|
Packit |
fd8b60 |
Building & Running Kerberos 5 on Windows
|
|
Packit |
fd8b60 |
----------------------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This file documents how to build MIT Kerberos for Windows.
|
|
Packit |
fd8b60 |
The MIT Kerberos for Windows distribution contains additional components
|
|
Packit |
fd8b60 |
not present in the Unix krb5 distribution, most notably the
|
|
Packit |
fd8b60 |
MIT Kerberos Ticket Manager application.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
To build Kerberos 5 on Windows, you will need the following:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* A version of Visual Studio (at least 2013) which includes the
|
|
Packit |
fd8b60 |
Microsoft Foundation Classes libraries. These instructions will
|
|
Packit |
fd8b60 |
work for Visual Studio 2017 Community or Professional, both of which
|
|
Packit |
fd8b60 |
include the MFC libraries if the "Visual C++ MFC" checkbox is
|
|
Packit |
fd8b60 |
selected after enabling the "Desktop development with C++" workload.
|
|
Packit |
fd8b60 |
If you do not plan to build the graphical ticket manager
|
|
Packit |
fd8b60 |
application, the MFC libraries are not required.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* A version of Perl.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* Some common Unix utilities such as sed/awk/cp/cat installed in the
|
|
Packit |
fd8b60 |
command-line path.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* To build an MSI installer, the Windows Installer XML (WiX) toolkit,
|
|
Packit |
fd8b60 |
and to ensure that the HTML Help Compiler (hhc.exe) and the WiX
|
|
Packit |
fd8b60 |
tools are in your command-line path. WiX version 3.11.1 is verified
|
|
Packit |
fd8b60 |
to work with this codebase.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A simple way to get the necessary Unix utilities is to install Git
|
|
Packit |
fd8b60 |
BASH from https://gitforwindows.org and configure it to add the Unix
|
|
Packit |
fd8b60 |
utilities to the command-line path. In some versions of Windows (not
|
|
Packit |
fd8b60 |
the most current versions), the Unix utilities can alternatively be
|
|
Packit |
fd8b60 |
obtained via the Utilities and SDK for UNIX-based Applications, which
|
|
Packit |
fd8b60 |
may be enabled as a Windows feature and then the components installed.
|
|
Packit |
fd8b60 |
Note that the Windows nmake will not find the SUA awk utility in the
|
|
Packit |
fd8b60 |
path unless it is named awk.exe; the permissions on the utility may
|
|
Packit |
fd8b60 |
need correcting if awk.exe is created as a copy of the original awk.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Git BASH contains a version of Perl, which will work to build krb5 if
|
|
Packit |
fd8b60 |
the newlines in the source tree are not translated to native newlines.
|
|
Packit |
fd8b60 |
Strawberry Perl will work regardless of whether newlines are
|
|
Packit |
fd8b60 |
translated. If both Git BASH and Strawberry Perl are installed, you
|
|
Packit |
fd8b60 |
may need to adjust the command line path to ensure that the preferred
|
|
Packit |
fd8b60 |
Perl appears first.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The krb5 source tree may be obtained either directly on the Windows
|
|
Packit |
fd8b60 |
machine with a native git client cloning the krb5 public mirror at
|
|
Packit |
fd8b60 |
https://github.com/krb5/krb5.git or on a separate (Unix) machine and
|
|
Packit |
fd8b60 |
copied over, such as from a VM host onto a Windows VM. If you are
|
|
Packit |
fd8b60 |
checking out the sources with git and are using the Git BASH Perl,
|
|
Packit |
fd8b60 |
make sure to set git's core.autocrlf variable to "input" or "false" to
|
|
Packit |
fd8b60 |
avoid translating newlines.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
After Visual Studio is installed, you should be able to invoke 32-bit
|
|
Packit |
fd8b60 |
and 64-bit command prompts via the start menu (Visual Studio 2017 ->
|
|
Packit |
fd8b60 |
x86 Native Tools Command Prompt and x64 Native Tools Command Prompt).
|
|
Packit |
fd8b60 |
At the current time, Kerberos 5 can only be built for the x64 target
|
|
Packit |
fd8b60 |
if the host platform is also 64-bit, because it compiles and runs
|
|
Packit |
fd8b60 |
programs during the build.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
IMPORTANT NOTE: By default, the sources are built with debug
|
|
Packit |
fd8b60 |
information and linked against the debug version of the Microsoft C
|
|
Packit |
fd8b60 |
Runtime library, which is not found on most Windows systems unless
|
|
Packit |
fd8b60 |
they have development tools, and requires a separate license to
|
|
Packit |
fd8b60 |
distribute. To build a release version, you need to define NODEBUG
|
|
Packit |
fd8b60 |
either in the environment or the nmake command-line. Debug
|
|
Packit |
fd8b60 |
information in the compiled binaries and libraries may be retained by
|
|
Packit |
fd8b60 |
defining DEBUG_SYMBOL in the environment or on the nmake command line.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Building the code and installer:
|
|
Packit |
fd8b60 |
-------------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
First, make sure you have sed, (g)awk, cat, and cp.
|
|
Packit |
fd8b60 |
You must also define KRB_INSTALL_DIR either in the environment or
|
|
Packit |
fd8b60 |
on the command line (for nmake install). If you are proceeding to build
|
|
Packit |
fd8b60 |
the MSI installer, this directory should be a temporary staging area in or
|
|
Packit |
fd8b60 |
near your build tree. The directory must exist before nmake install
|
|
Packit |
fd8b60 |
is run. The 64-bit installer provides 32-bit libraries, so a 32-bit build
|
|
Packit |
fd8b60 |
and install must be performed before the 64-bit build.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
To skip building the graphical ticket manager, run "set NO_LEASH=1"
|
|
Packit |
fd8b60 |
before building, and do not build the installers.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
In a 32-bit command shell:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
1) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives
|
|
Packit |
fd8b60 |
2) cd xxx\src # Go to where source lives
|
|
Packit |
fd8b60 |
3) nmake -f Makefile.in prep-windows # Create Makefile for Windows
|
|
Packit |
fd8b60 |
4) nmake [NODEBUG=1] # Build the sources
|
|
Packit |
fd8b60 |
5) nmake install [NODEBUG=1] # Copy headers, libs, executables
|
|
Packit |
fd8b60 |
6) cd windows\installer\wix # Go to where the installer source is
|
|
Packit |
fd8b60 |
7) nmake [NODEBUG=1] # Build the installer
|
|
Packit |
fd8b60 |
8) rename kfw.msi kfw32.msi # Save the 32-bit installer
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
In a 64-bit command shell:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
9) set PATH=%PATH%;"%WindowsSdkVerBinPath%"\x86 # To get uicc.exe
|
|
Packit |
fd8b60 |
10) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives
|
|
Packit |
fd8b60 |
11) cd xxx\src # Go to where source lives
|
|
Packit |
fd8b60 |
12) nmake clean # Clean up the 32-bit objects
|
|
Packit |
fd8b60 |
13) nmake [NODEBUG=1] # Build the sources for 64-bit
|
|
Packit |
fd8b60 |
14) nmake install [NODEBUG=1] # Copy 64-bit lib/executables
|
|
Packit |
fd8b60 |
15) cd windows\installer\wix # Back to the installer source
|
|
Packit |
fd8b60 |
16) nmake clean # Remove 32-bit leavings
|
|
Packit |
fd8b60 |
17) nmake [NODEBUG=1] # Build the 64-bit installer
|
|
Packit |
fd8b60 |
18) rename kfw.msi kfw64.msi # And name it usefully
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Step 9 may be skipped if uicc is already in the command-line path (try
|
|
Packit |
fd8b60 |
running "uicc" to see if you get a usage message or a not-found
|
|
Packit |
fd8b60 |
error), or if you are not building the graphical ticket manager.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Visual Studio 2013 and 2015 provide only a single command prompt.
|
|
Packit |
fd8b60 |
Within this prompt, use "vcvarsall.bat x86" and "vcvarsall.bat amd64"
|
|
Packit |
fd8b60 |
to switch to 32-bit and 64-bit mode.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Running Kerberos 5 Apps:
|
|
Packit |
fd8b60 |
-----------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Make sure you have a valid krb5.ini file.
|
|
Packit |
fd8b60 |
By default, an empty krb5.ini is installed in CSIDL_COMMON_APPDATA
|
|
Packit |
fd8b60 |
(that is, %SystemDrive%\ProgramData\MIT\Kerberos5\ on newer-than-XP).
|
|
Packit |
fd8b60 |
(ProgramData is a hidden folder.) You may need to customize it with
|
|
Packit |
fd8b60 |
settings for your site, but since DNS lookups are enabled for locating
|
|
Packit |
fd8b60 |
KDCs, many sites will not need further customization. The file format is
|
|
Packit |
fd8b60 |
identical to that of a Unix krb5.conf file.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
krb5.ini File:
|
|
Packit |
fd8b60 |
-------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
WARNING: Despite its name, this is not a Windows .ini file.
|
|
Packit |
fd8b60 |
Therefore, do not try to use any .ini tools, including the Windows API
|
|
Packit |
fd8b60 |
or any installer tools to manipulate this file. Its format is subtly
|
|
Packit |
fd8b60 |
different from Windows .ini files!
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Controlling the Kerberos 5 Run-Time Environment:
|
|
Packit |
fd8b60 |
-----------------------------------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The Kerberos 5 configuration file and credentials cache can be
|
|
Packit |
fd8b60 |
controlled with environment variables and registry settings. The
|
|
Packit |
fd8b60 |
environment variable for a particular setting always takes precedence.
|
|
Packit |
fd8b60 |
Next in precedence comes the setting in the registry under
|
|
Packit |
fd8b60 |
HKEY_CURRENT_USER\Software\MIT\Kerberos5. Then comes the registry
|
|
Packit |
fd8b60 |
setting under HKEY_LOCAL_MACHINE\Software\MIT\Kerberos5. If none of
|
|
Packit |
fd8b60 |
those are found, a default value is used.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Configuration File:
|
|
Packit |
fd8b60 |
- Environment: KRB5_CONFIG
|
|
Packit |
fd8b60 |
- Registry Value: config
|
|
Packit |
fd8b60 |
- Default: looks in the user's AppData directory, the machine's ProgramData
|
|
Packit |
fd8b60 |
directory, krb5_32.dll's dir and Windows directory
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Default Credentials Cache:
|
|
Packit |
fd8b60 |
- Environment: KRB5CCNAME
|
|
Packit |
fd8b60 |
- Registry Value: ccname
|
|
Packit |
fd8b60 |
- Default: API:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Credentials Cache:
|
|
Packit |
fd8b60 |
-----------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
In addition to standard FILE: (disk file) and MEMORY: (in-process
|
|
Packit |
fd8b60 |
non-shared memory) Windows supports the API: cache type, which is a
|
|
Packit |
fd8b60 |
shared memory cache. Kerberos for Windows also has access to an
|
|
Packit |
fd8b60 |
MSLSA: cache type, which directly accesses the Microsoft Kerberos
|
|
Packit |
fd8b60 |
Logon Session credentials cache. The MSLSA: cache is available when the
|
|
Packit |
fd8b60 |
user logon is performed using Kerberos either to an Active Directory Domain
|
|
Packit |
fd8b60 |
or a non-Microsoft KDC; the ms2mit and mit2ms utilities can also be used
|
|
Packit |
fd8b60 |
to interact with it, though there are some limitations.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
A user is able to logon to Windows using the Kerberos LSA if the machine
|
|
Packit |
fd8b60 |
is part of a Windows Active Directory domain or if the machine has been
|
|
Packit |
fd8b60 |
configured to authenticate to a non-Microsoft KDC such as MIT.
|
|
Packit |
fd8b60 |
The instructions for configuring a Windows 2000 XP workstation to
|
|
Packit |
fd8b60 |
authenticate to a non-Microsoft KDC are documented in TechNet somewhere.
|
|
Packit |
fd8b60 |
In brief:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
1. Install the Windows support tools in order to obtain KSETUP.EXE
|
|
Packit |
fd8b60 |
and KTPASS.EXE.
|
|
Packit |
fd8b60 |
2. Install the Windows Resource Kit to obtain KERBTRAY.EXE and KLIST.EXE
|
|
Packit |
fd8b60 |
3. Add Realms and associated KDCs with: *KSETUP /AddKdc <realm>
|
|
Packit |
fd8b60 |
[<kdcname>]*. If you leave off the <kdcname> DNS SRV records will
|
|
Packit |
fd8b60 |
be used.
|
|
Packit |
fd8b60 |
4. Specify the password change service host for the realm with:
|
|
Packit |
fd8b60 |
*KSETUP /AddKpasswd <realm> <Kpwdhost>*
|
|
Packit |
fd8b60 |
5. Assign the realm of the local machine with: *KSETUP /SetRealm
|
|
Packit |
fd8b60 |
<realm>* where realm must be all upper case.
|
|
Packit |
fd8b60 |
6. Assign the local machine's password with: *KSETUP
|
|
Packit |
fd8b60 |
/SetComputerPassword <Password>
|
|
Packit |
fd8b60 |
*
|
|
Packit |
fd8b60 |
7. Specify the capabilities of the Realm KDC with: *KSETUP
|
|
Packit |
fd8b60 |
/SetRealmFlags <realm> <flag> [<flag> ...]* where flags may be
|
|
Packit |
fd8b60 |
*None, SendAddress, TcpSupported, Delegate, *and *NcSupported*,
|
|
Packit |
fd8b60 |
8. Map principal names to local accounts with: *KSETUP /MapUser
|
|
Packit |
fd8b60 |
<principal> <account>*
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
On the MIT KDC, you must then create service principals using the "Password"
|
|
Packit |
fd8b60 |
assigned to the machine. So far the minimum list of principals required appear
|
|
Packit |
fd8b60 |
to be for a machine named "mymachine" in the realm "EXAMPLE.COM" with a
|
|
Packit |
fd8b60 |
domain name of "example.com":
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
* host/mymachine@EXAMPLE.COM
|
|
Packit |
fd8b60 |
* host/mymachine.example.com@EXAMPLE.COM
|
|
Packit |
fd8b60 |
* cifs/mymachine@EXAMPLE.COM
|
|
Packit |
fd8b60 |
* cifs/mymachine.example.com@EXAMPLE.COM
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
There may very well be other services for which principals must be created depending
|
|
Packit |
fd8b60 |
on what services are being executed on the machine.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It is very important to note that while you can successfully log into a Windows
|
|
Packit |
fd8b60 |
workstation by authenticating to the KDC without creating a host key; the logon
|
|
Packit |
fd8b60 |
session you receive will not be a Kerberos Logon Session. There will be no Kerberos
|
|
Packit |
fd8b60 |
principal and no LSA cache to access.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The result of a real KSETUP configuration looks like this:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
[C:\4\4NT]ksetup
|
|
Packit |
fd8b60 |
default realm = KRB5.COLUMBIA.EDU (external)
|
|
Packit |
fd8b60 |
ATHENA.MIT.EDU:
|
|
Packit |
fd8b60 |
kdc = kerberos.mit.edu
|
|
Packit |
fd8b60 |
kdc = kerberos-1.mit.edu
|
|
Packit |
fd8b60 |
kdc = kerberos-2.mit.edu
|
|
Packit |
fd8b60 |
kdc = kerberos-3.mit.edu
|
|
Packit |
fd8b60 |
Realm Flags = 0x0 none
|
|
Packit |
fd8b60 |
CC.COLUMBIA.EDU:
|
|
Packit |
fd8b60 |
kdc = kerberos.cc.columbia.edu
|
|
Packit |
fd8b60 |
Realm Flags = 0x0 none
|
|
Packit |
fd8b60 |
GRAND.CENTRAL.ORG:
|
|
Packit |
fd8b60 |
kdc = penn.central.org
|
|
Packit |
fd8b60 |
kdc = grand-opening.mit.edu
|
|
Packit |
fd8b60 |
Realm Flags = 0x0 none
|
|
Packit |
fd8b60 |
KRB5.COLUMBIA.EDU:
|
|
Packit |
fd8b60 |
kdc = yclept.kermit.columbia.edu
|
|
Packit |
fd8b60 |
Realm Flags = 0x0 none
|
|
Packit |
fd8b60 |
OPENAFS.ORG:
|
|
Packit |
fd8b60 |
kdc = virtue.openafs.org
|
|
Packit |
fd8b60 |
Realm Flags = 0x0 none
|
|
Packit |
fd8b60 |
Mapping jaltman@KRB5.COLUMBIA.EDU to jaltman.
|
|
Packit |
fd8b60 |
Mapping jaltman@CC.COLUMBIA.EDU to jaltman.
|
|
Packit |
fd8b60 |
Mapping jaltman@ATHENA.MIT.EDU to jaltman.
|
|
Packit |
fd8b60 |
Mapping all users (*) to a local account by the same name (*).
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The MSLSA: credential cache relies on the ability to extract the entire
|
|
Packit |
fd8b60 |
Kerberos ticket including the session key from the Kerberos LSA. In an
|
|
Packit |
fd8b60 |
attempt to increase security Microsoft has begun to implement a feature
|
|
Packit |
fd8b60 |
by which they no longer export the session keys for Ticket Getting Tickets.
|
|
Packit |
fd8b60 |
This has the side effect of making them useless to the MIT krb5 library
|
|
Packit |
fd8b60 |
when attempting to request additional service tickets.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This new feature has been seen in Windows 2003 Server, Windows 2000 Server SP4,
|
|
Packit |
fd8b60 |
and Windows XP SP2. We assume that it will be implemented in all future
|
|
Packit |
fd8b60 |
Microsoft operating systems supporting the Kerberos SSPI. Microsoft does work
|
|
Packit |
fd8b60 |
closely with MIT and has provided a registry key to disable this new feature.
|
|
Packit |
fd8b60 |
On server platforms the key is specified as:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
|
|
Packit |
fd8b60 |
AllowTGTSessionKey = 0x01 (DWORD)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
On workstation platforms the key is specified as:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
|
|
Packit |
fd8b60 |
AllowTGTSessionKey = 0x01 (DWORD)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The Kerberos for Windows installer automatically sets this key on installation
|
|
Packit |
fd8b60 |
and unsets it on uninstall, allowing the MSLSA: cache type to be used.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
It has been noted that the Microsoft Kerberos LSA does not provide enough
|
|
Packit |
fd8b60 |
information within its KERB_EXTERNAL_TICKET structure to properly construct
|
|
Packit |
fd8b60 |
the Client Principal simply by examining a single ticket. From the MSDN
|
|
Packit |
fd8b60 |
Library:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
ClientName
|
|
Packit |
fd8b60 |
KERB_EXTERNAL_NAME structure that contains the client name in the ticket.
|
|
Packit |
fd8b60 |
This name is relative to the current domain.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
DomainName
|
|
Packit |
fd8b60 |
UNICODE_STRING that contains the name of the domain that corresponds to
|
|
Packit |
fd8b60 |
the ServiceName member. This is the domain that issued the ticket.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
TargetDomainName
|
|
Packit |
fd8b60 |
UNICODE_STRING that contains the name of the domain in which the ticket is
|
|
Packit |
fd8b60 |
valid. For an interdomain ticket, this is the destination domain.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
AltTargetDomainName
|
|
Packit |
fd8b60 |
UNICODE_STRING that contains a synonym for the destination domain. Every
|
|
Packit |
fd8b60 |
domain has two names: a DNS name and a NetBIOS name. If the name returned
|
|
Packit |
fd8b60 |
in the ticket is different from the name used to request the ticket (the
|
|
Packit |
fd8b60 |
Kerberos Key Distribution Center (KDC) may do name mapping), this string
|
|
Packit |
fd8b60 |
contains the original name.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Unfortunately, there is no field here which contains the domain of the client.
|
|
Packit |
fd8b60 |
In order for the krb5_ccache to properly report the client principal name, the
|
|
Packit |
fd8b60 |
client principal name is constructed by utilizing the ClientName and DomainName
|
|
Packit |
fd8b60 |
fields of the Initial TGT associated with the Kerberos LSA credential cache.
|
|
Packit |
fd8b60 |
To disable the use of the TGT info and instead simply use the "DomainName" field
|
|
Packit |
fd8b60 |
of the current ticket define one of the following registry keys depending on
|
|
Packit |
fd8b60 |
whether the change should be system global or just for the current user.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
HKLM\Software\MIT\Kerberos5\
|
|
Packit |
fd8b60 |
PreserveInitialTicketIdentity = 0x0 (DWORD)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
HKCU\Software\MIT\Kerberos5\
|
|
Packit |
fd8b60 |
PreserveInitialTicketIdentity = 0x0 (DWORD)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
GSSAPI Sample Client:
|
|
Packit |
fd8b60 |
---------------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
The GSS API Sample Client provided in this distribution is compatible with the
|
|
Packit |
fd8b60 |
gss-server application built on Unix/Linux systems. This client is not compatible
|
|
Packit |
fd8b60 |
with the Platform SDK/Samples/Security/SSPI/GSS/ samples which Microsoft has been
|
|
Packit |
fd8b60 |
shipping as of January 2004. Revised versions of these samples are available upon
|
|
Packit |
fd8b60 |
request to krbdev@mit.edu.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
More Information:
|
|
Packit |
fd8b60 |
----------------
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
For more information, please read the Kerberos 5 documentation in
|
|
Packit |
fd8b60 |
the doc directory of the distribution.
|