Feedback on KfW 4.0.1 Ticket Manager app

Jeffrey Altman jaltman at secure-endpoints.com
Thu Jul 3 00:18:07 EDT 2014


On 7/2/2014 1:03 PM, Dave Botsch wrote:
> Also, being able to auto obtain AFS tokens as a side effect of getting
> Kerberos tickets would be really useful. Users have a hard time
> distinguishing Kerberos Tickets from AFS Tokens, and so users need one
> app that does both at the click of a single button.

The reason that Network Identity Manager replaced Leash32 (now Ticket
Manager) in KFW 3.x was due to the desire to support the acquisition of
AFS tokens (or other credentials like kx509 short-lived certificates) as
a side effect of TGT acquisition. It is not reasonable for KFW to have
built-in AFS token support because that requires a dependency on OpenAFS
whereas OpenAFS has a dependency on KFW.

The solution was to create a credential management framework that was
credential-type agnostic which relied on a combination of identity
provider DLLs and credential provider DLLs. These DLLs can be developed
independently and combined at run-time, thereby enabling the various
development organizations to maintain their own independent release
schedules and providing third parties the ability to enhance the
end-user functionality without requiring MIT or OpenAFS or OpenSSL to be
involved in the generation of new provider DLLs.

Jeffrey Altman




