KfW 2.6 vs Windows 2003 Server: question to the community

Jeffrey Altman jaltman at columbia.edu
Wed Jan 21 10:32:53 EST 2004


response in-line:

Sam Hartman wrote:

>>>>>>"Jeffrey" == Jeffrey Altman <jaltman at columbia.edu> writes:
>>>>>>
>
>    Jeffrey> The question is: Should the Kerberos for Windows
>    Jeffrey> installer set this parameter as part of the installation
>    Jeffrey> procedure on Windows 2003?
>
>Yes, by default I think this key should be set by the installer.  I
>believe that the installer SDK should make this behavior optional but
>I believe we should not expose the option of whether to change this
>registry key to the user in the installer we provide.  I suspect that
>installer probably already has enough options.
>
As of the Beta 3 build (not yet shipping) the keys used for
Win2003 and Win XP SP2 will be set.  The installer will have
an option for building without these keys but I am not
activating it.

>    Jeffrey> If it is not set, should
>    Jeffrey> ms2mit.exe and Leash generate an error instead of
>    Jeffrey> performing the ticket importation?
>
>Do you still get session keys for non-TGTs?  If so, then the ccache
>implementation should allow importing these tickets but not TGTs.
>
Session keys are provided for all tickets which are not TGTs.

You are therefore suggesting that if the session key type
is NULL, then the MSLSA ccache should behave as if the ticket
did not exist. 

>Leash should not generate an error for automatic ticket imports.
>
Certainly not for automatic imports, but what about when the
user manually imports tickets?

I believe that if the session keys for TGTs cannot be obtained
that the "import" function should be disabled just as it is
if the current Windows logon session is not authenticated with
Kerberos.

Do you concur?

Jeffrey Altman


