KfW 2.6 vs Windows 2003 Server: question to the community

Paul B. Hill pbh at MIT.EDU
Tue Jan 20 11:53:49 EST 2004

Hi Jeff,

Thanks for the clarification. 

I still feel that the installer should be able to define the two settings,
via an MSI property so that a transform can be used by customer sites to get
the desired behavior. I think that having the installer support the registry
key setting is a higher priority than the ccache type.

I would generally prefer that installers not override the default behavior
of the vendor's configuration unnecessarily. However, I think that so many
users of KfW will expect that the tgt will be successfully imported, the
default behavior should make the registry change. I think this will result in
fewer complaints and/or requests for assistance.


-----Original Message-----
From: krbdev-bounces at MIT.EDU [mailto:krbdev-bounces at MIT.EDU] On Behalf Of
Jeffrey Altman
Sent: Tuesday, January 20, 2004 10:23 AM
To: krbdev at mit.edu
Subject: Re: KfW 2.6 vs Windows 2003 Server: question to the community

I do not believe that setting the default ccache to MSLSA: is an option
for 99% of KfW users.   MSLSA: is only an option when the current
logon session is Kerberos authenticated.  MSLSA: is read-only.  Therefore,
if you set the default to MSLSA: then Leash (or other kinit tools) cannot
obtain credentials and store them in the ccache.

I have at least checked XP SP2 and it does not alter the behavior of
the Kerberos LSA with regards to obtaining session keys.

Jeffrey Altman

Paul B. Hill wrote:

>>The question is:  Should the Kerberos for Windows installer set this 
>>parameter as part of the installation procedure on Windows 2003?
>>if you set the ccache to "MSLSA:" then you do not need to perform an
>>importation in order to use the logon credentials.
>It sounds like there are two questions:
>1) What should the default ccache type be?
>2) If the default ccache is not MSLSA, should the registry on Win2k3 be
>modified so that ms2mit and Leash can import the TGT and its session key?