Kerberos for Windows 3.0

Release Notes

5 December 2005

Overview

MIT Kerberos for Windows (KfW) is an integrated Kerberos release for Microsoft Windows operating systems. It includes the Kerberos v4 library, Kerberos v5 library version 1.4.3, Kerberos v5 GSS API library, Kerberos 524 library, KClient API library, Leash API library, Network Identity Manager, kinit/klist/kdestroy/krb524init/ms2mit/aklog command-line credentials managers, and an in-memory credentials cache.

Terminology

Kerberos v4 (also Kerberos 4 or Kerberos version 4) and Kerberos v5 (also Kerberos 5 or Kerberos version 5) refer to versions 4 and 5 of the Kerberos protocol. A protocol is a specification for how data is transmitted on a network.

Kerberos credentials and Kerberos tickets are the same thing.


What's New in Kerberos for Windows 3.0

3.0.0

  • Kerberos 5 library updated to release 1.4.3.  The most important change in this release is that the Kerberos 5 libraries are safe for use in multi-threaded applications.  See the Kerberos 5 README file for details of additional changes in the Kerberos 5 version 1.4.3 distribution.
  • Kerberos 4 support is beginning to be phased out.  The default for new installations is to not obtain Kerberos 4 tickets in the Network Identity Manager or kinit.exe.
  • The Leash credential manager has been replaced by a new modular framework for identity management called the Network Identity Manager.
    • It ships with a Kerberos 5 identity manager that manages multiple Kerberos 5 Identities and allows the user to select which one should be used as the default.
    • It ships with Kerberos 5 and Kerberos 4 plug-ins that allow users to obtain Kerberos 5 and Kerberos 4 credentials
    • An AFS plug-in is available separately from Secure Endpoints Inc. which will be incorporated into a future version of OpenAFS for Windows
    • Organizations that wish to develop their own plug-ins are encouraged to contact kfw-bugs@mit.edu
  • A new KFW Network Provider is installed to obtain tickets at login time for the default realm and store them into the user credential cache.
  • Microsoft Windows 95, 98, ME, and NT 4.0 are no longer supported
  • The aklog utility is no longer distributed.  It ships as part of OpenAFS for Windows 1.4.0.

What's New in Kerberos for Windows 2.6

2.6.5

  • Correct incompatibility between Kerberos 5 MSLSA krb5_ccache and Windows 2000 (introduced in 2.6.4)
  • Kerberos 5 library updated to release 1.3.5.  Corrects two security holes which could allow a rogue KDC to execute arbitrary code on the client.  See the Kerberos 5 README file for details of the changes in the Kerberos 5 version 1.3.5 distribution.
  • Add a new MSI based installation option for organizations which need to distribute KFW via group policy.  The source for the installer is part of the KFW SDK.  The MSI may be customized via the use of MSI transforms. See the file install\wix\msi-deployment-guide.txt for details.

2.6.4

  • Solve problem in MSLSA: ccache which would result in premature process termination on non-English versions of Windows if Kerberos credentials were not available from LSA credential manager.
  • Apply automatic import restrictions from the MSLSA credentials cache to the GSSAPI acquire credentials code when necessary.
  • Kerberos 5 library updated to release 1.3.4.  See the Kerberos 5 README file for details of the changes in the Kerberos 5 version 1.3.4 distribution.
  • Add support for the location of the AllowTGTSessionKey registry value in Windows XP SP2 to the installer
  • Add support for Terminal Server compatibility flags to the installer

2.6.3

  • Prevent Leash from flooding the KDC with TGS_REQ messages when the Windows Logon Session is authenticated using Kerberos.

2.6.2

  • The behavior of the Leash automatic importing of credentials from the MSLSA credentials cache is now configurable.  Options include never, always, and only if the MSLSA principal belongs to the default realm as specified in krb5.ini.
  • Kerberos Ticket Initialization options modified within the Ticket Initialization dialog may now optionally be preserved.
  • A memory access error introduced in 2.6.1 has been eliminated.  This problem was traced to errors in implementation of the MFC CSingleLock class.

2.6.1

  • Kerberos 5 library updated to release 1.3.3.  See the Kerberos 5 README file for details of the changes in the Kerberos 5 version 1.3.3 distribution.
  • Fixes a compatibility issue with Windows 98 and ME discovered after the 2.6 release.
  • Leash and aklog obtain AFS tokens via Kerberos 5 without requiring the use of a krb524 daemon.
  • The Kerberos 5 command line utilities kvno.exe and kpasswd.exe are now included in the distribution.
  • The Leash Change Password function once again works when passwords are expired.

2.6.0

  • Leash has been turned into a System Tray application
  • Leash implements IP address change detection which is used in conjunction with KDC Probing to determine when dialogs for obtaining tickets should be displayed to the end user
  • Leash API functions no longer display dialogs to the end user on failure
  • Kerberos 5 Credential Cache Name changes are now functional
  • aklog support for Kerberos 5 credentials has been added and is now the default.  Use the -4 switch if you wish to use aklog with Kerberos 4 credentials.
  • krb5_cc api support for accessing the Microsoft Kerberos LSA cache in read-only mode.  Use a ccache name of "MSLSA:".
  • KClient and GSSAPI libraries will now automatically display the Leash Obtain Ticket Getting Tickets dialog box when a request for service tickets is made and no TGTs exist.  This can be disabled by defining the environment variable KERBEROSLOGIN_NEVER_PROMPT.
  • The Leash online help functionality has been updated.  The HtmlHelp engine is now used instead of WinHelp.  All content has been updated.
  • A new installer based on the open source NullSoft Installation System is provided.  Source is provided as part of the SDK to allow for customization.
  • A new GSS Sample Application client has been added to the distribution which is compatible with the Unix gss-server sample service.
  • Improvements to the Winsock Helper Library (WSHELP32.DLL) to avoid several problems related to initializing the list of DNS servers.  Whenever possible the operating system versions of resolver functions are used instead of the internal versions.

What's New in Kerberos for Windows 2.5

2.5.1

  • The order of Kerberos 5 and Kerberos 4 tickets in the Leash credential tree is reversed
  • Status Bar string formatting corrected for AFS Token lifetimes
  • Automatic Ticket Renewals performed on AFS Token expiration
  • Error dialogs are suppressed when using Leash API calls for check password, kinit, and change password
  • AFS Tokens are obtained via a krb524 of a Kerberos 5 AFS ticket in preference to obtaining a Kerberos 4 AFS Ticket

2.5.0 (includes all changes since 2.1)

  • Kerberos v5 support is from MIT Kerberos v5 Release 1.3.1. In addition to bug fixes, this release of Kerberos 5 includes several important changes:
    • The public API has been more clearly defined. The krb5.h header file now marks non-public functions with KRB5_PRIVATE and deprecated functions with KRB5_DEPRECATED. You should not define these in your builds.
    • The krb5_32.dll exports have been cleaned up (most private functions are no longer exported) to try to reflect that API. However, the Kerberos 5 DLL still exports some private functions that are currently used by the GSSAPI implementation. Make sure you do not use these (check krb5.h or krb5_32.def).
    • The Kerberos 5 ccache and keytab accessors are now functions instead of macros.
    • The Kerberos 524 ticket conversion functions are now integrated into the Kerberos 5 library.  A krb524.dll is provided for backward compatibility with the krb524.dll distributed by http://www.rose-hulman.edu/TSC/software/wake/documentation/compiling/krb524/
    • The library default is now to retrieve addressless tickets.  This can be a problem for DCE based systems.  To restore the previous behavior and enable Leash configurable control, add "noaddresses = false" to the "[libdefaults]" section of the KRB5.INI file.
    • GSS Kerberos OID constants are exported by GSSAPI32.DLL
  • Leash Credential Manager improvements:
    • Leash behaves nicely with missing or incomplete configuration files
    • Autogeneration of missing configuration files based upon DNS records or Microsoft Windows Domain configuration.  Configurable by registry setting or Leash Properties dialog.
    • Importation of Microsoft Windows Domain credentials into the MIT Credentials Cache supported via Actions->Import Tickets (^I)
    • Ability to manage DNS KDC Lookup setting from Kerberos Properties Dialog
    • Renew Kerberos credentials without password.  Actions->Renew Tickets (^R)
    • KRB524 support
      • used to retrieve Kerberos 4 credentials in preference to Kerberos 4 kinit
      • used to retrieve Kerberos 4 credentials during ticket renewal
      • used to retrieve Kerberos 4 credentials during Windows credential importation
    • New Ticket Initialization and Change Password dialogs
    • Addressless Kerberos 5 tickets configuration (when KRB5.INI contains [libdefaults] noaddresses = false)
    • Renewable Kerberos 5 tickets configuration
    • Automatic Ticket Renewal renews/re-imports Kerberos 5 tickets and obtains new Kerberos 4 tickets via KRB524 when either Kerberos 4 or Kerberos 5 credentials are about to expire. Options->Automatic Ticket Renewal
    • On startup, if the credential cache is empty and the Windows logon session is Kerberos authenticated, the Windows Kerberos credentials are imported
    • New command line options:
      • -ms2mit, -import, -m imports credentials from the Windows Logon Session (and exit)
      • -renew, -r renews credentials (and exit)
      • -destroy, -d destroys credentials  (and exit)
      • -autoinit, -a performs ticket initialization only if the credential cache is empty
    • Expired Tickets can now be destroyed
    • Prompter dialogs added to support hardware pre-authentication mechanisms
    • Kerberos 4 ticket retrieval can now be disabled without deleting the KRBV4W32.DLL via the Leash Properties dialog
    • Kerberos 4 and Kerberos 5 configuration file locations may now be locked
    • Leash now obeys instructions for Minimize, Maximize and Normal window creation
    • New Icons and Toolbar images
    • Ticket Encryption Types and Addresses are displayed for Kerberos 5 tickets
    • Andrew File System token retrieval (if either OpenAFS or IBM AFS® Version 3.6 is installed)
  • Leashw32 API expanded to provide access to the new Ticket Initialization and Change Passwords dialogs; and get/set/reset functions to alter Leash and Kerberos behavior
  • New Leash End User documentation provided in PDF format

System Requirements

Operating System

Kerberos for Windows 3.0 requires 32-bit versions of Windows 2000, XP, 2003 or higher.

Microsoft Redistributable DLLs

The following versions or newer of several freely redistributable Microsoft DLLs are required depending on the compiler release used to build the distribution.  The MIT distribution is built using the Microsoft Visual Studio .NET 2003 C/C++ compiler:

   Filename       Version       Description
*  mfc71.dll      7.10.3077.0   MSVS.NET 2003 MFCDLL Shared Library - Retail Version
*  msvcr71.dll    7.10.3052.4   MSVS.NET 2003 Microsoft (R) C Runtime Library
*  msvcp71.dll    7.10.3077.0   MSVS.NET 2003 Microsoft (R) C Runtime Library
   mfc70.dll      7.00.9466.0   MSVS.NET MFCDLL Shared Library - Retail Version
   msvcr70.dll    7.00.9466.0   MSVS.NET Microsoft (R) C Runtime Library
   msvcp70.dll    7.00.9466.0   MSVS.NET Microsoft (R) C Runtime Library
   mfc42.dll      6.0.8665.0    MSVC++ 6.0 MFCDLL Shared Library - Retail Version
   msvcrt.dll     6.0.8168.0    MSVC++ 6.0 Microsoft (R) C Runtime Library
   msvcp60.dll    6.0.8168.0    MSVC++ 6.0 Microsoft (R) C++ Runtime Library
*  psapi.dll      4.0.1198.1    Process Status Helper [not used in Windows 95/98/98SE/ME]

The KfW Installer will install the DLLs marked by an asterisk.

To see what Microsoft products ship with which version of these DLLs, you can use the DLL Help Database.

If you are not using the installer and you are missing some of these DLLs, you can download the Microsoft Redistributable Components component from the MIT Kerberos download site and manually install each missing DLL.

Note: psapi.dll is also available by itself from the Microsoft Download Center.


Installation and Configuration

Binaries

Core Binaries

Filename       Description
krbv4w32.dll   Kerberos 4 library
krbcc32.dll    Kerberos credentials cache library -- required by Kerberos 4; used by Kerberos 5 for in-memory credentials cache
krbcc32s.exe   Kerberos credentials cache -- required by krbcc32.dll
kclnt32.dll    KClient library -- required by some Kerberos 4 applications (deprecated)
krb5_32.dll    Kerberos 5 library
krb524.dll     Kerberos 524 compatibility library
leashw32.dll   Exports Ticket Init and Change Password dialogs as well as registry get/set/reset functions for managing Leash configurations.  (Used by third party applications.)
xpprof32.dll   Kerberos 5 Profile Management library (required by leashw32.dll)
comerr32.dll   Kerberos 5 Common Error Library (required by Kerberos 5 and Leash32.exe)
gssapi32.dll   GSS API for Kerberos 5
wshelp32.dll   Winsock helper used by various things
kinit.exe      command-line app to get Kerberos credentials
klist.exe      command-line app to list Kerberos credentials
kdestroy.exe   command-line app to destroy Kerberos credentials
k524init.exe   command-line app to get Kerberos 4 credentials using Kerberos 5 credentials instead of a password
ms2mit.exe     command-line app to transfer Microsoft Kerberos v5 domain credentials into the MIT Kerberos v5 credentials cache.

Network Identity Manager Binaries

Filename                       Description
netidmgr.exe                   Network Identity Manager main executable.
[filename missing from page]   Provides information to Windows about which versions of libraries should be associated with netidmgr.exe.
krb4cred.dll                   Kerberos 4 credentials provider plugin.
krb4cred_en_us.dll             English (US) language resources for the Kerberos 4 credentials provider.
krb5cred.dll                   Kerberos 5 credentials provider and identity provider plugin.
krb5cred_en_us.dll             English (US) language resources for the Kerberos 5 credentials provider.
nidmgr32.dll                   [description missing from page]

It is recommended that all binaries be installed into a single directory in the user's PATH. Make sure that you do not have other Kerberos binaries in your PATH.

Locating Kerberos Configuration Files

The simplest configuration is to put the krb5.ini, krb.con, and krbrealm.con configuration files in the Windows directory (or in the same directory as the Kerberos DLLs).  The NSIS installer looks for configuration files only in the Windows directory.

Kerberos 5

Kerberos 5 needs a single configuration file: krb5.ini. You can put it in the Windows directory, or in the same directory as the DLL, or you can point to an arbitrary file by setting the KRB5_CONFIG environment variable.
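As an added example (not part of these release notes and not KfW's own code), the following Python reads a constructed krb5.ini in the MIT profile format, checks the "[libdefaults] noaddresses = false" setting described under 2.5.0, applies the Leash MSLSA import options listed under 2.6.2 (never, always, or only when the MSLSA principal belongs to the default realm), and probes the krb5.ini locations named above. The lookup order (KRB5_CONFIG on its own when set, then the DLL directory, then the Windows directory), the policy names never/always/default_realm_only, and the sample realm and paths are assumptions made for the example.

```python
# Added example, not KfW code: krb5.ini (MIT profile format) parser plus
# the noaddresses, MSLSA-import and config-location checks the notes describe.
import os
from typing import Any, Dict

# Constructed sample KRB5.INI; only the noaddresses line comes from the notes.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
"""

def _store(table: Dict[str, Any], key: str, value: Any) -> None:
    """Repeated keys (e.g. several kdc lines) accumulate into a list."""
    if key not in table:
        table[key] = value
    elif isinstance(table[key], list):
        table[key].append(value)
    else:
        table[key] = [table[key], value]

def parse_profile(text: str) -> Dict[str, Any]:
    """Parse [section] headers, key = value lines and nested 'name = { ... }'
    blocks. Raises ValueError on malformed input instead of guessing."""
    root: Dict[str, Any] = {}
    stack: list = []  # stack[0] is the current section, stack[-1] the innermost block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            child: Dict[str, Any] = {}
            _store(stack[-1], key, child)
            stack.append(child)
        else:
            _store(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return root

def _as_bool(value: Any, default: bool) -> bool:
    if value is None:
        return default
    return str(value).strip().lower() in ("true", "t", "yes", "y", "on", "1")

def addressful_tickets_enabled(profile: Dict[str, Any]) -> bool:
    """Library default is addressless tickets; 'noaddresses = false' in
    [libdefaults] restores address-bound tickets (2.5.0 notes)."""
    return not _as_bool(profile.get("libdefaults", {}).get("noaddresses"), True)

def should_import_mslsa(policy: str, mslsa_principal: str, profile: Dict[str, Any]) -> bool:
    """2.6.2 import options; the policy names are assumed for this example."""
    if policy == "never":
        return False
    if policy == "always":
        return True
    if policy == "default_realm_only":
        default_realm = profile.get("libdefaults", {}).get("default_realm")
        realm = mslsa_principal.rpartition("@")[2]
        return bool(default_realm) and realm.upper() == str(default_realm).upper()
    raise ValueError(f"unknown import policy: {policy!r}")

def locate_krb5_ini(env, dll_dir, windows_dir, exists=os.path.exists):
    """Assumed order: KRB5_CONFIG alone when set, else DLL dir, then Windows dir.
    Returns None when no krb5.ini is found at the selected locations."""
    if env.get("KRB5_CONFIG"):
        return env["KRB5_CONFIG"] if exists(env["KRB5_CONFIG"]) else None
    for candidate in (os.path.join(dll_dir, "krb5.ini"), os.path.join(windows_dir, "krb5.ini")):
        if exists(candidate):
            return candidate
    return None

if __name__ == "__main__":
    prof = parse_profile(SAMPLE_KRB5_INI)
    print("default_realm:", prof["libdefaults"]["default_realm"])
    print("address-bound tickets:", addressful_tickets_enabled(prof))
    print("import alice@EXAMPLE.COM?", should_import_mslsa("default_realm_only", "alice@EXAMPLE.COM", prof))
    print("krb5.ini in use:", locate_krb5_ini(os.environ, os.getcwd(), os.environ.get("SystemRoot", "C:/Windows")))
```

Running the script on a real machine reports which krb5.ini the assumed search order would select; pass a different `exists` callable, as the block's own checks do, to reason about a configuration without touching the filesystem.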

Kerberos 4

Kerberos 4 needs two configuration files, typically called krb.con and krbrealm.con. You can put these files in the same directory as the DLL and everything should work. You can also set KRB4_KRB.REALMS or KRB4_KRB.CONF to override each file. Or you can set KRB4_C