that "krb5.ini" has been renamed to "krb5.conf" as on UNIX for two 
reasons.  First, .ini files are treated specially by Windows and the 
format of the Kerberos 5 profile file is not a Windows INI file.  
Secondly, using the same name as on UNIX permits easier maintenance and 
documentation when managing deployments for heterogeneous environments.

Jeffrey Altman
Secure Endpoints Inc.
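
The relocation recommended in the message above, as an added PowerShell example that is not part of the original post or of KFW. It assumes the existing files currently sit in %WINDIR% and that the Kerberos v4 files are named krb.con and krbrealm.con; adjust $sourceDir and the file list to match the installation. Run it from an elevated prompt.

```powershell
# Added example: copy the Kerberos configuration to the shared data
# directory and point KFW at it through machine-wide environment variables.
$ErrorActionPreference = 'Stop'

# Assumption: the current configuration files live in %WINDIR%.
$sourceDir = $env:WINDIR
$targetDir = "$env:SystemDrive\Documents and Settings\All Users\Application Data\MIT\Kerberos"
$krb5Conf  = Join-Path $targetDir 'krb5.conf'

New-Item -ItemType Directory -Path $targetDir -Force | Out-Null

# krb5.ini becomes krb5.conf in the new location. An existing target file
# is never overwritten, so the script is safe to re-run.
$oldKrb5 = Join-Path $sourceDir 'krb5.ini'
if ((Test-Path -LiteralPath $oldKrb5) -and -not (Test-Path -LiteralPath $krb5Conf)) {
    Copy-Item -LiteralPath $oldKrb5 -Destination $krb5Conf
}

# Kerberos v4 files keep their names (assumed: krb.con, krbrealm.con);
# KRB4_CONFIG names the directory that holds them, not a file.
foreach ($name in 'krb.con', 'krbrealm.con') {
    $old = Join-Path $sourceDir $name
    $new = Join-Path $targetDir $name
    if ((Test-Path -LiteralPath $old) -and -not (Test-Path -LiteralPath $new)) {
        Copy-Item -LiteralPath $old -Destination $new
    }
}

# 'Machine' scope writes the system environment, so every user and service
# started afterwards sees the same values.
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $krb5Conf, 'Machine')
[Environment]::SetEnvironmentVariable('KRB4_CONFIG', $targetDir, 'Machine')

# Read the values back and confirm each one points at something that exists.
foreach ($var in 'KRB5_CONFIG', 'KRB4_CONFIG') {
    $value = [Environment]::GetEnvironmentVariable($var, 'Machine')
    '{0} = {1} (exists: {2})' -f $var, $value, (Test-Path -LiteralPath $value)
}
```

The script copies rather than moves, so the old files can be deleted by hand once Kerberos clients are confirmed to read the new location. Processes that were already running keep their old environment until they are restarted.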


 