KfW 2.6 vs Windows 2003 Server: question to the community

Jeffrey Altman jaltman at columbia.edu
Mon Jan 19 22:27:50 EST 2004



Douglas E. Engert wrote:

>Jeffrey Altman wrote:
>
>>I would agree except that if you set the ccache to "MSLSA:" then you
>>do not need to perform an importation in order to use the logon
>>credentials.
>>
>
>Well, can one always use the MSLSA: as the cache? Or are there some 
>situations where this can not be done, and the only way
>around is to get the TGT key.   
>
The MSLSA: ccache is read-only.  Therefore, you can use it as long
as you want to use the principal associated with the logon session.
What you cannot do as long as you have set Leash to use the MSLSA:
ccache is to change principals mid-session.

In KfW 3.0 I hope to have UI support for multiple login identities
of which one would be chosen as the default.  In the meantime,
performing the copy of the credentials from MSLSA: to the default
API:krb5cc is probably the best way to go.

>It sounds like 2003 is trying to improve the security by not allowing
>the TGT key to be handed out to applications. Is there any way to 
>treat leash or ms2mit as more trusted than other applications? 
>(Should they be more trusted?) 
>
An interesting question is "should MIT Kerberos do the
same thing?"  Should we allow the TGT session key to only
be accessible within the Kerberos libraries?  If so, and
if we were to enforce that restriction, then we might make
the argument that MIT Kerberos should be trusted.  But then
how would MIT Kerberos prove its identity to the LSA to
allow it access to the contents of the TGT session key?

Jeffrey Altman
