KfW 2.6 vs Windows 2003 Server: question to the community

Paul B. Hill pbh at MIT.EDU
Tue Jan 20 09:44:19 EST 2004

>The question is:  Should the Kerberos for Windows installer set this 
>parameter as part of the installation procedure on Windows 20003?
>if you set the ccache to "MSLSA:" then you do not need to perform an
>importation in order to use the logon credentials.

It sounds like there are two questions:

1) What should the default ccache type be?
2) If the default ccache is not MSLSA, should the registry on Win2k3 be
modified so that ms2mit and Leash can import the TGT and its session key?

I would like the installer to have separate properties so that either
setting can be controlled via a transform. This will give customers the most
flexibility without resorting to creating their own installer or local code
for distribution. 

I don't feel that I am up to speed on all of the potential compatibility
issues that might arise if the default ccache type were MSLSA. In the best
case I believe that the MSLSA ccache type would not work on any pre-windows
2000 OS (i.e. NT 4, 98, ME). I note that MS recently announced an extension
of the deadline for desupport of some of these operating systems to sometime
in 2006. Are there any application compatibility issues on Win2k, XP, and
Win2k3 that should also be considered?

Regarding the registry key on Win2k3, I expect that some future SP or hotfix
might back-port this functionality to XP and possibly Win2k, if that hasn't
already happened. 

Looking at my own local distribution requirements, I would not want the
installer to set the default ccache type to MSLSA before the end of June
2004, but I would want ms2mit and Leash32 to continue to function on post
Win2k systems by default during this same time frame. 


More information about the krbdev mailing list