Windows Auto-auth

Marc Reyhner marc at
Fri Jan 17 00:03:01 EST 2003

The Stanford Kerberos client currently does the approach of using a
network provider dll and then creating a script to run on session
startup containing the username/password of the user in the command line
arguments.  It's a horrible idea from a security perspective (don't
blame me it wasn't my idea :-) ) since getting command line arguments is
trivial if you are an admin.  Windows doesn't think the scripts contain
sensitive information so I don't think it does anything really to
protect the scripts and wipe memory.  The only redeeming point of this
approach is I don't think you can get the password without being an
admin.  The way you are working on sounds like a lot better approach
since you can protect the password better.  Ideally I'd like to see a
system service like the LSA which would centrally manage the tickets so
impersonation worked correctly and system services could read/write the
ticket cache.


-----Original Message-----
From: Ben Creech [mailto:bpcreech at] 
Sent: Wednesday, January 15, 2003 8:35 PM
To: krbdev at
Subject: Windows Auto-auth

Has anyone worked on auto-auth on Windows recently?  I'm just wondering
what experiences other people have had with this.  Specifically, the
kind of auto-auth to which I'm referring grabs the Windows login
password and uses it to grab a Kerberos tgt and various sgt's (most
importantly for AFS).  This way users have the access they need as soon
as the machine finishes logging in, providing a sort of "single

Currently I'm working on a project that uses a network provider dll and
a Windows service to hold tickets until the user has a desktop in which
for krbcc32s.exe to reside.  

Formerly, NCSU had a custom gina, but it was a pain to support, partly 
because it had to also implement the functionality of the NetWare gina, 
partly because it was written in NT4 days when (from what I understand)
Microsoft was changing the gina specs frequently, and partly because
things can go horribly wrong when the gina screws up.

Again, I'm just wondering if anyone else is working on or has
implemented some manner of Windows auto-auth (preferably one that
doesn't get the tickets from an AD server and ms2mit them).

More information about the krbdev mailing list