[OpenAFS] Kerberos for Windows

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 22 Nov 2010 15:25:39 -0500


On 11/22/2010 2:40 PM, Rick Cochran wrote:
> I have just heard that KfW is not being actively maintained.  Is this t=
> If so, what implications does it have for OpenAFS?
> -Rick

It is true that MIT has not maintained Kerberos for Windows.  There is
an alpha of 3.2.3 from a year and a half ago, but there has been no
active work on support for Windows 7 and Server 2008, and none of the
current source trees build on Windows (1.8, 1.9, ...).

Secure Endpoints has been supporting KFW for the last three years for
our support customers.  Private builds containing security fixes and
Windows 7 compatibility have been delivered to those sites.  Since we
cannot count on MIT, Secure Endpoints began a project nearly two years
ago to port Heimdal to Windows.  This work was announced at the AFS and
Kerberos Conference in Pilsen, CZ in September.

See my presentations at


and Love Hörnquist Astrand's presentation


In the coming weeks Secure Endpoints will be announcing that Heimdal on
Windows is available for download.  There will be several components:

 1. A Heimdal side-by-side assembly that provides the core GSS-API
    and Heimdal Kerberos v5 functionality.

 2. A set of command line tools that incorporate the command line
    functionality of both MIT Kerberos and Heimdal.

 3. A set of plug-ins to Heimdal that support the MSLSA and MIT API
    credential caches.

 4. A compatibility SDK that applications can be built against which
    permit those applications to work with either Heimdal or KFW 3.2.2
    or KFW 2.6.5 depending on what is installed on the machine.  The
    Heimdal side-by-side assembly will be preferred.

 5. A set of KFW compatible shim libraries that permit applications
    compiled against KFW to work with the Heimdal assembly.

In addition, Secure Endpoints will announce an update to Network Identity
Manager and the KCA provider that makes use of the compatibility SDK.

A patch for OpenAFS that makes use of the compatibility SDK is available
in gerrit.openafs.org.


Although Secure Endpoints will make downloads of these packages
available for free, Secure Endpoints will also make available a pay to
use update service.  This update service will permit individuals and
organizations to ensure that all of their machines have the best version
of Heimdal, Network Identity Manager, and OpenAFS installed on their

What are the implications for OpenAFS?

Over the course of the next year OpenAFS will be making progress on the
version 2.0 release which contains the rxgk security class.  This
security class will bring to OpenAFS GSS-API authentication and AES
encryption.  In order to make use of this functionality a GSS-API
implementation on Windows that supports the GSS PRF will be required.
The Heimdal distribution will satisfy that requirement.  Therefore,
sites that wish to deploy stronger authentication and encryption should
begin to make migration plans to convert their users from MIT Kerberos
to Heimdal in the coming year.

For sites that wish to continue using MIT Kerberos, OpenAFS will
continue to work with it.  Of course, Heimdal and MIT Kerberos can be
deployed side-by-side during the transition.

Jeffrey Altman
