The Programmer's Guide to MIT Kerberos V4 for DOS, Windows, and OS/2, and soon to be NT.

by Chris Shabsin <shabby@mit.edu> and pbh@mit.edu

last modified: 11 April, 1995


Table of Contents


Introduction

MIT Kerberos V4 for DOS, Windows, and OS/2 is significantly different from the Kerberos V4 distribution for Unix-based systems. Many changes have been made for the new platform's different capabilities/restrictions, and this document is meant as an aid for developers using this library and the sources.


Obtaining more information

Questions specific to the MIT implementations for DOS, Windows, OS/2 and NT can be sent to pckerberos@mit.edu. To subscribe to the mailing list, send mail to pckerberos-request@mit.edu. An archive of the mailing list is maintained with discuss. The 2nd transaction of the meeting shows where we were in April of '94.

For more general information on Kerberos you can obtain some papers from ACS's virtual documentation rack. The Leash help file for MS Windows also provides similar information.

There is also a news group about Kerberos. Its FAQ contains the answers to a lot of questions. There is also an archive of the MIT Kerberos mailing list that dates back to 1987.

Finally, you may be interested in general security issues not specific to Kerberos.


ITAR Restrictions


Building

We used the Microsoft Visual C++ 1.0 compiler to compile Kerberos under DOS and Windows, but it will also work with MSC 7.0 (with the known bugfix patches installed) and MSVC++ 1.5. Under OS/2 we used IBM's C/Set++ FirstStep compiler. In this section, \KRB will be used to refer to the top directory of the kerberos tree, as unzipped from the KRBV4MIT.ZIP archive file.

We do not currently have a version that is native to Windows NT but we expect to start work on this shortly.

Not all of the code required to build the distribution is contained in the KRBV4MIT.ZIP file. The Kerberos distribution uses some code that is common to a number of other projects from MIT's DOSDEV team. The other source from DOSDEV is available on

Building DES

The first step in building the Kerberos libraries is building DES. If you already have working DES libraries or are attempting to build Kerberos without encryption, you may skip this section.

To build DES for any of the supported operating systems, the steps to follow are pretty much the same. At the DOS or OS/2 prompt, change directory to \KRB\LIB\DES and type

NMAKE /F DESos.MAK,

where os depends on the operating system you are building for.

Values for os

DOS
Use this makefile to generate DES.LIB, the large memory model version of DES for static linking with DOS programs. To build the DES libraries for other memory models, use the command
NMAKE /F DESDOS.MAK MODEL=S

In this example, the library is built in the small memory model. Also available is the DEBUG=1 command line option, to build the library with debug information included.

WIN
Use this makefile to generate WDES.LIB, the large model statically linked version of DES with Windows support code. This library is typically only statically linked into the KRBV4WIN.DLL library and called through that. The MODEL and DEBUG command line options from the DOS makefile are also available in this makefile.

OS2
Use this makefile to generate DESOS2.LIB, the statically linked OS/2 version of the DES library. This library is typically only statically linked into the KRBV4OS2.DLL library and called through that. The DEBUG command line option from the DOS and Windows makefiles is also supported in this makefile.

There are also pseudotargets defined in the makefiles to perform certain actions. If you attempt to make the target "clean" it should clean the directory of object files and other files created by the process of building the DES libraries.

Building Kerberos


Installation

To install the end user files there are several things that you must do. The first is to install the KRB.CON and KRBREALM.CON files in your C:\NET\KERB directory. If you don't like this setup, take a look at the Site Customizations section of this document.

The next step is to decide what method you wish to use to store your Kerberos tickets. There are two methods available to you if you are using DOS and Windows. If you are using OS/2 or Windows/NT then you only have one choice.

If you are using DOS and Windows then we recommend that you run the program KERBMEM.EXE before using any Kerberized applications. Usually this should be run in your autoexec.bat file. The use of kerbmem is especially recommended if your computer is not physically secure from other users. On the MIT campus users should always assume that their computer is not physically secure.

Kerbmem is a small TSR program which reserves 1K of memory for ticket storage by default. By using Kerbmem, your tickets will never be stored on the local disk. If you reboot your machine without destroying your tickets, no other user will be able to recover your tickets no matter what disk recovery tools they may have access to.

Kerbmem has a few command line arguments.

If you do not use Kerbmem then Kerberized applications will store the Kerberos tickets in a normal file. This is the same as most UNIX implementations but is less secure since DOS and Windows do not require a user to log into the computer to gain access to the local file system.

By default the tickets will be stored in ?:\temp\? unless an environment variable, KRBTKTFILE, is set. Users may set the environment variable for multiple simultaneous ticket storage. This is the same behavior as most UNIX implementations.


Site Customizations

Our normal installation assumes a default directory structure on the C: drive. We assume that the directory \net\kerb exists. This can be overridden by setting an environment variable, NDIR.

Let's assume that you want your Kerberos configuration information installed on drive D and you have a directory on D named \etc. Then you would put the following line in your autoexec.bat file or some other file that initializes the network on your PC.

SET NDIR=D:\etc

This assumes that you have a directory named kerb under the \etc directory. In this directory you should place the KRB.CON and KRBREALM.CON files. These files should be copies of the \etc\krb.conf and \etc\krbrealm.conf files that are installed on your local UNIX workstations. Your local system administrator should be able to help you with this.
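To make the directory lookup described in the Installation and Site Customizations sections concrete, here is an added Python example. It is not code from this guide or from the MIT distribution. It resolves the configuration directory from the NDIR environment variable (assuming the default of C:\NET, so that the default directory is C:\NET\KERB), reports which of KRB.CON and KRBREALM.CON are missing, and parses the two files. The file formats are an assumption taken from the Unix krb.conf and krb.realms files the guide says these are copied from: the first line of KRB.CON names the local realm and later lines read "REALM kdc-host [admin server]"; KRBREALM.CON holds "domain-or-host REALM" pairs. The realm and host names in the sample files are constructed.

```python
"""Resolve and validate the PC Kerberos V4 configuration directory.

Added example; not part of the MIT Kerberos V4 PC distribution.
Assumptions: NDIR defaults to C:\\NET (config dir %NDIR%\\kerb), and
KRB.CON / KRBREALM.CON use the Unix krb.conf / krb.realms formats.
"""
import os
import tempfile
from typing import Dict, List, Tuple

DEFAULT_NDIR = r"C:\NET"       # guide's default layout: \net\kerb on C:
CONFIG_SUBDIR = "kerb"
REQUIRED_FILES = ("KRB.CON", "KRBREALM.CON")


def config_dir(env: Dict[str, str]) -> str:
    """Directory that holds KRB.CON and KRBREALM.CON: %NDIR%\\kerb."""
    return os.path.join(env.get("NDIR", DEFAULT_NDIR), CONFIG_SUBDIR)


def missing_files(cfg_dir: str) -> List[str]:
    """Required configuration files absent from cfg_dir, in fixed order."""
    return [f for f in REQUIRED_FILES
            if not os.path.isfile(os.path.join(cfg_dir, f))]


def parse_krb_con(text: str) -> Tuple[str, List[Tuple[str, str, bool]]]:
    """First line: local realm. Then 'REALM host [admin server]' lines.
    Returns (local_realm, [(realm, host, is_admin_server), ...])."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines:
        raise ValueError("KRB.CON is empty: no local realm")
    local_realm = lines[0].split()[0]
    servers = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) < 2:
            raise ValueError(f"malformed KRB.CON line: {ln!r}")
        is_admin = len(parts) >= 3 and parts[2].lower() == "admin"
        servers.append((parts[0], parts[1], is_admin))
    return local_realm, servers


def parse_krbrealm_con(text: str) -> Dict[str, str]:
    """'domain-or-host REALM' pairs; keys are lower-cased for lookup."""
    mapping: Dict[str, str] = {}
    for ln in text.splitlines():
        parts = ln.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2:
            raise ValueError(f"malformed KRBREALM.CON line: {ln!r}")
        mapping[parts[0].lower()] = parts[1]
    return mapping


def realm_for_host(host: str, mapping: Dict[str, str], local_realm: str) -> str:
    """Exact host match first, then '.domain' suffixes, else the local realm."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return local_realm


def check_site(env: Dict[str, str]) -> Dict[str, object]:
    """Validate the configuration a Kerberized PC application would find."""
    cfg = config_dir(env)
    missing = missing_files(cfg)
    if missing:
        return {"dir": cfg, "ok": False, "missing": missing}
    with open(os.path.join(cfg, "KRB.CON")) as f:
        local_realm, servers = parse_krb_con(f.read())
    with open(os.path.join(cfg, "KRBREALM.CON")) as f:
        realms = parse_krbrealm_con(f.read())
    return {"dir": cfg, "ok": True, "missing": [], "local_realm": local_realm,
            "servers": servers, "realm_map": realms}


def demo_site() -> Dict[str, object]:
    """Build a constructed site (a stand-in for SET NDIR=D:\\etc) and check it."""
    ndir = os.path.join(tempfile.mkdtemp(), "etc")
    os.makedirs(os.path.join(ndir, CONFIG_SUBDIR))
    # Constructed sample contents; realm and host names are illustrative.
    krb_con = ("EXAMPLE.REALM\n"
               "EXAMPLE.REALM kdc1.example.test admin server\n"
               "EXAMPLE.REALM kdc2.example.test\n")
    krbrealm_con = ".example.test EXAMPLE.REALM\nhost.other.test OTHER.REALM\n"
    with open(os.path.join(ndir, CONFIG_SUBDIR, "KRB.CON"), "w") as f:
        f.write(krb_con)
    with open(os.path.join(ndir, CONFIG_SUBDIR, "KRBREALM.CON"), "w") as f:
        f.write(krbrealm_con)
    return check_site({"NDIR": ndir})


if __name__ == "__main__":
    print(check_site(dict(os.environ)))   # what this PC's environment yields
    print(demo_site())                    # the constructed sample site
```

Running the script with no NDIR set reports both files missing under C:\NET\kerb on a machine without the default layout; with SET NDIR=D:\etc in effect it looks in D:\etc\kerb instead, which is the behaviour the section above describes.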


Programming


Other APIs available for Kerberos


Kerberized Applications


Obtaining Source and Binaries


What about Kerberos version 5 and DCE security?


Chris Shabsin <shabby@mit.edu>