Kerberos for Windows Release 4.1
The MIT Kerberos Team is happy to announce the availability of
the kfw-4.1 release. The KfW 4.1 series of releases is based on
the MIT krb5 1.13 series of releases, modernizing the support
relative to the KfW 4.0 series, which was based on the MIT krb5
1.10 series.
KfW 4.1 is distributed as a Windows Installer MSI file, with both
64-bit and 32-bit installers available. The MSI installer has been
digitally signed by MIT.
KfW has been tested on Windows 7 and Windows 10, and is
believed to work on current Windows Server releases.
DES transition
The Data Encryption Standard (DES) is widely recognized as
weak. Just as the Unix krb5 releases have had measures to encourage
sites to migrate away from single-DES cryptosystems since the krb5 1.7
release, KfW 4.1 has a configuration variable that enables "weak"
enctypes, defaulting to "false".
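
A check for the setting described above, as an added example that is not part of the release notes or MIT's code. It assumes the configuration variable is the krb5 `allow_weak_crypto` relation in `[libdefaults]` of krb5.ini, reads only top-level relations of that section, and uses hypothetical function names with a constructed sample file.

```python
import re

# Single-DES enctype names, plus the "des" family alias, from the MIT krb5 documentation.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # spellings the profile reads as true


def libdefaults_relations(text):
    """Yield (line_number, name, value) for top-level relations in [libdefaults]."""
    section, depth = None, 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if depth == 0 and line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)     # end of a subsection
            continue
        name, sep, value = (part.strip() for part in line.partition("="))
        if value.startswith("{"):
            depth += 1                    # start of a subsection; its body is skipped
            continue
        if sep and section == "libdefaults" and depth == 0:
            yield number, name, value


def weak_crypto_findings(text):
    """Return (line, name, value) for settings that enable or list single-DES.

    A token with a leading "-" removes an enctype from a list, so it is ignored.
    """
    findings = []
    for number, name, value in libdefaults_relations(text):
        if name == "allow_weak_crypto" and value.lower() in TRUE_WORDS:
            findings.append((number, name, value))
        elif name in ENCTYPE_KEYS:
            for token in re.split(r"[\s,]+", value.lower()):
                if not token.startswith("-") and token in SINGLE_DES:
                    findings.append((number, name, token))
    return findings


# Constructed sample krb5.ini content, not taken from a real site.
SAMPLE = """[libdefaults]
allow_weak_crypto = true
permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
default_tgs_enctypes = DEFAULT -des
"""
```

Calling `weak_crypto_findings(SAMPLE)` reports the `allow_weak_crypto` line and the `des-cbc-crc` entry; an empty result means neither the switch nor a single-DES enctype is present at the top level of `[libdefaults]`.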
Major changes in 4.1
- Developer experience:
  - KfW now uses the UI compiler uicc.exe to support the
    transition from the MFC ribbon to a native Windows ribbon.
    The uicc.exe found in Visual Studio 2010 is insufficient;
    Service Pack 1 is required.
- Administrator experience:
  - The default realm for KfW can be set in the registry; this
    setting takes precedence over the default realm set in krb5.ini.
- End-user experience:
  - ms2mit.exe behavior has changed to improve the MSLSA:
    cache experience for UAC-restricted login sessions on an
    AD domain that runs ms2mit.exe in login scripts:
    - If the TGT is accessible in the LSA ccache, copy the
      LSA ccache to the API ccache.
    - Set the registry key for the default ccname to
      "API:" if the copy occurred, or to "MSLSA:" if it
      didn't occur.
  - The support for the MSLSA: cache type has been greatly
    improved, making better use of the native LSA operations.
    This should improve the user experience at elevated UAC levels.
  - The Ribbon interface has been switched from the MFC
    to the native implementation, improving accessibility for
    screen-reading software.
  - Registry entries are set for the KdcNames of certain
    Kerberos realms; such entries are needed for the LSA to
    retrieve tickets from non-AD realms.
  - A message is displayed on successful password change.
  - A new display column is available (disabled by default)
    that shows the name of the credential cache containing the
    ticket in question.
- Updates from the 1.11, 1.12, and 1.13 krb5 release notes
are also applicable here.
The built-in HTML Help from KfW 4.1 is also available online.
Installers for Kerberos for Windows Release 4.1 are available
here.
$Id: kfw-4.1.html,v 1.7 2020/08/21 04:25:48 ghudson Exp $