KfW 4.x (was Re: Windows KDC - Delegation Option)

Benjamin Kaduk kaduk at MIT.EDU
Sat Apr 26 15:37:35 EDT 2014


Hi Ben,

On Fri, 25 Apr 2014, Ben H wrote:

> That's interesting - thank you.  I was able to actually validate what you
> stated by installing MIT Kerberos on my Window system and then configuring
> Putty's GSSAPI option to use the MIT GSSAPI libraries as preference.
> My first attempt with kfw-4.0.1 was unsuccessful and I suspect it has to do
> with how 4.01 integrates into the Windows LSA cache - I didn't seem able to
> separate my Windows tickets from the MIT ones (init/destroy in one location
> reflected in the other).  I suspect I may have been able to find a way to
> configure it, but 4.01 seems very turnkey and I couldn't quickly find some
> way to customize this behavior.

The intention behind the KfW 4.0 GUI is that people using it would only be 
using the API: credentials cache type, and would probably not be 
interacting with the native Windows LSA cache (the MSLSA: cache type as 
exposed by KfW).  As such, the GUI does not offer a way to change what 
cache will be used for new tickets obtained using the GUI; they will be 
placed into the default cache.  Since the API cache is collection-enabled, 
it is possible to have credentials for multiple principals present, and 
they will be displayed in the ticket list.  Since the LSA cache only 
supports having one identity at a time, if the default cache is MSLSA:, 
the new ticket will overwrite any preexisting ones.

I'm not sure how your system ended up in a state where the MSLSA: cache 
was the default (there is a registry key to control this), but using the 
KfW-provided kinit.exe and klist.exe can help understand what's going 
on: klist AA will show what cache type is in use, and "kinit -c API: 
<principal>" will create an API: cache, viewable from the GUI, which can 
be made default therein.

We have had a couple of reports that the lack of visibility into the 
default cache type can be confusing, and the upcoming 4.1 release should 
include some functionality to help in this situation.  I haven't decided 
what exactly that will look like, though -- do you have a preference among 
(1) another checkbox/display column for the cache name, (2) an option for 
cache type in the "get ticket" window, (3) a warning when new tickets will 
use the LSA cache, or (4) something else?

We really do appreciate getting feedback about the KfW 4.0 series.

Thanks,

Ben
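As an added illustration of the check described in the message above (not code from the post or from MIT's KfW), the following PowerShell script runs the KfW-provided klist.exe, looks at which cache it reports as the default, and only if that cache is the single-identity MSLSA: cache runs the KfW kinit.exe with "-c API:" so that the new ticket lands in an API: cache instead of overwriting the Windows logon identity. The KfW install path, the klist output line that names the cache ("Ticket cache:" or "Default principal:"), and the principal name are assumptions; adjust them for the local installation.

```powershell
# Assumed install location of KfW 4.x; Windows ships its own klist.exe in
# System32, so the KfW binaries are invoked by full path to avoid ambiguity.
$KfwBin = 'C:\Program Files\MIT\Kerberos\bin'   # placeholder, adjust locally
$Klist  = Join-Path $KfwBin 'klist.exe'
$Kinit  = Join-Path $KfwBin 'kinit.exe'

function Get-DefaultCacheType {
    # Parses KfW klist output and returns the cache type prefix of the
    # default cache ("API", "MSLSA", ...) or $null if no cache is reported.
    # Assumption: klist prints a line such as "Ticket cache: API:user@EXAMPLE.ORG".
    $lines = & $Klist 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*Ticket cache:\s*([A-Za-z]+):') {
            return $Matches[1].ToUpper()
        }
    }
    return $null
}

function Ensure-ApiCache {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'user@EXAMPLE.ORG'

    $cacheType = Get-DefaultCacheType
    switch ($cacheType) {
        'API' {
            # Collection-enabled cache: a new ticket will not displace others.
            Write-Host "Default cache is API:; kinit via the GUI or CLI is safe."
            return $true
        }
        'MSLSA' {
            # Single-identity LSA cache: a plain kinit would overwrite the
            # Windows logon ticket, so request the ticket into an API: cache,
            # which the KfW GUI can display and mark as default.
            Write-Warning "Default cache is MSLSA:; obtaining ticket into API: cache."
            & $Kinit -c "API:$Principal" $Principal
            return ($LASTEXITCODE -eq 0)
        }
        default {
            Write-Warning "Could not determine default cache type from klist output."
            return $false
        }
    }
}

# Example invocation (principal is a placeholder):
# Ensure-ApiCache -Principal 'user@EXAMPLE.ORG'
```

After running this, the KfW GUI should list the new API: cache in its ticket view, and the default cache can then be changed there; re-running the KfW klist.exe confirms which cache is now reported.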
