Best Practice: Location of Kerberos Configuration Files for use with Vista and Server 2008
Jeffrey Altman
jaltman at secure-endpoints.com
Sun Jan 27 12:21:12 EST 2008
Danny Mayer wrote:
> Jeffrey Altman wrote:
>> Due to the increased security provided by Vista and Server 2008 and
>> the directory shadowing provided by the Wow64 environment, it is no
>> longer acceptable to store application configuration files in either
>> \WINDOWS or \Program Files directory trees.
>> The proper location to store such files is under the \ProgramData
>> directory on the boot disk. For MIT Kerberos the proper path to the
>> krb5.ini file should therefore be
>> c:\ProgramData\MIT\Kerberos\krb5.ini. This can be configured by
>> defining the environment variable KRB5_CONFIG to point at that path.
>> The Kerberos v4 configuration files use the KRB4_CONFIG environment
>> variable to point not at the file but at the directory containing the
>> file.
>
> Jeff, it would be better if this were done in the registry rather than
> an environmental variable. This is especially important with services
> unless you go in and define a system environmental variable.
>
> Danny
I agree, but KFW 3.2.2 provides no method by which the registry can be
used to set this information. Therefore, I have no choice but to
recommend that the environment variable be used.
Jeffrey Altman
Secure Endpoints Inc.
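
Added example, not part of the original thread and not KFW code: one way to apply the recommendation in PowerShell, setting KRB5_CONFIG and KRB4_CONFIG at machine scope so that services see them as system environment variables. The legacy krb5.ini location under %WINDIR%, the choice to keep the Kerberos v4 files in the same directory, and the ACL report at the end are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: relocate krb5.ini under \ProgramData and point KFW at it.

$configDir  = Join-Path $env:ProgramData 'MIT\Kerberos'   # path from the message above
$configFile = Join-Path $configDir 'krb5.ini'
$legacyFile = Join-Path $env:windir 'krb5.ini'            # assumed old location

# Create the directory tree if it does not exist yet.
New-Item -ItemType Directory -Path $configDir -Force | Out-Null

# Copy (not move) an existing file so the old location still works until
# every consumer has picked up the new environment variable.
if (-not (Test-Path $configFile) -and (Test-Path $legacyFile)) {
    Copy-Item -Path $legacyFile -Destination $configFile
}

# 'Machine' scope writes a system environment variable, which is what
# services need. Processes that are already running keep their old
# environment until they are restarted.
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $configFile, 'Machine')

# KRB4_CONFIG names the directory, not the file (assumption: the v4 files
# live in the same directory).
[Environment]::SetEnvironmentVariable('KRB4_CONFIG', $configDir, 'Machine')

# Report allow-ACEs that let anyone other than SYSTEM or Administrators
# create or modify files here; krb5.ini decides which KDCs clients talk to.
# ACEs expressed as generic rights are not decoded by this check.
$trusted = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators
$write   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

$acl = Get-Acl -Path $configDir
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        (($_.FileSystemRights -band $write) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Any rows printed by the last pipeline are principals that can write into the configuration directory and are worth reviewing before relying on the file.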