KFW and Vista
jaltman at secure-endpoints.com
Tue Nov 21 13:36:29 EST 2006
As I get ready to start working on KFW 3.2 which has as one of its goals
better Vista compatibility and 64-bit support, there are several issues
that will need to be addressed. I want to document them here so that
they won't be a surprise and so that others can provide input.
(1) configuration files such a krb5.ini, krb.con, krbrealm.con etc.
can no longer remain in %WinDir% nor can they be placed into
These locations will be virtualized for processes that are not run
with Administrative privileges or for processes running within the
WOW64 environment. Instead, Microsoft is recommending that
system wide application configuration files be placed into the
"All User\Application Data\<Company>\<Application>" directory which
will be accessible to all processes.
(2) Any operations that require administrative privileges to be
performed will need to be broken out into a separate process space
which will have to obtain administrative privileges via a secure
desktop interaction (if the user has the appropriate privileges.)
This will be an issue for NetIDMgr plug-ins such as the AFS plug-in
which permits the AFS service to be started or stopped. It will
also be an issue for any Kerberos configuration panel that wants
to modify the Local Machine portion of the registry. For example,
to allow capaths or domain to realm mappings to be configured for
The recommended method for adding administrative operations is via
the use of administrative COM objects.
(3) The WinLogon Event Handlers (and GINA) are no longer supported.
This means the recently added Network Provider will not be able
to function in its current mode. The temporary work around is
going to be to use a Logon Script to auto-start NetIDMgr to perform
the tasks that are presently handled via the WinLogon Logon Event.
(4) In order to build with the new MSLSA functionality that was added
to Vista for use with KFW, the Kerberos libraries must be compiled
with the Windows Vista SDK. There is also a need to use the
Vista SDK for applications that require administrative privileges.
There are several new symbols and functions that will be required
to implement them. This is going to be a problem in several regards.
(a) The Windows Vista SDK does not support Windows 2000.
(b) The Windows Vista SDK does not support Visual Studio .NET 2003
(c) Visual Studio 2005 does not build the existing CCAPI
These issues are going to be common for both KFW and OpenAFS. I am
considering a direction which involves treating Vista as a new operating
system platform and providing a separate set of installers that work on
Vista but not previous OSs and modifying the existing installers for
2000, XP, 2003 to refuse to install on Vista once the Vista specific
installers are available.
This would mean producing separate builds with the VS.NET 2003 compiler
for older OSs and VS2005 builds for Vista.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20061121/0f39fd24/attachment.bin
More information about the krbdev