MIT Kerberos for Windows (KfW) is an integrated Kerberos release for Microsoft Windows operating systems. It includes the Kerberos v4 library, Kerberos v5 library version 1.4.4, Kerberos v5 GSS API library, Kerberos 524 library, KClient API library, Leash API library, Network Identity Manager, kinit/klist/kdestroy/krb524init/ms2mit/aklog command-line credentials managers, and an in-memory credentials cache.
Kerberos v4 (also Kerberos 4 or Kerberos version 4) and Kerberos v5 (also Kerberos 5 or Kerberos version 5) refer to versions 4 and 5 of the Kerberos protocol. A protocol is a specification for how data is transmitted on a network.
Kerberos credentials and Kerberos tickets are the same thing.
1. A serious memory leak has been fixed
2. Principal names containing numbers are no longer considered invalid
3. Locales other than en_US are now supported
4. Arbitrary sort ordering of credentials
5. Support for FILE: ccaches
6. Credential properties may be selected by the user for display
7. User selected font support
8. Tool Tip support added to the Toolbar
9. Identities can be added without obtaining credentials
10. Kerberos 5 Realm editor has been added
Kerberos for Windows 3.1 is designed for 32-bit versions of Windows 2000, XP, 2003, 2003 R2 or higher and WOW64 environments.
The following versions or newer of several freely redistributable Microsoft DLLs are required depending on the compiler release used to build the distribution. The MIT distribution is built using the Microsoft Visual Studio .NET 2003 C/C++ compiler:
    Filename      Version       Description
  * mfc71.dll     7.10.3077.0   MSVS.NET 2003 MFCDLL Shared Library - Retail Version
  * msvcr71.dll   7.10.3052.4   MSVS.NET 2003 Microsoft (R) C Runtime Library
  * msvcp71.dll   7.10.3077.0   MSVS.NET 2003 Microsoft (R) C Runtime Library
    mfc70.dll     7.00.9466.0   MSVS.NET MFCDLL Shared Library - Retail Version
    msvcr70.dll   7.00.9466.0   MSVS.NET Microsoft (R) C Runtime Library
    msvcp70.dll   7.00.9466.0   MSVS.NET Microsoft (R) C Runtime Library
  * psapi.dll     4.0.1198.1    Process Status Helper [not used in Windows 95/98/98SE/ME]
The KfW Installer will install the DLLs marked by an asterisk.
To see what Microsoft products ship with which version of these DLLs, you can use the DLL Help Database.
If you are not using the installer and you are missing some of these DLLs, you can download the Microsoft Redistributable Components component from the MIT Kerberos download site and manually install each missing DLL.
Note: psapi.dll is also available by itself from the Microsoft Download Center.
Filename             Description
krbv4w32.dll         Kerberos 4 library
krbcc32.dll          Kerberos credentials cache library -- required by Kerberos 4; used by Kerberos 5 for in-memory credentials cache
krbcc32s.exe         Kerberos credentials cache -- required by krbcc32.dll
kclnt32.dll          KClient library -- required by some Kerberos 4 applications (deprecated)
krb5_32.dll          Kerberos 5 library
krb524.dll           Kerberos 524 compatibility library
leashw32.dll         Exports Ticket Init and Change Password dialogs as well as registry get/set/reset functions for managing Leash configurations. (Used by third party applications.)
xpprof32.dll         Kerberos 5 Profile Management library (required by leashw32.dll)
comerr32.dll         Kerberos 5 Common Error Library (required by Kerberos 5 and Leash32.exe)
gssapi32.dll         GSS API for Kerberos 5
wshelp32.dll         Winsock helper used by various things
kinit.exe            command-line app to get Kerberos credentials
klist.exe            command-line app to list Kerberos credentials
kdestroy.exe         command-line app to destroy Kerberos credentials
k524init.exe         command-line app to get Kerberos 4 credentials using Kerberos 5 credentials instead of a password
ms2mit.exe           command-line app to transfer Microsoft Kerberos v5 domain credentials into the MIT Kerberos v5 credentials cache.
netidmgr.exe         Network Identity Manager main executable.
[filename missing from this page]   Provides information to Windows about which versions of libraries should be associated with netidmgr.exe.
krb4cred.dll         Kerberos 4 credentials provider plugin.
krb4cred_en_us.dll   English (US) language resources for the Kerberos 4 credentials provider.
krb5cred.dll         Kerberos 5 credentials provider and identity provider plugin.
krb5cred_en_us.dll   English (US) language resources for the Kerberos 5 credentials provider.
nidmgr32.dll         [description missing from this page]
It is recommended that all binaries be installed into a single directory in the user's PATH. Make sure that you do not have other Kerberos binaries in your PATH. The default location is "%ProgramFiles%\MIT\Kerberos\bin".
The simplest configuration is to put the krb5.ini, krb.con, and krbrealm.con configuration files in the Windows directory (or in the same directory as the Kerberos DLLs). The NSIS and WIX installers search for configuration files only in the Windows directory.
Kerberos 5 needs a single configuration file: krb5.ini. You can put it in the Windows directory; or you can put it in the same directory as the DLL; or you can point to an arbitrary file by setting the KRB5_CONFIG environment variable.
Kerberos 4 needs two configuration files, typically called krb.con and krbrealm.con. You can put these files in the same directory as the DLL and everything should work. You can also set KRB4_KRB.REALMS or KRB4_KRB.CONF to override each file. Or you can set KRB4_CONFIG to force Kerberos 4 to look for both files in a particular directory. If you do none of these, this is where Kerberos 4 will search:
(*) Note: If you put the files in the DLL's directory, this part of the search is what will take you there. If you have another config file earlier in the search, that will take precedence, so be careful.
IMPORTANT: The Network Identity Manager can be used to manage the Kerberos 5 and Kerberos 4 configuration files. NetIDMgr enforces a requirement that the Realm, KDC, and Realm/DNS mapping information is equivalent for both Kerberos 4 and Kerberos 5. If this is not true for your Realms, you should not use NetIDMgr to manage the configuration files. Instead use a text editor such as Notepad.
See the krb5.conf (MIT website) section in the Kerberos v5 System Administrator's Guide (MIT website).
It is anticipated that most sites using Kerberos version 4 on Windows also will have an existing UNIX Kerberos infrastructure. For that reason, the format of the krb.con is identical to the UNIX krb.conf and the format of krbrealm.con identical to the UNIX krb.realms. For many users, the easiest way to configure these files for use at their local sites will be to ftp the corresponding files from a local UNIX machine that is already properly configured.
The krb.con file contains configuration information describing the Kerberos realm and the Kerberos key distribution center (KDC) servers for known realms. krb.con contains the name of the local realm in the first line, followed by lines indicating realm/host entries. The first token is a realm name, and the second is a hostname of a host running a KDC for that realm. The words "admin server" following the hostname indicate that the host also provides an administrative database server which is contacted when changing a user's password. For example:
ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
If this were your krb.con file and you wanted to change the default local realm to CIT.CORNELL.EDU you would edit it to look like:
CIT.CORNELL.EDU
CIT.CORNELL.EDU kerberos.cit.cornell.edu admin server
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
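Parsing krb.con and making the default-realm change just shown, as an added example that is not part of KfW or MIT Kerberos. The sample file contents are the excerpt above; the class and function names (KrbCon, parse_krb_con, check, set_default_realm) are this example's own. The check() function catches the mistake the edit above is prone to: changing the first line to a new realm without also adding a KDC line for it, which leaves the client with a default realm it cannot contact.

```python
"""Parse a Kerberos 4 krb.con file, sanity-check it, and change its default realm.

Added example; not part of the KfW distribution. Format as described in the text:
line 1 = default realm, then '<realm> <kdc-host> [admin server]' lines, and
optional '.KERBEROS.OPTION. <opt>' lines (e.g. 'dns').
"""
from dataclasses import dataclass, field

# Constructed sample: the krb.con excerpt from the text.
SAMPLE_KRB_CON = """\
ATHENA.MIT.EDU
ATHENA.MIT.EDU kerberos.mit.edu admin server
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu admin server
"""


@dataclass
class KrbCon:
    default_realm: str                                  # "" means "determine via DNS"
    kdcs: dict = field(default_factory=dict)            # realm -> KDC hostnames, in file order
    admin_servers: dict = field(default_factory=dict)   # realm -> hosts flagged "admin server"
    options: list = field(default_factory=list)         # tokens from .KERBEROS.OPTION. lines


def parse_krb_con(text: str) -> KrbCon:
    lines = text.splitlines()
    if not lines:
        raise ValueError("krb.con is empty; the first line must hold the default realm")
    cfg = KrbCon(default_realm=lines[0].strip())
    for lineno, raw in enumerate(lines[1:], start=2):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == ".KERBEROS.OPTION.":
            cfg.options.extend(tokens[1:])
            continue
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: expected '<realm> <kdc-host> [admin server]'")
        realm, host = tokens[0], tokens[1]
        cfg.kdcs.setdefault(realm, []).append(host)
        if tokens[2:] == ["admin", "server"]:
            cfg.admin_servers.setdefault(realm, []).append(host)
        elif tokens[2:]:
            raise ValueError(f"line {lineno}: unexpected trailing tokens {tokens[2:]}")
    return cfg


def check(cfg: KrbCon) -> list:
    """Return human-readable problems; an empty list means the file is usable."""
    problems = []
    if cfg.default_realm and cfg.default_realm not in cfg.kdcs:
        problems.append(f"default realm {cfg.default_realm} has no KDC entry")
    for realm in cfg.kdcs:
        if realm not in cfg.admin_servers:
            problems.append(f"realm {realm} has no 'admin server'; password changes will fail")
    return problems


def set_default_realm(text: str, realm: str, kdc: str, admin: bool = True) -> str:
    """Rewrite krb.con so `realm` is the default; add its KDC line after line 1 if absent."""
    cfg = parse_krb_con(text)
    lines = text.splitlines()
    lines[0] = realm
    if kdc not in cfg.kdcs.get(realm, []):
        lines.insert(1, f"{realm} {kdc}" + (" admin server" if admin else ""))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    updated = set_default_realm(SAMPLE_KRB_CON, "CIT.CORNELL.EDU", "kerberos.cit.cornell.edu")
    print(updated)
    print("problems:", check(parse_krb_con(updated)) or "none")
```

Running the module prints the rewritten file, which is exactly the second listing above, and reports no problems; parsing a file where only the first line was changed reports the missing KDC entry for the new default realm.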
The krbrealm.con file is the host-to-Kerberos realm translation file. This provides a translation from a local hostname to the Kerberos realm name for the services provided by that host.
Each line of the translation file is in one of the following forms (domain_name should be of the form .XXX.YYY, e.g., .LCS.MIT.EDU):
host_name kerberos_realm
domain_name kerberos_realm
If a hostname exactly matches the host_name field in a line of the first form, the corresponding realm is the realm of the host. If a hostname does not match any host_name in the file, but its domain exactly matches the domain_name field in a line of the second form, the corresponding realm is the realm of the host.
If no translation entry applies, the host's realm is considered to be the hostname's domain portion converted to uppercase.
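The three-step translation rule just described (exact host match, then exact domain match, then the uppercased domain portion), as an added example that is not KfW's or MIT's code. The sample krbrealm.con is constructed for the example, and the matching follows the rule as this page states it: the domain must match a domain_name entry exactly, so a subdomain that has no entry of its own falls through to the uppercase fallback. That fallback is a guess derived from the DNS name rather than configured data, which is why the domains a site trusts are better listed explicitly.

```python
"""Host-to-realm translation as krbrealm.con describes it.

Added example; not part of KfW. Lines are '<host_name> <realm>' or
'<domain_name> <realm>' where domain_name starts with a dot.
"""

# Constructed sample krbrealm.con for this example.
SAMPLE_KRBREALM_CON = """\
kerberos.lcs.mit.edu LCS.MIT.EDU
.LCS.MIT.EDU LCS.MIT.EDU
.MIT.EDU ATHENA.MIT.EDU
"""


def parse_krbrealm_con(text: str):
    """Return (host_map, domain_map); keys are lower-cased because DNS names are case-insensitive."""
    hosts, domains = {}, {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        if len(tokens) != 2:
            raise ValueError(f"line {lineno}: expected '<host_name|domain_name> <kerberos_realm>'")
        name, realm = tokens
        if name.startswith("."):
            domains[name.lower()] = realm   # second form: .XXX.YYY kerberos_realm
        else:
            hosts[name.lower()] = realm     # first form: host_name kerberos_realm
    return hosts, domains


def host_to_realm(hostname: str, hosts: dict, domains: dict) -> str:
    """Apply the rule from the text; returns "" for an unqualified name with no domain portion."""
    h = hostname.lower().rstrip(".")
    # 1. exact host_name match
    if h in hosts:
        return hosts[h]
    if "." not in h:
        return ""
    # 2. the host's domain (leading dot kept, e.g. ".lcs.mit.edu") must match a domain_name exactly
    domain = h[h.index("."):]
    if domain in domains:
        return domains[domain]
    # 3. no entry applies: the domain portion converted to uppercase
    return domain[1:].upper()
```

host_to_realm("host.cs.mit.edu", ...) with the sample file returns "CS.MIT.EDU", not "ATHENA.MIT.EDU", because ".cs.mit.edu" has no entry and the rule does not walk up to ".MIT.EDU"; add an entry for every subdomain you want mapped.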
DNS lookups provide Kerberos the ability to determine the Kerberos Realm that a host belongs to and to find the servers associated with a given Realm by using the Domain Name Service instead of or in addition to local configuration files.
DNS lookups are used in either of these two circumstances:
1. No krb.con file is found for Kerberos 4, or no krb5.ini file is found for Kerberos 5.
2. The krb.con file or krb5.ini file contains a command to activate DNS lookups and the lookup cannot be answered by data found in the appropriate configuration file.
To activate DNS lookups for Kerberos 4 when the krb.con file is present, add the following line to the file as a realm-to-host entry (usually to the end):
.KERBEROS.OPTION. dns
When DNS lookups are used, the first line in the krb.con file (which would contain the default realm) may be left blank to indicate that the default realm should be determined by a DNS lookup.
To activate DNS lookups for Kerberos 5 when the krb5.ini file is present, place:
dns_lookup_kdc = true
dns_lookup_realm = true
into the [libdefaults] section.
If a "default_realm" entry is not provided, a DNS lookup will be performed to determine the default realm.
Host to realm lookups are performed using DNS TXT records. Example records are:
_kerberos.yclept.kermit.columbia.edu. IN TXT "KRB5.COLUMBIA.EDU"
_kerberos.columbia.edu. IN TXT "CC.COLUMBIA.EDU"
Realm to server lookups are performed using DNS SRV records. Example records are:
_kerberos._udp.KRB5.COLUMBIA.EDU. IN SRV 0 0 88 yclept.kermit.columbia.edu
_kerberos._tcp.KRB5.COLUMBIA.EDU. IN SRV 0 0 0 .
_krb524._udp.KRB5.COLUMBIA.EDU. IN SRV 0 0 4444 yclept.kermit.columbia.edu
_kerberos-iv._udp.KRB5.COLUMBIA.EDU. IN SRV 0 0 750 yclept.kermit.columbia.edu
_kerberos-adm._tcp.KRB5.COLUMBIA.EDU IN SRV 0 0 749 yclept.kermit.columbia.edu
_kpasswd.
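How a client turns a hostname into TXT queries and a realm into SRV queries, using the record shapes shown above, as an added example that is not KfW's or MIT krb5's code. The in-memory ZONE dict is a constructed stand-in for a resolver and holds the records quoted above plus a constructed EXAMPLE.TEST realm with several KDCs to show ordering; the choice to try _kerberos.<host> and then each parent domain, stopping short of the top-level label, and to order same-priority servers by descending weight rather than RFC 2782's weighted random choice, are this example's simplifications. Two points worth seeing in code: a lone SRV record whose target is "." (the _tcp record above) means the service is not offered, and the TXT answer that chooses the realm is plain, unauthenticated DNS data unless DNSSEC validates it, so static host-to-realm mappings in krb5.ini are the safer default and dns_lookup_realm is best enabled only where the zone is under your control.

```python
"""Which DNS records Kerberos consults for host-to-realm and realm-to-server lookups.

Added example; not part of KfW or MIT krb5. ZONE is a constructed, in-memory
substitute for a resolver: owner name -> list of (type, rdata). SRV rdata is
(priority, weight, port, target) as in the zone lines above.
"""

ZONE = {
    # TXT and SRV records quoted in the text
    "_kerberos.yclept.kermit.columbia.edu.": [("TXT", "KRB5.COLUMBIA.EDU")],
    "_kerberos.columbia.edu.": [("TXT", "CC.COLUMBIA.EDU")],
    "_kerberos._udp.KRB5.COLUMBIA.EDU.": [("SRV", (0, 0, 88, "yclept.kermit.columbia.edu"))],
    "_kerberos._tcp.KRB5.COLUMBIA.EDU.": [("SRV", (0, 0, 0, "."))],
    "_krb524._udp.KRB5.COLUMBIA.EDU.": [("SRV", (0, 0, 4444, "yclept.kermit.columbia.edu"))],
    "_kerberos-adm._tcp.KRB5.COLUMBIA.EDU.": [("SRV", (0, 0, 749, "yclept.kermit.columbia.edu"))],
    # constructed realm with several KDCs, to show priority/weight ordering
    "_kerberos._udp.EXAMPLE.TEST.": [
        ("SRV", (10, 0, 88, "kdc-backup.example.test")),
        ("SRV", (0, 20, 88, "kdc1.example.test")),
        ("SRV", (0, 80, 88, "kdc2.example.test")),
    ],
}


def resolve(zone: dict, name: str, rtype: str) -> list:
    """Case-insensitive lookup in the constructed zone (DNS names are case-insensitive)."""
    for owner, records in zone.items():
        if owner.lower() == name.lower():
            return [rdata for t, rdata in records if t == rtype]
    return []


def txt_query_names(hostname: str) -> list:
    """Host-to-realm: _kerberos.<host>, then each parent domain, stopping before the TLD."""
    labels = hostname.rstrip(".").lower().split(".")
    return [f"_kerberos.{'.'.join(labels[i:])}." for i in range(len(labels) - 1)]


def realm_of_host(zone: dict, hostname: str):
    """Return the first TXT answer found, or None if DNS says nothing (fall back to local config)."""
    for qname in txt_query_names(hostname):
        answers = resolve(zone, qname, "TXT")
        if answers:
            return answers[0]
    return None


def servers_for_realm(zone: dict, realm: str, service: str = "_kerberos", proto: str = "_udp") -> list:
    """Realm-to-server via SRV: [(host, port)] by ascending priority, then descending weight.

    A single record with target "." means the service is not available (RFC 2782);
    that is what the _tcp record above declares for KRB5.COLUMBIA.EDU.
    """
    qname = f"{service}.{proto}.{realm.rstrip('.')}."
    records = resolve(zone, qname, "SRV")
    if len(records) == 1 and records[0][3] == ".":
        return []
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _prio, _weight, port, target in ordered]


if __name__ == "__main__":
    host = "yclept.kermit.columbia.edu"
    print("TXT names tried:", txt_query_names(host))
    realm = realm_of_host(ZONE, host)
    print("realm:", realm)
    print("KDCs (udp):", servers_for_realm(ZONE, realm))
    print("KDCs (tcp):", servers_for_realm(ZONE, realm, proto="_tcp"))
    print("admin server:", servers_for_realm(ZONE, realm, service="_kerberos-adm", proto="_tcp"))
```

With the records above, the host resolves to KRB5.COLUMBIA.EDU via the first TXT name, any host under columbia.edu without a more specific record resolves to CC.COLUMBIA.EDU, the UDP KDC list is yclept.kermit.columbia.edu:88, the TCP list is empty, and the kadmin server is port 749 on the same host.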