How do I use KfW kinit.exe with respect to the Windows credentials cache?
Matthew M. DeLoera
mdeloera at exacq.com
Tue Jul 28 21:12:00 EDT 2009
Thanks for all the responses. Apologies for not promptly responding.
I see that my idea isn't supported.
I think the complication lies in supporting multiple principals. We have
a security product that implements a list of
servers/usernames/passwords, and stores them in a locally encrypted
file. Our client is available for Windows, Linux, and MacOS.
I'm implementing our KRB and LDAP integration. Naturally, the primary
thought is Active Directory integration. I'm trying to keep things open
for more generic KRB and LDAP integration.
In Windows, SSPI gives me an easy path to just push the existing
username/password/realm that we store in a locally-encrypted file. In a
KRB-enabled environment I'd like to not have to manage passwords,
because it seems to violate fundamentals. I don't want to integrate
directly with MIT KRB, in case we're releasing a DEB for Ubuntu where
Heimdal has already been installed. MacOS is nice enough to pop up a GUI
dialog that interfaces with their keyring facility. Neither Linux nor
Windows has that functionality right now.
Of course, this deviates from the fundamental idea of only
authenticating with a single identity. We're trying to support that
perhaps you log on to your workstation as a non-admin user, but you
authenticate to our software as an admin user.
I guess it would be nice if there were integration in KfW with the MS
credential cache, so that a user could install KfW, kinit as
appropriate, and then SSPI would be able to reference those credentials,
so that I wouldn't have to maintain passwords. Ideally, some kind of
keyring functionality. Similar for Linux.
I'm not an expert on these things, and I don't want to violate any
fundamental understanding that's really in the best interest. Though, if
not offensive, I'd love to see the MacOS behavior supported in Windows.
So, I guess this is really a discussion thread. For what it's worth.
- Matthew DeLoera
>> KFW credential caches cannot be used from Microsoft Kerberos SSP
> I thought there was a registry setting to allow that?
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
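The question in the quoted exchange (whether a registry setting lets the two caches be shared) is worth checking directly. What the setting actually governs is the opposite direction from what the post asks for: it lets KfW read the LSA cache, not the Microsoft SSP read KfW's cache. The script below is an added example, not code from the original thread or from the KfW project. It assumes MIT KfW is installed under the path in `$kfwBin`, that the shell is elevated when writing the registry, and that the Windows-native `klist.exe` is present (Vista/2008 and later); the function names are my own.

```powershell
# Added example (not from the original post). Shows the LSA (SSPI) cache and the
# KfW cache side by side and checks the AllowTgtSessionKey setting that controls
# whether the LSA exports the TGT session key to KfW's MSLSA: ccache.

$kfwBin  = 'C:\Program Files\MIT\Kerberos\bin'   # assumed KfW install path
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TgtSessionKeyExportAllowed {
    # Returns $true when the LSA will hand the TGT session key to user-mode
    # callers (KfW's MSLSA: cache). Absent or 0 means KfW can list the TGT
    # but cannot use it to request further service tickets.
    $v = Get-ItemProperty -Path $regPath -Name AllowTgtSessionKey -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $false }
    return ([int]$v.AllowTgtSessionKey) -eq 1
}

function Enable-TgtSessionKeyExport {
    # Requires an elevated shell. Applies to TGTs obtained after the change,
    # so purge and re-acquire the TGT (klist purge / log off and on) afterwards.
    New-ItemProperty -Path $regPath -Name AllowTgtSessionKey -PropertyType DWord -Value 1 -Force | Out-Null
}

if (-not (Get-TgtSessionKeyExportAllowed)) {
    Write-Host 'AllowTgtSessionKey is not set; KfW will see the LSA TGT without its session key.'
    # Uncomment in an elevated shell to change it:
    # Enable-TgtSessionKeyExport
}

# 1. Tickets held by the Windows Kerberos SSP (what SSPI-based code will use).
& "$env:SystemRoot\System32\klist.exe"

# 2. The same LSA cache as seen by KfW through its MSLSA: ccache type.
& "$kfwBin\klist.exe" -c MSLSA:

# 3. KfW's own default cache, populated by KfW kinit. Nothing here is
#    visible to SSPI, which is the limitation discussed in the thread.
& "$kfwBin\klist.exe"
```

If the third listing shows tickets that the first does not, that is the one-way relationship in practice: a KfW `kinit` never populates the LSA cache, so SSPI callers cannot use it, while KfW can consume the LSA's TGT once `AllowTgtSessionKey` is set.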