Best Practice: Location of Kerberos Configuration Files for use with Vista and Server 2008

Jeffrey Altman jaltman at secure-endpoints.com
Sun Jan 27 12:21:12 EST 2008


Danny Mayer wrote:
> Jeffrey Altman wrote:
>> Due to the increased security provided by Vista and Server 2008 and 
>> the directory shadowing provided by the Wow64 environment, it is no 
>> longer acceptable to store application configuration files in either 
>> \WINDOWS or \Program Files directory trees.
>> The proper location to store such files is under the \ProgramData 
>> directory on the boot disk.  For MIT Kerberos the proper path to the 
>> krb5.ini file should therefore be 
>> c:\ProgramData\MIT\Kerberos\krb5.ini.  This can be configured by 
>> defining the environment variable KRB5_CONFIG to point at that path.  
>> The Kerberos v4 configuration files use the KRB4_CONFIG environment 
>> variable to point not at the file but at the directory containing the 
>> file.
>
> Jeff, it would be better if this were done in the registry rather than 
> an environmental variable. This is especially important with services 
> unless you go in and define a system environmental variable.
>
> Danny

I agree, but KFW 3.2.2 provides no method by which the registry can be 
used to set this information.  Therefore, I have no choice but to 
recommend that the environment variable be used.

Jeffrey Altman
Secure Endpoints Inc.
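
The setup discussed in this thread, as an added PowerShell example that is not part of the original messages or of KFW: it sets the variables at machine scope so that services see them too, then lists non-administrative accounts that can modify the configuration directory. Placing the Kerberos v4 files in the same directory and trusting only Administrators and SYSTEM as writers are assumptions of this example.

```powershell
# Added example; run from an elevated prompt.
# Path taken from the message above: c:\ProgramData\MIT\Kerberos\krb5.ini
$dir = Join-Path $env:ProgramData 'MIT\Kerberos'
$ini = Join-Path $dir 'krb5.ini'

New-Item -ItemType Directory -Path $dir -Force | Out-Null
if (-not (Test-Path -LiteralPath $ini)) {
    Write-Warning "$ini does not exist yet; copy your krb5.ini there."
}

# 'Machine' scope writes the system environment, so services started
# afterwards inherit the value as well as interactive users.
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $ini, 'Machine')

# KRB4_CONFIG names the directory holding the v4 files, not a file.
# Assumption: the v4 files are kept in the same directory.
[Environment]::SetEnvironmentVariable('KRB4_CONFIG', $dir, 'Machine')

# krb5.ini decides which KDCs a client talks to, so check who can change it.
# Assumption: only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
# should hold write-type rights on the directory.
$trusted   = 'S-1-5-32-544', 'S-1-5-18'
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

$risky = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    }

if ($risky) {
    Write-Warning "Accounts other than Administrators/SYSTEM can modify ${dir}:"
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "No unexpected write access on $dir"
}

# Show what a newly started process will see.
[Environment]::GetEnvironmentVariable('KRB5_CONFIG', 'Machine')
[Environment]::GetEnvironmentVariable('KRB4_CONFIG', 'Machine')
```

Processes that are already running keep their old environment, so restart the affected services after setting the variables.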