How do I use KfW kinit.exe with respect to the Windows credentials cache?

Matthew M. DeLoera mdeloera at
Tue Jul 28 21:12:00 EDT 2009

Thanks for all the responses. Apologies for not promptly responding.

I see that my idea isn't supported.

I think the complication lies in supporting multiple principals. We have 
a security product that implements a list of 
servers/usernames/passwords, and stores them in a locally encrypted 
file. Our client is available for Windows, Linux, and MacOS.

I'm implementing our KRB and LDAP integration. Naturally, the primary 
thought is Active Directory integration. I'm trying to keep things open 
for more generic KRB and LDAP integration.

In Windows, SSPI gives me an easy path to just push the existing 
username/password/realm that we store in a locally-encrypted file. In a 
KRB-enabled environment I'd like to not have to manage passwords, 
because it seems to violate fundamentals. I don't want to integrate 
directly with MIT KRB, in case we're releasing a DEB for Ubuntu where 
heimdal has already been installed. MacOS is nice enough to pop up a GUI 
dialog that interfaces with their keyring facility. Neither Linux nor 
Windows have that functionality right now.

Of course, this deviates from the fundamental idea of only 
authenticating with a single identity. We're trying to support that 
perhaps you log on to your workstation as a non-admin user, but you 
authenticate to our software as an admin user.

I guess it would be nice if there were integration in KfW with the MS 
credential cache, so that a user could install KfW, kinit as 
appropriate, and then SSPI would be able to reference those credentials, 
so that I wouldn't have to maintain passwords. Ideally, some kind of 
keyring functionality. Similar for Linux.

I'm not an expert on these things, and I don't want to violate any 
fundamental understanding that's really in the best interest. Though, if 
not offensive, I'd love to see the MacOS behavior supported in Windows 
and Linux.

So, I guess this is really a discussion thread. For what it's worth.

- Matthew DeLoera

>> KFW credential caches cannot be used from Microsoft Kerberos SSP
>> applications.
> I thought there was a registry setting to allow that?
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list