kfw-4.1 is released

Tom Yu tlyu at mit.edu
Fri Jul 1 17:09:59 EDT 2016


The MIT Kerberos Team is happy to announce the availability of the
kfw-4.1 release. The KfW 4.1 series of releases is based on the MIT krb5
1.13 series of releases, modernizing the support relative to the KfW 4.0
series, which was based on the MIT krb5 1.10 series.

KfW 4.1 is distributed as a Windows Installer MSI file, with both 64-bit
and 32-bit installers available. The MSI installer has been digitally
signed by MIT.

KfW is supported on Windows Vista (SP2 required), Windows 7, Windows 8,
Windows Server 2003, and Windows Server 2008.

MIT Kerberos for Windows 4.1 is now available for download from

         http://web.mit.edu/kerberos/dist/index.html

More information about the kfw-4.1 release is at:

        http://web.mit.edu/kerberos/kfw-4.1/kfw-4.1.html

The main MIT Kerberos web page is

         http://web.mit.edu/kerberos/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak. Just as
the Unix krb5 releases have had measures to encourage sites to migrate
away from single-DES cryptosystems since the krb5 1.7 release, KfW 4.1
has a configuration variable that enables "weak" enctypes, defaulting to
"false".

Major changes in 4.1
=====================
These changes may also be found at

    http://web.mit.edu/kerberos/kfw-4.1/kfw-4.1.html

Developer experience:

* KfW now uses the UI compiler uicc.exe, to support the transition from the MFC
  ribbon to a native Windows ribbon. The uicc.exe found in Visual Studio 2010
  is insufficient; Service Pack 1 is required.

Administrator experience:

* The default realm for KfW can be set in the registry; this setting takes
  precedence over the default realm set in krb5.ini.

End-user experience:

* ms2mit.exe behavior has changed to improve the MSLSA: cache experience
  for UAC-restricted login sessions on an AD domain that runs ms2mit.exe
  in login scripts:

  - If the TGT is accessible in the LSA ccache, copy the LSA ccache to
    the API ccache.

  - Set the registry key for the default ccname to "API:" if the copy
    occurred, or to "MSLSA:" if it didn't occur.

* The support for the MSLSA: cache type has been greatly improved, making
  better use of the native LSA operations. This should improve the user
  experience at elevated UAC levels.

* The Ribbon interface has been switched from the MFC to the native
  implementation, improving accessibility for screen-reading software.

* Registry entries are set for the KdcNames of certain Kerberos realms; such
  entries are needed for the LSA to retrieve tickets from non-AD realms.

* A message is displayed on successful password change.

* Updates from the 1.11, 1.12, and 1.13 krb5 release notes are also applicable
  here.
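
Added example, not part of the announcement or of the KfW code base: a small audit of a krb5.ini for settings that bring single-DES back, relating to the "DES transition" section. It assumes the "weak enctypes" variable is `allow_weak_crypto` in `[libdefaults]`, as in MIT krb5's krb5.conf (the announcement does not name it); the sample file contents are constructed.

```python
import re

# Single-DES enctype names and the "des" family alias accepted by MIT krb5.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
TRUE_VALUES = {"true", "yes", "y", "t", "1", "on"}

def parse_libdefaults(text):
    """Return {key: value} for relations in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_weak_crypto(text):
    """List findings that re-enable or request single-DES."""
    cfg = parse_libdefaults(text)
    findings = []
    if cfg.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled")
    for key in sorted(ENCTYPE_KEYS & cfg.keys()):
        # Lists are split on whitespace/commas; a leading "-" removes an
        # enctype from the list, so it is not reported as a finding.
        names = [n.lower() for n in re.split(r"[\s,]+", cfg[key]) if n]
        weak = [n for n in names if n.lstrip("+") in SINGLE_DES]
        if weak:
            findings.append(f"{key} lists single-DES: {', '.join(weak)}")
    return findings

# Constructed sample krb5.ini contents, not taken from any real site.
SAMPLE_WEAK = """[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts des-cbc-crc
[realms]
    EXAMPLE.ORG = { kdc = kdc.example.org }
"""
SAMPLE_DEFAULT = "[libdefaults]\n    default_realm = EXAMPLE.ORG\n"
if __name__ == "__main__":
    print("\n".join(audit_weak_crypto(SAMPLE_WEAK)))
```

An empty result means the file leaves the default ("false") in place and names no single-DES enctype in its `[libdefaults]` enctype lists.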

