KfW 2.6 vs Windows 2003 Server: question to the community
Paul B. Hill
pbh at MIT.EDU
Tue Jan 20 11:53:49 EST 2004
Thanks for the clarification.
I still feel that the installer should be able to define the two settings,
via an MSI property so that a transform can be used by customer sites to get
the desired behavior. I think that having the installer support the registry
key setting is a higher priority than the ccache type.
I would generally prefer that installers not override the default behavior
of the vendor's configuration unnecessarily. However, I think that so many
users of KfW will expect that the tgt will be successfully imported, the
default behavior should make the registry change. I think this will reslt in
fewer complaints and/or requests for assistance.
From: krbdev-bounces at MIT.EDU [mailto:krbdev-bounces at MIT.EDU] On Behalf Of
Sent: Tuesday, January 20, 2004 10:23 AM
To: krbdev at mit.edu
Subject: Re: KfW 2.6 vs Windows 2003 Server: question to the community
I do not believe that setting the default ccache to MSLSA: is an option
for 99% of KfW users. MSLSA: is only an option when the current
logon session is Kerberos authenticated. MSLSA: is read-only. Therefore,
if you set the default to MSLSA: then Leash (or other kinit tools) cannot
obtain credentials and store them in the ccache.
I have at least checked XP SP2 and it does not alter the behavior of
the Kerberos LSA with regards to obtaining session keys.
Paul B. Hill wrote:
>>The question is: Should the Kerberos for Windows installer set this
>>parameter as part of the installation procedure on Windows 20003?
>>if you set the ccache to "MSLSA:" then you do not need to perform an
>>importation in order to use the logon credentials.
>It sounds like there are two questions:
>1) What should the default ccache type be?
>2) If the default ccache is not MSLSA, should the registry on Win2k3 be
>modified so that ms2mit and Leash can import the TGT and its session key?
krbdev mailing list krbdev at mit.edu
More information about the krbdev