How do I use KfW kinit.exe with respect to the Windows credentials cache?

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jul 29 09:19:23 EDT 2009


Matthew M. DeLoera wrote:
> Thanks for all the responses. Apologies for not promptly responding.
> 
> I see that my idea isn't supported.
> 
> I think the complication lies in supporting multiple principals. We have 
> a security product that implements a list of 
> servers/usernames/passwords, and stores them in a locally encrypted 
> file. Our client is available for Windows, Linux, and MacOS.

Microsoft has a strong desire to protect all security keys within the
kernel.  As a result they do not want third-party credential managers
caching passwords.  Microsoft provides the CredMan API for storing
identities and associated secrets.  The API is much more functional on
Vista and Win7 than on XP.  Of course, its adoption is significantly
limited by the fact that 86% of deployed machines in enterprise
environments are still XP.  (Quoting a recent article on CNET.)

> I'm implementing our KRB and LDAP integration. Naturally, the primary 
> thought is Active Directory integration. I'm trying to keep things open 
> for more generic KRB and LDAP integration.
> 
> In Windows, SSPI gives me an easy path to just push the existing 
> username/password/realm that we store in a locally-encrypted file. In a 
> KRB-enabled environment I'd like to not have to manage passwords, 
> because it seems to violate fundamentals. I don't want to integrate 
> directly with MIT KRB, in case we're releasing a DEB for Ubuntu where 
> heimdal has already been installed. MacOS is nice enough to pop up a GUI 
> dialog that interfaces with their keyring facility. Neither Linux nor 
> Windows has that functionality right now.

There is no need to integrate with MIT Kerberos.  If the credentials are
available in the LSA, then MIT Kerberos can make use of them.

> Of course, this deviates from the fundamental idea of only 
> authenticating with a single identity. We're trying to support that 
> perhaps you log on to your workstation as a non-admin user, but you 
> authenticate to our software as an admin user.

Microsoft has one identity per logon session.  If you want to use a
second identity from the same desktop, start a new session using the new
identity.

> I guess it would be nice if there were integration in KfW with the MS 
> credential cache, so that a user could install KfW, kinit as 
> appropriate, and then SSPI would be able to reference those credentials, 
> so that I wouldn't have to maintain passwords. Ideally, some kind of 
> keyring functionality. Similar for Linux.

kinit is not the tool that you want to be using on Windows.  It is
specific to the MIT Kerberos libraries.  You want to use the
Microsoft-provided APIs.

Jeffrey Altman
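As an added illustration of the advice above (this is not code from the thread or from KfW), the following PowerShell does the poster's "KRB and LDAP integration" against Active Directory the way the reply recommends: it binds over LDAP with Kerberos through SSPI, using the LSA credentials of the current logon session, so the application never stores or handles a password. The DC name and base DN are placeholders.

```powershell
# Added example, not from the original thread.  Assumes a domain-joined
# Windows host and a reachable DC; the server name and base DN are
# placeholders to be replaced.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc01.example.com'     # placeholder DC
$baseDn = 'DC=example,DC=com'    # placeholder base DN

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)

# Weak pattern the poster wanted to avoid: a username/password/realm kept in
# an application-managed encrypted file and pushed through SSPI on every bind.
#   $conn.Credential = New-Object System.Net.NetworkCredential($user, $pass, $realm)
#
# Recommended pattern: leave Credential unset.  SSPI then uses the Kerberos
# credentials the LSA already holds for this logon session, which is exactly
# what the reply means by "if the credentials are available in the LSA".
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Kerberos
$conn.SessionOptions.Signing = $true   # require integrity protection on the session
$conn.SessionOptions.Sealing = $true   # require confidentiality on the session

$conn.Bind()   # no NetworkCredential passed: no password in this process or on disk

# Sanity check: read the domain object's name with the identity we bound as.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn, '(objectClass=domain)',
    [System.DirectoryServices.Protocols.SearchScope]::Base, 'name')
$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
$resp.Entries[0].Attributes['name'][0]

# One identity per logon session, as the reply states: to bind as an admin
# principal instead, run this script from a logon session started as that
# principal rather than handing the admin password to the script.
```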
