KFW and Vista

Sam Hartman hartmans at MIT.EDU
Thu Nov 23 07:11:44 EST 2006

>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:

    Jeffrey> Sam Hartman wrote:
    >>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com>
    >>>>>>> writes:
    Jeffrey> (1) configuration files such a krb5.ini, krb.con,
    Jeffrey> krbrealm.con etc.  can no longer remain in %WinDir% nor
    Jeffrey> can they be placed into \Program Files\MIT\Kerberos
    Jeffrey> These locations will be virtualized for processes that
    Jeffrey> are not run with Administrative privileges or for
    Jeffrey> processes running within the WOW64 environment.  Instead,
    Jeffrey> Microsoft is recommending that system wide application
    Jeffrey> configuration files be placed into the "All
    Jeffrey> User\Application Data\<Company>\<Application>" directory
    Jeffrey> which will be accessible to all processes.
    >>  What do you mean by virtualized.

    Jeffrey> Microsoft's use of the word "virtualized" here means that
    Jeffrey> the application doesn't see the real directory.  Whenever
    Jeffrey> one of the protected directories (or registry values) is
    Jeffrey> accessed, the application is given a per user location to
    Jeffrey> access instead.

Why isn't this what we want?

    Jeffrey> (4) In order to build with the new MSLSA functionality
    Jeffrey> that was added to Vista for use with KFW, the Kerberos
    Jeffrey> libraries must be compiled with the Windows Vista SDK.
    Jeffrey> There is also a need to use the Vista SDK for
    Jeffrey> applications that require administrative privileges.
    Jeffrey> There are several new symbols and functions that will be
    Jeffrey> required to implement them. This is going to be a problem
    Jeffrey> in several regards.
    Jeffrey> (a) The Windows Vista SDK does not support Windows 2000.
    >>  If I was going to produce two installers, I'd produce one for
    >> W2K and one for everything newer.  At that point though I'd ask
    >> whether we have a requirement to support W2k.

    Jeffrey> If we build for XP then we don't get to use any of the
    Jeffrey> new features of Vista that specific to Vista.

I don't understand why that's true.  We can use the Vista SDK to build
for XP, right?  And only use features if they are present on the
current system.  Don't we do this already for some MSLSA extensions?


More information about the krbdev mailing list