Kerberos for Windows

MSI Deployment Guide

----------------------------------------------------------------------

Contents

1. Introduction
1.1 Requirements
1.2 Authoring a Transform
2. Configuration Options
2.1 Configurable Properties
2.1.1 Setting Properties
2.1.2 Leash GUI Properties
2.1.3 Leash DLL Properties
2.1.4 Kerberos IV Properties
2.1.5 Kerberos V Properties
2.2 Existing Registry Entries
2.3 Replacing Configuration Files
3. Network Identity Manager Settings
3.1 Common Settings for NetIDMgr
3.1.1 General Settings
3.1.2 Common Plug-in Settings
3.1.3 Settings for the Kerberos 5 Credentials Provider Plug-in
3.1.4 Settings for the Kerberos 4 Credentials Provider Plug-in
4. Additional Resources
5. Upgrades
6. FAQ

----------------------------------------------------------------------

1. Introduction

Beginning with "Kerberos for Windows" version 2.6.5, an MSI installer
option is available for those who wish to use "Windows Installer"
for installing Kerberos and for organizations that wish to deploy
Kerberos through Group Policy.

This document provides a guide for authoring transforms used to
customize the MSI package for a particular organization. Although
many settings can be deployed via transforms, in an Active
Directory environment it is advisable to deploy registry settings
and configuration files through group policy and/or startup
scripts so that machines where "Kerberos for Windows" is already
installed will pick up these customizations.

1.1 Requirements

The information in this document applies to MSI packages
distributed with "Kerberos for Windows" releases from 2.6.5
onwards or MSI packages built from the corresponding source
releases. Not all releases support all the configuration options
documented here.

Authoring a "Windows Installer" transform requires additional
software for editing the MSI database tables and generating the
transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE,
which are included in the Windows Platform SDK ("Windows Installer"
SDK), can be used for this purpose.

For reference, the schema for the MSI package is based on
SCHEMA.MSI distributed with the Platform SDK.

For general information about "Windows Installer", refer to:

http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp

For general information about authoring MSI transforms, refer to:

http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp

The remainder of this document assumes some familiarity with
authoring transforms. While the MSDN documentation for Windows
Installer is a bit dense, it is recommended that you read through
the guide on MSI transforms found at the second link above. MSDN
also includes a step-by-step example for creating a transform at:

http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp

1.2 Authoring a Transform

Transforms describe a set of modifications to be performed on an
existing MSI for the purpose of customizing it. This is
ordinarily done by making a copy of the MSI to be customized,
modifying the copy and then using the old and the new MSI to
generate a transform.

E.g.:

  > copy kfw.msi kfw-modified.msi

  (edit kfw-modified.msi to include the necessary changes)

  > msitran -g kfw.msi kfw-modified.msi kfw-transform.mst

  (generates kfw-transform.mst, which is the transform)

Transforms have an extension of .mst. 'msitran' is a tool
distributed as part of the "Windows Installer" SDK (which in turn is
a part of the Windows Platform SDK).

You can test a transform by:

  > copy kfw.msi kfw-test.msi
  > msitran -a kfw-transform.mst kfw-test.msi

and then checking the resulting kfw-test.msi to see if all the
changes you made above to kfw-modified.msi are present in
kfw-test.msi. 'msitran' will complain if some modification in the
transform cannot be successfully applied.

As mentioned above, you can use a tool like ORCA.EXE to edit the
MSI databases directly when editing kfw-modified.msi. More
details are given below.

----------------------------------------------------------------------

2. Configuration Options

The logic necessary to implement all of the settings described in
the release notes is present in the MSI. Most of these can be
controlled by setting the corresponding properties to the desired
value. Some settings may require modifying existing registry
entries (though this is not recommended) or adding new resources
(like files or registry keys). Instructions for performing these
tasks are below.

2.1 Configurable Properties

Most configurable properties correspond to registry keys or
values. Please refer to the release notes for more information
about how these registry settings are used.

Because logic is invoked based on the existence of these registry
keys or values, they are only set if the associated property is
defined to have a non-null value. If the associated property is
not defined in the MSI, the registry key or value will not be
touched. By default, the MSI does not contain these properties
and hence will not set the registry keys. You will need to add
properties as needed to the MSI.

When one of the configurable properties is set, the installer will
use the property value to set the corresponding setting in the
HKEY_LOCAL_MACHINE registry hive. The HKEY_CURRENT_USER hive is not
touched by the installer.

For each property, the associated registry setting is referenced
by the same text used in the release notes ('Registry and
Environment Settings' section).

Strings are quoted using single quotes (e.g. 'a string'). An empty
string is denoted as ''. Note that you can't author null values
into the 'Property' table.

Numeric values should be authored as decimal strings.

2.1.1 Setting Properties

In order to set a property:

  a. Open the MSI in ORCA.EXE.

  b. Select the 'Property' table from the list of tables on the left.

  c. Find the property in the list of properties on the right,
     double-click the value and type the new value.

  d. If the property does not exist in the property list, right-
     click the list and select 'Add Row', then type the property
     name and the desired value.

2.1.2 Leash GUI properties

LEASHCREATEMISSINGCONFIG
  Setting: automatic generation of missing configuration files
  Values : '0' or '1'

LEASHAUTORENEWTICKETS
  Setting: automatic ticket renewal
  Values : '0' or '1'

LEASHMSLSAIMPORT
  Setting: automatic importation of MSLSA credentials
  Values : '0', '1' or '2'

2.1.3 Leash32 DLL properties

LEASHLIFETIME
  Setting: default lifetime (minutes)
  Values : numeric

LEASHRENEWTILL
  Setting: default renew till time (minutes)
  Values : numeric

LEASHRENEWABLE
  Setting: default renewable tickets setting
  Values : '0' or '1'

LEASHFORWARDABLE
  Setting: default forwardable tickets setting
  Values : '0' or '1'

LEASHNOADDRESSES
  Setting: default addressless tickets setting
  Values : '0' or '1'

LEASHPROXIABLE
  Setting: default proxiable tickets setting
  Values : '0' or '1'

LEASHPUBLICIP
  Setting: default public IPv4 address
  Values : numeric

LEASHHIDEKINITOPTIONS
  Setting: hide advanced kinit options in dialog
  Values : '0' or '1'

LEASHLIFEMIN
  Setting: minimum kinit dialog lifetime
  Values : numeric

LEASHLIFEMAX
  Setting: maximum kinit dialog lifetime
  Values : numeric

LEASHRENEWMIN
  Setting: minimum kinit dialog renew till time
  Values : numeric

LEASHRENEWMAX
  Setting: maximum kinit dialog renew till time
  Values : numeric

LEASHUPPERCASEREALM
  Setting: upper case realm
  Values : '0' or '1'

LEASHTIMEHOST
  Setting: timesync host
  Values : string

LEASHPRESERVEKINITOPTIONS
  Setting: preserve ticket initialization dialog options
  Values : numeric

2.1.4 Kerberos 5 properties

KRB5CONFIG
  Setting: location of krb5.ini
  Values : string

KRB5CCNAME
  Setting: default credentials cache name
  Values : string

KRB5PRESERVEIDENTITY
  Setting: MSLSA: credential cache client principal identity generation
  Values : '0' or '1'

2.2 Existing Registry Entries

You can change existing registry values subject to the
restrictions mentioned in the Windows Platform SDK. Pay special
attention to component keypaths and try to only change the 'Value'
column in the 'Registry' table. If you want to add additional
registry keys please refer to section 3 (Additional Resources).

2.3 Replacing Configuration Files

The Kerberos configuration files (krb5.ini, krb.con, krbrealm.con)
can be replaced by your own configuration files. These files are
contained in separate MSI components so that you can disable them
individually.

The recommended method for replacing these files is to first
disable the components containing the configuration files that you
want to replace, and then add new components for the replacement
files. This is outlined below (assuming you are using ORCA.EXE to
author the transform).

Note that transforms are not a good way to add a new file as an
embedded stream. The method outlined here places the file in the
same directory as the MSI for deployment.

The walkthrough below adds a custom 'krb5.ini' file.

1) Disable the component that contains the configuration file that
   you want to replace.

   1.1) Locate and select the 'Component' table in the 'Tables'
        list.

   1.2) In the Component table, locate the component you need to
        change (Ctrl-F invokes the 'Find' dialog). The component
        names are listed below in section 2.3.1. For this
        example, the component name is 'cmf_krb5_ini'.

   1.3) Go to the 'Condition' column of the component.

   1.4) Enter a condition that evaluates to false, e.g.
        'DONOTINSTALL'. (Note that an undefined property always
        evaluates to false.)

   Note that you can also use this step to disable other
   configuration files without providing replacements.

2) Add a new component containing the new configuration file.

   2.1) Select the 'Component' table in the 'Tables' list.

   2.2) Select 'Tables'->'Add Row' (Ctrl-R).

   2.3) Enter the following:

        Component   : cmf_my_krb5_ini
        ComponentId : {835BAAC6-5E54-BFFE-DBCB2F240711}
        Directory_  : WindowsFolder
        Attributes  : 144
        Condition   :
        KeyPath     : fil_my_krb5_ini

        Note that the ComponentId is an uppercase GUID. You can
        generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of
        which are included in the Platform SDK.

        The Attributes value of 144 is the sum of
        msidbComponentAttributesPermanent (16) and
        msidbComponentAttributesNeverOverwrite (128). This
        ensures that local modifications are not overwritten or
        lost during an installation or uninstallation. These are
        the same settings used on the default configuration files.

        'fil_my_krb5_ini' is a key into the 'File' table which we
        will fill in later.

3) Add a new feature to hold the new component.

   3.1) Select the 'Feature' table.

   3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the
        following values:

        Feature       : fea_my_krb5_ini
        Feature_Parent: feaKfwClient
        Title         :
        Description   :
        Display       : 0
        Level         : 30
        Directory_    :
        Attributes    : 8

        It is important to create the new feature under the
        'feaKfwClient' feature, which will ensure that the
        configuration file will be installed when the client
        binaries are installed.

        Setting 'Display' to 0 will hide this feature from the
        feature selection dialog during an interactive
        installation. A value of 30 for 'Level' allows this
        feature to be installed by default (on a 'Typical'
        installation).

        The 'Attributes' value is
        msidbFeatureAttributesDisallowAdvertise (8), which is set
        on all features in the KfW MSI. The KfW MSI is not
        designed for an advertised installation.

4) Join the component and the feature.

   4.1) Select the 'FeatureComponents' table.

   4.2) Add a new row with the following values:

        Feature   : fea_my_krb5_ini
        Component : cmf_my_krb5_ini

5) Add an entry to the 'File' table.

   5.1) Select the 'File' table.

   5.2) Add a new row with the following values:

        File       : fil_my_krb5_ini
        Component_ : cmf_my_krb5_ini
        FileName   : krb5.ini
        FileSize   : (enter file size here)
        ...
        Attributes : 8192
        Sequence   : 1000
        (leave other fields blank)

        The 'Attributes' value is msidbFileAttributesNonCompressed
        (8192). This is because we will be placing this file in
        the same directory as the MSI instead of embedding the
        file in it. Transforms do not support updating compressed
        sources or adding new cabinet streams.

        Finally, the 'Sequence' value of 1000 will be used later
        to distinguish the file as being in a separate source
        location from the other files in the MSI.

6) Set a media source for the file.

   6.1) Select the 'Media' table.

   6.2) Add a row with the following values:

        DiskId       : 2
        LastSequence : 1000
        ...
        (leave other fields blank)

        The sequence number of 1000 designates this as the media
        source for the newly added file.

2.3.1 Components for Configuration Files

krb5.ini    : 'cmf_krb5_ini'     (ID {C1AF0670-BBF1-4AA6-B2A6-6C8B1584A1F4})
krb.con     : 'cmf_krb_con'      (ID {5391A051-CF14-45FF-BF64-CEE78A7A90C2})
krbrealm.con: 'cmf_krbrealm_con' (ID {D667B54F-1C98-43FB-87C6-0F0517623B90})
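The copy/edit/msitran cycle of section 1.2, the property rules of section 2.1 and
the six-step krb5.ini walkthrough above are all edits to the same MSI database
tables that ORCA.EXE shows, so they can be scripted. The script below is an added
example and is not part of this guide or of Kerberos for Windows: it drives the
Windows Installer automation interface (the WindowsInstaller.Installer COM object)
to copy kfw.msi, add the Property rows with the section 2.1 value checks, set the
'cmf_krb5_ini' condition, insert the Component, Feature, FeatureComponents, File
and Media rows with the walkthrough's values (144, 30, 8, 8192, 1000), generate
kfw-transform.mst, and then apply it to a fresh copy the way the test in section
1.2 does. It assumes kfw.msi and your replacement krb5.ini are in the current
directory; the all-zero ComponentId is a placeholder to regenerate, the property
values are made up for the example, and the FeatureComponents columns are
addressed by their schema names Feature_ and Component_.

```powershell
# Added example, not part of this guide or of Kerberos for Windows: scripts the
# workflow of sections 1.2, 2.1 and 2.3 through the Windows Installer automation
# interface (WindowsInstaller.Installer) instead of ORCA.EXE and MSITRAN.EXE.
# Assumed: kfw.msi and your replacement krb5.ini are in the current directory;
# the ComponentId GUID is a placeholder to regenerate ([guid]::NewGuid()); the
# property values are constructed for the example.
$ErrorActionPreference = 'Stop'
$here = (Get-Location).ProviderPath

# PowerShell's COM adapter cannot see the Installer object's methods, so every
# call goes through IDispatch late binding.
function Invoke-Msi($Object, [string]$Member, [object[]]$Arguments = $null,
                    [string]$Kind = 'InvokeMethod') {
    $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
}
function Invoke-MsiSql($Database, [string]$Sql) {
    $view = Invoke-Msi $Database 'OpenView' @($Sql)
    Invoke-Msi $view 'Execute' | Out-Null
    Invoke-Msi $view 'Close' | Out-Null
}
# Value of a row in the Property table, or $null when the row is absent.
function Get-MsiProperty($Database, [string]$Name) {
    $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $Name
    $view = Invoke-Msi $Database 'OpenView' @($sql)
    Invoke-Msi $view 'Execute' | Out-Null
    $row  = Invoke-Msi $view 'Fetch'
    $val  = if ($null -ne $row) { Invoke-Msi $row 'StringData' @(1) 'GetProperty' } else { $null }
    Invoke-Msi $view 'Close' | Out-Null
    return $val
}
# Section 2.1 rules: only a non-null value touches the registry, booleans are
# '0'/'1', numbers are decimal strings, and a null value cannot be authored.
function Set-KfwProperty($Database, [string]$Name, [string]$Value, [string]$Type) {
    if ([string]::IsNullOrEmpty($Value)) { throw "${Name}: empty value would leave the registry untouched" }
    switch ($Type) {
        'bool'   { if ($Value -notin @('0', '1')) { throw "${Name}: expected '0' or '1'" } }
        'number' { if ($Value -notmatch '^\d+$')  { throw "${Name}: expected a decimal string" } }
    }
    $sql = if ($null -eq (Get-MsiProperty $Database $Name)) {
        'INSERT INTO `Property` (`Property`, `Value`) VALUES (''{0}'', ''{1}'')' -f $Name, $Value
    } else {
        'UPDATE `Property` SET `Value` = ''{1}'' WHERE `Property` = ''{0}''' -f $Name, $Value
    }
    Invoke-MsiSql $Database $sql
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$baseMsi = Join-Path $here 'kfw.msi'
$modMsi  = Join-Path $here 'kfw-modified.msi'
Copy-Item $baseMsi $modMsi -Force
$base = Invoke-Msi $installer 'OpenDatabase' @($baseMsi, 0)   # 0 = msiOpenDatabaseModeReadOnly
$mod  = Invoke-Msi $installer 'OpenDatabase' @($modMsi, 1)    # 1 = msiOpenDatabaseModeTransact

# 2.1: properties (constructed values)
Set-KfwProperty $mod 'LEASHAUTORENEWTICKETS' '1'   'bool'
Set-KfwProperty $mod 'LEASHNOADDRESSES'      '1'   'bool'
Set-KfwProperty $mod 'LEASHLIFETIME'         '600' 'number'   # minutes
Set-KfwProperty $mod 'LEASHMSLSAIMPORT'      '2'   'number'   # '0', '1' or '2'

# 2.3: disable the stock krb5.ini component and ship our own, uncompressed,
# from the MSI's directory (the walkthrough's values: 144, 30, 8, 8192, 1000)
$size = (Get-Item (Join-Path $here 'krb5.ini')).Length
Invoke-MsiSql $mod 'UPDATE `Component` SET `Condition` = ''DONOTINSTALL'' WHERE `Component` = ''cmf_krb5_ini'''
Invoke-MsiSql $mod ('INSERT INTO `Component` (`Component`, `ComponentId`, `Directory_`, `Attributes`, `KeyPath`) ' +
    'VALUES (''cmf_my_krb5_ini'', ''{00000000-0000-0000-0000-000000000000}'', ''WindowsFolder'', 144, ''fil_my_krb5_ini'')')
Invoke-MsiSql $mod ('INSERT INTO `Feature` (`Feature`, `Feature_Parent`, `Display`, `Level`, `Attributes`) ' +
    'VALUES (''fea_my_krb5_ini'', ''feaKfwClient'', 0, 30, 8)')
Invoke-MsiSql $mod 'INSERT INTO `FeatureComponents` (`Feature_`, `Component_`) VALUES (''fea_my_krb5_ini'', ''cmf_my_krb5_ini'')'
Invoke-MsiSql $mod ('INSERT INTO `File` (`File`, `Component_`, `FileName`, `FileSize`, `Attributes`, `Sequence`) ' +
    ('VALUES (''fil_my_krb5_ini'', ''cmf_my_krb5_ini'', ''krb5.ini'', {0}, 8192, 1000)' -f $size))
Invoke-MsiSql $mod 'INSERT INTO `Media` (`DiskId`, `LastSequence`) VALUES (2, 1000)'
Invoke-Msi $mod 'Commit' | Out-Null

# 1.2: generate the transform (what 'msitran -g' does), then test it on a
# fresh copy (what 'msitran -a' does) and check one of the edits came through
$mst = Join-Path $here 'kfw-transform.mst'
Invoke-Msi $mod 'GenerateTransform' @($base, $mst) | Out-Null
Invoke-Msi $mod 'CreateTransformSummaryInfo' @($base, $mst, 0, 0) | Out-Null

$testMsi = Join-Path $here 'kfw-test.msi'
Copy-Item $baseMsi $testMsi -Force
$test = Invoke-Msi $installer 'OpenDatabase' @($testMsi, 1)
Invoke-Msi $test 'ApplyTransform' @($mst, 0) | Out-Null
Invoke-Msi $test 'Commit' | Out-Null
if ((Get-MsiProperty $test 'LEASHLIFETIME') -ne '600') { throw 'transform did not apply cleanly' }
"wrote $mst and verified it against kfw-test.msi"
```

Run it from the directory holding kfw.msi and krb5.ini; kfw-transform.mst is the
file you deploy alongside kfw.msi and krb5.ini. Because the File row is marked
non-compressed and points at a second Media entry, the installer looks for
krb5.ini next to the MSI at install time, exactly as the walkthrough describes,
so the deployment share must contain all three files. The final check reads the
property back from kfw-test.msi rather than trusting the generate step, which
mirrors the manual test in section 1.2.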

----------------------------------------------------------------------

3. Network Identity Manager Settings

Configuration options for Network Identity Manager (NetIDMgr) are
stored in the Windows registry. Each option can exist in the user
registry hive, the machine registry hive, or both. The value
defined in the user hive always overrides the value defined in the
machine registry hive.

All registry keys used by NetIDMgr exist under the key
'Software\MIT\NetIDMgr' under the user and machine hive.
Deploying a specific configuration option can be achieved by
setting the corresponding registry value either by authoring the
keys into the MSI via a transform or by deploying a registry-based
Group Policy Object. For deployment purposes, it is advisable to
deploy values to the machine hive instead of the user hive.
Deploying per-user settings via the MSI is not supported at this
time.

3.1 Common settings for NetIDMgr

The following sections describe a partial list of options that can
be specified for NetIDMgr. Each set of options is described as a
set of registry values. Each section is preceded by the registry
key under which the values of that section must be specified.

3.1.1 General settings

Registry key : 'Software\MIT\NetIDMgr\CredWindow'
--------------

Value   : AllowAutoRenew
Type    : DWORD (Boolean)
Default : 1

  Enables automatic credential renewal.

Value   : AllowCritical
Type    : DWORD (Boolean)
Default : 1

  Enables critical warning notifications.

Value   : AllowWarn
Type    : DWORD (Boolean)
Default : 1

  Enables warning notifications.

Value   : AutoDetectNet
Type    : DWORD (0 or 1)
Default : 1

  If '1', automatically detects network connectivity changes.
  Network connectivity change notifications are then sent out to
  individual plug-ins, which can perform actions such as renewing
  credentials or obtaining new credentials.

Value   : AutoImport
Type    : DWORD (0 or 1)
Default : 1

  If '1', imports credentials from the Windows LSA cache when
  NetIDMgr starts.

Value   : AutoInit
Type    : DWORD (0 or 1)
Default : 0

  If this value is '1', shows the new credentials dialog if
  there are no credentials when NetIDMgr starts.

Value   : AutoStart
Type    : DWORD (0 or 1)
Default : 0

  Start NetIDMgr when Windows starts.

Value   : AutoRenewThreshold
Type    : DWORD (seconds)
Default : 600

  Specifies the time period before credential expiration that will
  trigger a credential renewal. Requires AllowAutoRenew to be enabled.

Value   : CriticalThreshold
Type    : DWORD (seconds)
Default : 300

  Specifies the time period before credential expiration that will
  trigger the second and final warning balloon. Requires AllowCritical
  to be enabled.

Value   : DefaultAllowAutoRenew
Type    : DWORD (Boolean)
Default : 1

  Specifies the default AllowAutoRenew value for new identities.

Value   : DefaultSticky
Type    : DWORD (0 or 1)
Default : 1

  If '0', new identities will not be pinned to the display by default.
  If '1', new identities will be pinned to the display by default.

Value   : DefaultWindowMode
Type    : DWORD (0 or 1)
Default : 1

  If '0', Advanced mode is used.
  If '1', Basic mode is used.

Value   : DestroyCredsOnExit
Type    : DWORD (0 or 1)
Default : 0

  If '1', all credentials will be destroyed when NetIDMgr exits.

Value   : KeepRunning
Type    : DWORD (0 or 1)
Default : 1

  If '1', when the NetIDMgr application is closed, it will continue
  to run in the Windows System Notification Area (System Tray).
  The application can be exited by choosing the 'Exit' menu
  option. If '0', closing the application will cause it to
  exit completely.

Value   : LogToFile
Type    : DWORD (0 or 1)
Default : 0

  If '1', debugging information is logged to %TEMP%\nidmdbg.log.

Value   : NotificationAction
Type    : DWORD (50008 or 50025)
Default : 50025

  If '50025', the default notification icon menu action will be to
  show the Network Identity Manager application window.
  If '50008', the default notification icon menu action will be to
  display the Obtain New Credentials dialog.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Value : RefreshTimeout
|
|
Packit Service |
99d1c0 |
Type : DWORD (seconds)
|
|
Packit Service |
99d1c0 |
Default : 60
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Specifies how often the credential list is refreshed.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Value : RenewAtHalfLife
|
|
Packit Service |
99d1c0 |
Type : DWORD (Boolean)
|
|
Packit Service |
99d1c0 |
Default : 1
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Enables the use of a half-life algorithm for credential renewals.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Value : WarnThreshold
|
|
Packit Service |
99d1c0 |
Type : DWORD (seconds)
|
|
Packit Service |
99d1c0 |
Default : 900
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
Specifies the time period before credential expiration that will
|
|
Packit Service |
99d1c0 |
trigger the first warning balloon. Requires AllowWarn to be enabled.
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
|
|
Packit Service |
99d1c0 |
3.1.2 Common Plug-in settings

Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\<plug-in name>'
--------------

The '<plug-in name>' is one of the following for the standard plug-ins:

Krb5Cred : Kerberos 5 credentials provider
Krb5Ident: Kerberos 5 identity provider

Consult the vendors for the plug-in names of other third-party
plug-ins. Additionally, the plug-ins configuration panel in the
NetIDMgr application provides a list of currently registered
plug-ins.


Value : Disabled
Type : DWORD (0 or 1)
Default : 0

If '1', the plug-in will not be loaded.


Value : NoUnload
Type : DWORD (0 or 1)
Default : 0

If '1', the plug-in will not be unloaded from memory when the
NetIDMgr application exits or if the plug-in is stopped. The
plug-in binary will remain loaded until NetIDMgr terminates.


3.1.3 Settings for the Kerberos 5 credentials provider plug-in

Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
--------------

Value : AutoRenewTickets
Type : DWORD (0 or 1)
Default : 1

If '1', automatically renews expiring tickets. The thresholds
at which renewals happen are controlled in the general NetIDMgr
settings.


Value : CreateMissingConfig
Type : DWORD (0 or 1)
Default : 0

If '1', creates any missing configuration files.


Value : MsLsaImport
Type : DWORD (0, 1 or 2)
Default : 1

Controls how credentials are imported from the MSLSA cache.
This setting can be one of the following:

0 : Never
1 : Always
2 : Only if the principal matches

Note that this setting only controls how the Kerberos 5
plug-in handles importing of credentials from the MSLSA cache.
Whether or not credentials are imported at start-up is
controlled via the general NetIDMgr settings as described in
section 3.1.1.


Value : MsLsaList
Type : DWORD (0 or 1)
Default : 1

If '1', includes credentials from the MSLSA cache in the
credentials listing.


Value : UseFullRealmList
Type : DWORD (0 or 1)
Default : 0

If '1', the new credentials dialog box uses the full list of realms
as determined by parsing the krb5.ini configuration file.
If '0', only the most recently used list of realms will be used.


3.1.3.1 Per-identity settings

Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\<principal name>\Krb5Cred'
Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters\Realms\<realm>'
Registry key 3: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
--------------

These settings are generally maintained per-identity. However, if
a particular setting is not specified for an identity or if the
identity is new, then the value will be looked up first in the
per-realm configuration key (key 2) and then in the global
parameters key (key 3). Global defaults should be set in the
global parameters key (key 3).


Value : Addressless
Type : DWORD (boolean)
Default : 1

Determines if addressless tickets will be obtained for new identities.


Value : DefaultLifetime
Type : DWORD
Default : 36000

Default ticket lifetime, in seconds.


Value : DefaultRenewLifetime
Type : DWORD
Default : 604800

Default renewable lifetime, in seconds.


Value : FileCCList
Type : SZ
Default : <not specified>

Specifies a comma-delimited list of FILE credential caches to monitor
for credentials.


Value : Forwardable
Type : DWORD (0 or 1)
Default : 0

Obtain forwardable tickets.


Value : MaxLifetime
Type : DWORD
Default : 86400

Maximum lifetime, in seconds. This value is used to set the
range of the user interface controls that allow setting the
lifetime of a ticket.


Value : MaxRenewLifetime
Type : DWORD
Default : 2592000

Maximum renewable lifetime, in seconds. This value is used to
set the range of the user interface controls that allow
setting the renewable lifetime of a ticket.


Value : MinLifetime
Type : DWORD
Default : 60

Minimum lifetime, in seconds. This value is used to set the
range of the user interface controls that allow setting the
lifetime of a ticket.


Value : MinRenewLifetime
Type : DWORD
Default : 60

Minimum renewable lifetime, in seconds. This value is used to
set the range of the user interface controls that allow
setting the renewable lifetime of a ticket.


Value : Proxiable
Type : DWORD (0 or 1)
Default : 0

Obtain proxiable tickets.


Value : Renewable
Type : DWORD (0 or 1)
Default : 1

Obtain renewable tickets.
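As an added example (not code from this deployment guide or from the KfW project), the PowerShell script below writes conservative global defaults under key 3, a per-realm override under key 2, and then resolves settings for a principal in the identity, realm, global order described in this section. It assumes an elevated session, the HKLM hive, and the constructed realm EXAMPLE.COM and principal alice@EXAMPLE.COM.

```powershell
# Added example, not part of the KfW deployment guide. Assumes an elevated
# session; HKLM is used so the defaults apply to every user on the machine.
# Caveat: a 32-bit NetIDMgr on 64-bit Windows reads the WOW64-redirected view
# (HKLM:\Software\WOW6432Node\MIT\NetIDMgr), so write to the matching view.
$Base      = 'HKLM:\Software\MIT\NetIDMgr'
$GlobalKey = "$Base\PluginManager\Plugins\Krb5Cred\Parameters"   # key 3
$RealmBase = "$GlobalKey\Realms"                                  # parent of key 2
$IdentBase = "$Base\KCDB\Identity"                                # parent of key 1

function Set-NetIDMgrDwords {
    param([string]$Key, [hashtable]$Values)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # All of these settings are documented as DWORD values.
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Resolve one setting the way the guide describes: the identity key first,
# then the realm key, then the global parameters key.
function Resolve-Krb5CredSetting {
    param([string]$Principal, [string]$Name)
    $realm = $Principal.Split('@')[-1]
    $order = @(
        @{ Scope = 'identity'; Key = "$IdentBase\$Principal\Krb5Cred" },
        @{ Scope = 'realm';    Key = "$RealmBase\$realm" },
        @{ Scope = 'global';   Key = $GlobalKey }
    )
    foreach ($level in $order) {
        $item = Get-ItemProperty -Path $level.Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $level.Scope }
        }
    }
    return $null   # not set at any level; NetIDMgr uses its built-in default
}

# Global defaults (key 3): no forwardable or proxiable tickets unless a realm
# or identity explicitly opts in; lifetimes stay within the documented ranges.
Set-NetIDMgrDwords -Key $GlobalKey -Values @{
    Forwardable = 0; Proxiable = 0; Renewable = 1; Addressless = 1
    DefaultLifetime = 36000; MaxLifetime = 86400; MinLifetime = 60
    DefaultRenewLifetime = 604800; MaxRenewLifetime = 2592000; MinRenewLifetime = 60
}
# Per-realm override (key 2) for the constructed realm EXAMPLE.COM: shorter tickets.
Set-NetIDMgrDwords -Key "$RealmBase\EXAMPLE.COM" -Values @{ DefaultLifetime = 28800 }

# For a new identity with no key 1 entry, DefaultLifetime resolves from the
# realm key (28800) while Forwardable and MaxLifetime come from the global key.
foreach ($name in 'DefaultLifetime', 'Forwardable', 'MaxLifetime') {
    Resolve-Krb5CredSetting -Principal 'alice@EXAMPLE.COM' -Name $name
}
```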


----------------------------------------------------------------------

4. Additional Resources

If you want to add registry keys or files, you need to create new
components and features for them.

Add new features under the 'feaKfwClient' feature and set the
'Level' column for those features to equal the 'Level' of their
parent features for consistency. Note that none of the features
in the "Kerberos for Windows" MSI package are designed to be
installed to run from 'source' or 'advertised'. It is recommended
that you set the 'msidbFeatureAttributesFavorLocal' (0),
'msidbFeatureAttributesFollowParent' (2) and
'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new
features.

If you are creating new components, retain the same component GUID
when creating new transforms against new releases of the Kerberos
MSI package.

It is beyond the scope of this document to provide a comprehensive
overview of how to add new resources through a transform. Please
refer to the "Windows Installer" documentation for details. The
relevant section is at:

http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp

A sample walkthrough of adding a new configuration file is in
section 2.3.

----------------------------------------------------------------------

5. Upgrades

The MSI package is designed to uninstall previous versions of
"Kerberos for Windows" during installation. Note that it doesn't
directly upgrade an existing installation. This is intentional
and ensures that development releases which do not have strictly
increasing version numbers are properly upgraded.

Versions of Kerberos that are upgraded by the MSI package are:

1) "Kerberos for Windows" 32-bit i386 MSI package

   Upgrade code {61211594-AAA1-4A98-A299-757326763CC7}
   Up to current release

2) "Kerberos for Windows" 64-bit amd64 MSI package

   Upgrade code {6DA9CD86-6028-4852-8C94-452CAC229244}
   Up to current release

3) "MIT Project Pismere Kerberos for Windows" MSI package and
   "MIT SWRT Kerberos for Windows" MSI

   Upgrade code {83977767-388D-4DF8-BB08-3BF2401635BD}
   All versions

4) "Kerberos for Windows" NSIS package

   All versions

Note that versions of the "Kerberos for Windows" NSIS package had
a bug where it couldn't be uninstalled properly in unattended
mode. Therefore the MSI package will not try to uninstall a
"Kerberos for Windows" NSIS package if running unattended. This
means that group policy based deployments will fail on machines
that have the "Kerberos for Windows" NSIS package installed.

Note that the NSIS package is only available for 32-bit i386.
You cannot install both the 32-bit NSIS and 64-bit amd64 MSI
packages on the same machine. To install both 32-bit and 64-bit
KFW, you must use the MSI packages of both.

If you have used a different MSI package to install Kerberos for
Windows and wish to upgrade it, you can author rows into the
'Upgrade' table to have the "Kerberos for Windows" MSI replace these
installations for you.

----------------------------------------------------------------------

6. FAQ

(Q/A's will be added here as needed)

----------------------------------------------------------------------