KFW and Vista

Jeffrey Altman jaltman at secure-endpoints.com
Tue Nov 21 13:36:29 EST 2006

As I get ready to start working on KFW 3.2 which has as one of its goals
better Vista compatibility and 64-bit support, there are several issues
that will need to be addressed.  I want to document them here so that
they won't be a surprise and so that others can provide input.

(1) configuration files such a krb5.ini, krb.con, krbrealm.con etc.
    can no longer remain in %WinDir% nor can they be placed into
    \Program Files\MIT\Kerberos

    These locations will be virtualized for processes that are not run
    with Administrative privileges or for processes running within the
    WOW64 environment.  Instead, Microsoft is recommending that
    system wide application configuration files be placed into the
    "All User\Application Data\<Company>\<Application>" directory which
    will be accessible to all processes.

(2) Any operations that require administrative privileges to be
    performed will need to be broken out into a separate process space
    which will have to obtain administrative privileges via a secure
    desktop interaction (if the user has the appropriate privileges.)
    This will be an issue for NetIDMgr plug-ins such as the AFS plug-in
    which permits the AFS service to be started or stopped.  It will
    also be an issue for any Kerberos configuration panel that wants
    to modify the Local Machine portion of the registry.  For example,
    to allow capaths or domain to realm mappings to be configured for

    The recommended method for adding administrative operations is via
    the use of administrative COM objects.

(3) The WinLogon Event Handlers (and GINA) are no longer supported.
    This means the recently added Network Provider will not be able
    to function in its current mode.  The temporary work around is
    going to be to use a Logon Script to auto-start NetIDMgr to perform
    the tasks that are presently handled via the WinLogon Logon Event.

(4) In order to build with the new MSLSA functionality that was added
    to Vista for use with KFW, the Kerberos libraries must be compiled
    with the Windows Vista SDK.  There is also a need to use the
    Vista SDK for applications that require administrative privileges.
    There are several new symbols and functions that will be required
    to implement them. This is going to be a problem in several regards.

    (a) The Windows Vista SDK does not support Windows 2000.

    (b) The Windows Vista SDK does not support Visual Studio .NET 2003

    (c) Visual Studio 2005 does not build the existing CCAPI

These issues are going to be common for both KFW and OpenAFS.  I am
considering a direction which involves treating Vista as a new operating
system platform and providing a separate set of installers that work on
Vista but not previous OSs and modifying the existing installers for
2000, XP, 2003 to refuse to install on Vista once the Vista specific
installers are available.

This would mean producing separate builds with the VS.NET 2003 compiler
for older OSs and VS2005 builds for Vista.


Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20061121/0f39fd24/attachment.bin

More information about the krbdev mailing list