KFW and Vista

Jeffrey Altman jaltman at secure-endpoints.com
Wed Nov 22 18:10:14 EST 2006


Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> 
>     Jeffrey> (1) configuration files such as krb5.ini, krb.con,
>     Jeffrey> krbrealm.con etc.  can no longer remain in %WinDir% nor
>     Jeffrey> can they be placed into \Program Files\MIT\Kerberos
> 
>     Jeffrey>     These locations will be virtualized for processes
>     Jeffrey> that are not run with Administrative privileges or for
>     Jeffrey> processes running within the WOW64 environment.  Instead,
>     Jeffrey> Microsoft is recommending that system wide application
>     Jeffrey> configuration files be placed into the "All
>     Jeffrey> User\Application Data\<Company>\<Application>" directory
>     Jeffrey> which will be accessible to all processes.
> 
> What do you mean by virtualized?

Microsoft's use of the word "virtualized" here means that the
application doesn't see the real directory.  Whenever one of the
protected directories (or registry values) is accessed, the application
is given a per user location to access instead.

>     Jeffrey> (4) In order to build with the new MSLSA functionality
>     Jeffrey> that was added to Vista for use with KFW, the Kerberos
>     Jeffrey> libraries must be compiled with the Windows Vista SDK.
>     Jeffrey> There is also a need to use the Vista SDK for
>     Jeffrey> applications that require administrative privileges.
>     Jeffrey> There are several new symbols and functions that will be
>     Jeffrey> required to implement them. This is going to be a problem
>     Jeffrey> in several regards.
> 
>     Jeffrey>     (a) The Windows Vista SDK does not support Windows
>     Jeffrey> 2000.
> 
> If I was going to produce two installers, I'd produce one for W2K and
> one for everything newer.  At that point though I'd ask whether we
> have a requirement to support W2k.

If we build for XP then we don't get to use any of the new features of
Vista that are specific to Vista.

As for whether or not Windows 2000 needs to be supported, there are
still some large organizations that I am aware of that standardized on
Windows 2000 and did not adopt XP.  The differences between the two were
not considered significant enough.  Up until this past summer it was
still possible to order new computers with Windows 2000 as an install
option.  So I don't think it is reasonable to stop supporting it.
The differences between 2000 and XP are not so large that there is
anything to be gained by refusing to support it provided that we want to
support XP.

Jeffrey Altman
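
The following is an added example, not part of the original message or of KFW: a PowerShell check that reports whether the current user has a virtualized copy of any of the configuration files named above and whether it differs from the real file in the protected directory. It assumes Vista's file virtualization redirects to `%LOCALAPPDATA%\VirtualStore`, and it uses `MIT\Kerberos` as a stand-in for `<Company>\<Application>` under the all-users application data directory.

```powershell
# Added example: locate per-user virtualized copies of the Kerberos config files.
# Assumption: redirected files live under %LOCALAPPDATA%\VirtualStore.
# Assumption: 'MIT\Kerberos' stands in for <Company>\<Application>.

$names = 'krb5.ini', 'krb.con', 'krbrealm.con'

# Protected locations named in the message.
$protected = @(
    $env:WinDir
    (Join-Path $env:ProgramFiles 'MIT\Kerberos')
)

$virtualStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$commonRoot   = [Environment]::GetFolderPath('CommonApplicationData')
$commonDir    = Join-Path $commonRoot 'MIT\Kerberos'

function Get-VirtualizedPath {
    param([string]$RealPath, [string]$StoreRoot)
    # Strip the drive root ("C:\") and re-root the remainder under the store.
    $relative = $RealPath.Substring([IO.Path]::GetPathRoot($RealPath).Length)
    Join-Path $StoreRoot $relative
}

function Get-HashOrNull {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$report = foreach ($dir in $protected) {
    foreach ($name in $names) {
        $real       = Join-Path $dir $name
        $shadow     = Get-VirtualizedPath -RealPath $real -StoreRoot $virtualStore
        $realHash   = Get-HashOrNull $real
        $shadowHash = Get-HashOrNull $shadow
        if ($realHash -or $shadowHash) {
            [pscustomobject]@{
                File          = $name
                RealPath      = $real
                ShadowPath    = $shadow
                ShadowPresent = [bool]$shadowHash
                # True when the user's view is not the file in the real directory.
                Differs       = ($shadowHash -and $shadowHash -ne $realHash)
                SharedTarget  = Join-Path $commonDir $name
            }
        }
    }
}
$report | Format-List
```

Run it as the non-administrative user in question: the VirtualStore is per user, so an elevated session sees only its own account's copies.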
