KFW and Vista
hartmans at MIT.EDU
Thu Nov 23 07:11:44 EST 2006
>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
Jeffrey> Sam Hartman wrote:
>>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com>
Jeffrey> (1) configuration files such as krb5.ini, krb.con,
Jeffrey> krbrealm.con etc. can no longer remain in %WinDir% nor
Jeffrey> can they be placed into \Program Files\MIT\Kerberos.
Jeffrey> These locations will be virtualized for processes that
Jeffrey> are not run with Administrative privileges or for
Jeffrey> processes running within the WOW64 environment. Instead,
Jeffrey> Microsoft is recommending that system wide application
Jeffrey> configuration files be placed into the "All
Jeffrey> User\Application Data\<Company>\<Application>" directory
Jeffrey> which will be accessible to all processes.
>> What do you mean by virtualized?
Jeffrey> Microsoft's use of the word "virtualized" here means that
Jeffrey> the application doesn't see the real directory. Whenever
Jeffrey> one of the protected directories (or registry values) is
Jeffrey> accessed, the application is given a per user location to
Jeffrey> access instead.
Why isn't this what we want?
Jeffrey> (4) In order to build with the new MSLSA functionality
Jeffrey> that was added to Vista for use with KFW, the Kerberos
Jeffrey> libraries must be compiled with the Windows Vista SDK.
Jeffrey> There is also a need to use the Vista SDK for
Jeffrey> applications that require administrative privileges.
Jeffrey> There are several new symbols and functions that will be
Jeffrey> required to implement them. This is going to be a problem
Jeffrey> in several regards.
Jeffrey> (a) The Windows Vista SDK does not support Windows 2000.
>> If I was going to produce two installers, I'd produce one for
>> W2K and one for everything newer. At that point though I'd ask
>> whether we have a requirement to support W2k.
Jeffrey> If we build for XP then we don't get to use any of the
Jeffrey> new features of Vista that are specific to Vista.
I don't understand why that's true. We can use the Vista SDK to build
for XP, right? And only use features if they are present on the
current system. Don't we do this already for some MSLSA extensions?