6 ----------------------------------------------------------------------
12 1.2 Authoring a Transform
13 2. Configuration Options
14 2.1 Configurable Properties
15 2.1.1 Setting Properties
16 2.1.2 Leash GUI Properties
17 2.1.3 Leash DLL Properties
18 2.1.4 Kerberos IV Properties
19 2.1.5 Kerberos V Properties
20 2.2 Existing Registry Entries
21 2.3 Replacing Configuration Files
22 3. Network Identity Manager Settings
23 3.1 Common Settings for NetIDMgr
24 3.1.1 General Settings
25 3.1.2 Common Plug-in Settings
26 3.1.3 Settings for the Kerberos 5 Credentials Provider Plug-in
27 3.1.4 Settings for the kerberos 4 Credentials Provider Plug-in
28 4. Additional Resources
32 ----------------------------------------------------------------------
36 Beginning with "Kerberos for Windows" version 2.6.5, a MSI installer
37 option is available for those who wish to use "Windows Installer"
38 for installing Kerberos and for organizations that wish to deploy
39 Kerberos through Group Policy.
41 This document provides a guide for authoring transforms used to
42 customize the MSI package for a particular organization. Although
43 many settings can be deployed via transforms, in an Active
44 Directory environment it is advisable to deploy registry settings
45 and configuration files through group policy and/or startup
46 scripts so that machines where "Kerberos for Windows" is already
47 installed will pick up these customizations.
51 The information in this document applies to MSI packages
52 distributed with "Kerberos for Windows" releases from 2.6.5 and
53 onwards or MSI packages built from corresponding source
54 releases. Not all releases support all the configuration options
57 Authoring a "Windows Installer" transform requires additional
58 software for editing the MSI database tables and generating the
59 transform from the modified MSI package. ORCA.EXE and MSITRAN.EXE
60 which are included in the Windows Platform SDK ("Windows Installer"
61 SDK) can be used for this purpose.
63 For reference, the schema for the MSI package is based on
64 SCHEMA.MSI distributed with the Platform SDK.
66 For general information about "Windows Installer", refer to :
68 http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp
70 For general information about authoring MSI transforms, refer to :
72 http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp
74 The remainder of this document assumes some familiarity with
75 authoring transforms. While the MSDN documentation for Windows
76 Installer is a bit dense, it is recommended that you read through
77 the guide on MSI transforms found at the second link above. Also
78 MSDN includes a step-by-step example for creating a transform at:
80 http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp
82 1.2 Authoring a Transform
84 Transforms describe a set of modifications to be performed on an
85 existing MSI for the purpose of customizing it. This is
86 ordinarily done by making a copy of the MSI to be customized,
87 modifying the copy and then using the old and the new MSI to
91 > copy kfw.msi kfw-modified.msi
93 (edit the kfw-modified.msi to include the necessary changes)
95 > msitran -g kfw.msi kfw-modified.msi kfw-transform.mst
97 (generates kfw-transform.mst, which is the transform)
99 Transforms have an extension of .mst. 'msitran' is a tool
100 distributed as part of the "Windows Installer" SDK (which in turn is
101 a part of the Windows Platform SDK).
103 You can test a transform by :
105 > copy kfw.msi kfw-test.msi
106 > msitran -a kfw-transform.mst kfw-test.msi
108 and then checking the resulting kfw-test.msi to see if all the
109 changes you have made above to kfw-modified.msi is present in
110 kfw-test.msi. 'msitran' will complain if some modification in the
111 transform can not be successfully applied.
113 As mentioned above, you can use a tool like ORCA.EXE to edit the
114 MSI databases directly when editing kfw-modified.msi. More
115 details are given below.
117 ----------------------------------------------------------------------
119 2. Configuration Options
121 The logic necessary to implement all of the settings described in
122 the release notes are present in the MSI. Most of these can be
123 controlled by setting the corresponding properties to the desired
124 value. Some settings may require modifying existing registry
125 entries (though not recommended) or adding new resources (like
126 files or registry keys). Instructions for performing these tasks
129 2.1 Configurable Properties
131 Most configurable properties correspond to registry keys or
132 values. Please refer to the release notes for more information
133 about how these registry settings are used.
135 Due to the logic invoked based on the existence of these registry
136 keys or values, they are only set if the associated property is
137 defined to have a non null value. If the associated property is
138 not defined in the MSI, the registry key or value will not be
139 touched. By default, the MSI does not contain these properties
140 and hence will not set the registry keys. You will need to add
141 properties as needed to the MSI.
143 When one of the configurable properties is set, the installer will
144 use the property value to set the corresponding setting in the
145 HKEY_LOCAL_MACHINE registry hive. HKEY_CURRENT_USER hive is not
146 touched by the installer.
148 For each property, the associated registry setting is referenced
149 by the same text used in the release notes ('Registry and
150 Environment Settings' section).
152 Strings are quoted using single quotes (e.g. 'a string'). An empty
153 string is denoted as ''. Note that you can't author null values
154 into the 'Property' table.
156 Numeric values should be authored as decimal strings.
158 2.1.1 Setting Properties
160 In order to set a property,
162 a. Open the MSI in ORCA.EXE
164 b. Select the 'Property' table from the list of tables on the left.
166 c. Find the property in the list of properties on the right,
167 double click the value and type the new value.
169 d. If the property does not exist in the property list, right
170 click the list and select 'Add Row', type the property name
171 and the desired value.
173 2.1.2 Leash GUI properties
175 LEASHCREATEMISSINGCONFIG
176 Setting: automatic generation of missing configuration files
179 LEASHAUTORENEWTICKETS
180 Setting: automatic ticket renewal
184 Setting: automatic importation of MSLSA credentials
185 Values : '0', '1' or '2'
187 2.1.3 Leash32 DLL properties
190 Setting: default lifetime (minutes)
194 Setting: default renew till time (minutes)
198 Setting: default renewable tickets setting
202 Setting: default forwardable tickets setting
206 Setting: default addressless tickets setting
210 Setting: default proxiable tickets setting
214 Setting: default public ipv4 address
217 LEASHHIDEKINITOPTIONS
218 Setting: hide advanced kinit options in dialog
222 Setting: minimum kinit dialog lifetime
226 Setting: maximum kinit dialog lifetime
230 Setting: minimum kinit dialog renew till time
234 Setting: maximum kinit dialog renew till time
238 Setting: upper case realm
242 Setting: timesync host
245 LEASHPRESERVEKINITOPTIONS
246 Setting: Preserve ticket initialization dialog options
249 2.1.4 Kerberos 5 properties
252 Setting: location of krb5.ini
256 Setting: Default credentials cache name
260 Setting: MSLSA: credential cache client principal identity generation
263 2.2 Existing Registry Entries
265 You can change existing registry values subject to the
266 restrictions mentioned in the Windows Platform SDK. Pay special
267 attention to component keypaths and try to only change the 'Value'
268 column in the 'Registry' table. If you want to add additional
269 registry keys please refer to section 3 (Additional Resources).
271 2.3 Replacing Configuration Files
273 The Kerberos configuration files (krb5.ini, krb.con, krbrealm.con)
274 can be replaced by your own configuration files. These files are
275 contained in separate MSI components so that you can disable them
278 The recommended method for replacing these files is to first
279 disable the components containing the configuration files that you
280 want to replace, and then add new components for the replacement
281 files. This is outlined below (assuming you are using ORCA.EXE to
282 author the transform).
284 Note that transforms are not a good way to add a new file as an
285 embedded stream. The method outlined here places the file in the
286 same directory as the MSI for deployment.
288 The walkthrough below is to add a custom 'krb5.ini' file.
290 1) Disable the component that contains the configuration file that
293 1.1) Locate and select the 'Component' table in the 'Tables'
296 1.2) In the Component table, locate the component you need to
297 change ( Ctrl-F invokes the 'Find' dialog). The component
298 names are listed below in section 2.3.1. For this
299 example, the component name is 'cmf_krb5_ini'.
301 1.3) Go to the 'Condition' column of the component.
303 1.4) Enter a condition that evaluates to
304 false. I.e. 'DONOTINSTALL'. (Note that an undefined
305 property always evaluates to false).
307 Note that you can also use this step to disable other
308 configuration files without providing replacements.
310 2) Add a new component containing the new configuration file.
312 2.1) Select the 'Component' table in the 'Tables' list.
314 2.2) Select 'Tables'->'Add Row' (Ctrl-R).
316 2.3) Enter the following :
318 Component : cmf_my_krb5_ini
319 ComponentId : {835BAAC6-5E54-BFFE-DBCB2F240711}
320 Directory_ : WindowsFolder
323 KeyPath : fil_my_krb5_ini
325 Note that the ComponentId is an uppercase GUID. You can
326 generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of
327 which are included in the Platform SDK.
329 The Attributes value of 144 is a sum of
330 msidbComponentAttributesPermanent (16) and
331 msidbComponentAttributesNeverOverwrite (128). This
332 ensures that local modifications are not overwritten or
333 lost during an installation or uninstallation. These are
334 the same settings used on the default configuration files.
336 'fil_my_krb5_ini' is a key into the 'File' table which we
339 3) Add a new feature to hold the new component.
341 3.1) Select the 'Feature' table.
343 3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the
346 Feature : fea_my_krb5_ini
347 Feature_Parent: feaKfwClient
355 It is important to create the new feature under the
356 'feaKfwClient' feature, which will ensure that the
357 configuration file will be installed when the client
358 binaries are installed.
360 Setting 'Display' to 0 will hide this feature from the
361 feature selection dialog during an interactive
362 installation. A value of 30 for 'Level' allows this
363 feature to be installed by default (on a 'Typical'
366 The 'Attributes' value is
367 msidbFeatureAttributesDisallowAdvertise (8), which is set
368 on all features in the KfW MSI. The KfW MSI is not
369 designed for an advertised installation.
371 4) Join the component and the feature.
373 4.1) Select the 'FeatureComponents' table.
375 4.2) Add a new row with the following values:
377 Feature : fea_my_krb5_ini
378 Component : cmf_my_krb5_ini
380 5) Add an entry to the 'File' table.
382 5.1) Select the 'File' table.
384 5.2) Add a new row with the following values:
386 File : fil_my_krb5_ini
387 Component_ : cmf_my_krb5_ini
389 FileSize : (enter file size here)
393 (leave other fields blank)
395 The 'Attributes' value is msidbFileAttributesNonCompressed
396 (8192). This is because we will be placing this file in
397 the same directory as the MSI instead of embedding the
398 file in it. Transforms do not support updating compressed
399 sources or adding new cabinet streams.
401 Finally, the 'Sequence' value of 1000 will be used later
402 to distinguish the file as being in a separate source
403 location than the other files in the MSI.
405 6) Set a media source for the file.
407 6.1) Select the 'Media' table.
409 6.2) Add a row with the following values :
414 (leave other fields blank)
416 The sequence number of 1000 designates this as the media
417 source for the newly added file.
419 2.3.1 Components for Configuration Files
421 krb5.ini : 'cmf_krb5_ini' (ID {C1AF0670-BBF1-4AA6-B2A6-6C8B1584A1F4})
422 krb.con : 'cmf_krb_con' (ID {5391A051-CF14-45FF-BF64-CEE78A7A90C2})
423 krbrealm.con: 'cmf_krbrealm_con' (ID {D667B54F-1C98-43FB-87C6-0F0517623B90})
425 ----------------------------------------------------------------------
427 3. Network Identity Manager Settings
429 Configuration options for Network Identity Manager (NetIDMgr) are
430 stored in the Windows registry. Each option can exist in the user
431 registry hive or the machine registry hive or both. The value
432 defined in the user hive always overrides the value defined in the
433 machine registry hive.
435 All registry keys used by NetIDMgr exist under the key
436 'Software\MIT\NetIDMgr' under the user and machine hive.
437 Deploying a specific configuration option can be achieved by
438 setting the corresponding registry value either by authoring the
439 keys into the MSI via a transform or by deploying a registry based
440 Group Policy Object. For deployment purposes, it is advisable to
441 deploy values to the machine hive instead of the user hive.
442 Deploying per user settings via the MSI is not supported at this
445 3.1 Common settings for NetIDMgr
447 The following sections describe a partial list of options that can
448 be specified for NetIDMgr. Each set of options is described as a
449 set of registry values. Each section is preceded by the registry
450 key under which the values of that section must be specified.
452 3.1.1 General settings
454 Registry key : 'Software\MIT\NetIDMgr\CredWindow'
457 Value : AllowAutoRenew
458 Type : DWORD (Boolean)
461 Enables automatic credential renewal.
464 Value : AllowCritical
465 Type : DWORD (Boolean)
468 Enables critical warning notifications.
472 Type : DWORD (Boolean)
475 Enables warning notifications.
478 Value : AutoDetectNet
479 Type : DWORD (0 or 1)
482 If '1', automatically detects network connectivity changes.
483 Network connectivity change notifications are then sent out to
484 individual plug-ins which can perform actions such as renewing
485 credentials or obtaining new credentials.
489 Type : DWORD (0 or 1)
492 If '1', imports credentials from the Windows LSA cache when
497 Type : DWORD (0 or 1)
500 If this value is '1', shows the new credentials dialog if
501 there are no credentials when NetIDMgr starts.
505 Type : DWORD (0 or 1)
508 Start NetIDMgr when Windows starts
511 Value : AutoRenewThreshold
512 Type : DWORD (seconds)
515 Specifies the time period before credential expiration that will
516 trigger a credential renewal. Requires AllowAutoRenew to be enabled.
519 Value : CriticalThreshold
520 Type : DWORD (seconds)
523 Specifies the time period before credential expiration that will
524 trigger the second and final warning balloon. Requires AllowCritical
528 Value : DefaultAllowAutoRenew
529 Type : DWORD (Boolean)
532 Specifies the Default AllowAutoRenew value for new identities.
535 Value : DefaultSticky
536 Type : DWORD (0 or 1)
539 If '0', new identities will not be pinned to the display by default.
540 If '1', new identities will be pinned to the display by default.
543 Value : DefaultWindowMode
544 Type : DWORD (0 or 1)
547 If '0', Advanced mode is used
548 If '1', Basic mode is used
550 Value : DestroyCredsOnExit
551 Type : DWORD (0 or 1)
554 If '1', all credentials will be destroyed when NetIDMgr exits.
557 Type : DWORD (0 or 1)
560 If '1', when NetIDMgr application is closed, it will continue
561 to run in the Windows System Notification Area (System Tray).
562 The application can be exited by choosing the 'Exit' menu
563 option. If '0', closing the application will cause it to
567 Type : DWORD (0 or 1)
570 If '1', debugging information is logged to %TEMP%\nidmdbg.log
573 Value : NotificationAction
574 Type : DWORD (50008 or 50025)
577 If '50025', the default notification icon menu action will be to
578 Show the Network Identity Manager application windows.
579 If '50008', the default notification icon menu action will be to
580 display the Obtain New Credentials dialog.
583 Value : RefreshTimeout
584 Type : DWORD (seconds)
587 Specifies how often the credential list is refreshed.
590 Value : RenewAtHalfLife
591 Type : DWORD (Boolean)
594 Enables the use of a half-life algorithm for credential renewals.
597 Value : WarnThreshold
598 Type : DWORD (seconds)
601 Specifies the time period before credential expiration that will
602 trigger the first warning balloon. Requires AllowWarn to be enabled.
605 3.1.2 Common Plug-in settings
607 Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\<plug-in name>'
610 The '<plug-in name>' is one of the following for the standard plug-ins :
612 Krb5Cred : Kerberos 5 credentials provider
613 Krb5Ident: Kerberos 5 Identity provider
615 Consult the vendors for the plug-in names of other third party
616 plug-ins. Additionally, the plug-ins configuration panel in the
617 NetIDMgr application provides a list of currently registered
621 Type : DWORD (0 or 1)
624 If '1', the plug-in will not be loaded.
627 Type : DWORD (0 or 1)
630 If '1', the plug-in will not be unloaded from memory when the
631 NetIDMgr application exits or if the plug-in is stopped. The
632 plug-in binary will remain loaded until NetIDMgr terminates.
634 3.1.3 Settings for the Kerberos 5 credentials provider plug-in
636 Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
639 Value : AutoRenewTickets
640 Type : DWORD (0 or 1)
643 If '1', automatically renews expiring tickets. The thresholds
644 at which renewals happen are controlled in general NetIDMgr
647 Value : CreateMissingConfig
648 Type : DWORD (0 or 1)
651 If '1', creates any missing configuration files.
654 Type : DWORD (0, 1 or 2)
657 Controls how credentials are imported from the MSLSA cache.
658 This setting can be one of the following.
662 2 : Only if the principal matches
664 Note that this setting only controls how the Kerberos 5
665 plug-in handles importing of credentials from the MSLSA cache.
666 Whether or not credentials are imported at start-up is
667 controlled via general NetIDMgr settings as described in
671 Type : DWORD (0 or 1)
674 If '1', includes credentials from the MSLSA cache in the
678 Value : UseFullRealmList
679 Type : DWORD (0 or 1)
682 If '1', uses the full realms list as determined by parsing the
683 krb5.ini configuration file in the new credentials dialog box.
684 If this is '0', only the last recently used list of realms
688 3.1.3.1 Per-identity settings
690 Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\<principal name>\Krb5Cred'
691 Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters\Realms\<realm>'
692 Registry key 3: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
695 These settings are generally maintained per-identity. However, if
696 a particular setting is not specified for an identity or if the
697 identity is new, then the values will be looked up in the
698 per-realm configuration key and in the global parameters key in
699 turn. Global defaults should be set in the global parameters key
703 Type : DWORD (boolean)
706 Determines if addressless tickets will be obtained for new identities.
709 Value : DefaultLifetime
713 Default ticket lifetime, in seconds.
715 Value : DefaultRenewLifetime
719 Default renewable lifetime, in seconds.
723 Default : <not specified>
725 Specifies a comma delimited list of FILE credential caches to monitor
729 Type : DWORD (0 or 1)
732 Obtain forwardable tickets.
738 Maximum lifetime, in seconds. This value is used to set the
739 range of the user interface controls that allow setting the
740 lifetime of a ticket.
742 Value : MaxRenewLifetime
746 Maximum renewable lifetime, in seconds. The value is used to
747 set the range of the user interface controls that allow
748 setting the renewable lifetime of a ticket.
754 Minimum lifetime, in seconds. This value is used to set the
755 range of the user interface controls that allow setting the
756 lifetime of a ticket.
758 Value : MinRenewLifetime
762 Minimum renewable lifetime, in seconds. This value is used to
763 set the range of the user interface controls that allow
764 setting the renewable lifetime of a ticket.
767 Type : DWORD (0 or 1)
770 Obtain proxiable tickets.
773 Type : DWORD (0 or 1)
776 Obtain renewable tickets.
779 ----------------------------------------------------------------------
781 4. Additional Resources
783 If you want to add registry keys or files you need to create new
784 components and features for those.
786 Add new features under the 'feaKfwClient' feature and set the
787 'Level' column for those features to equal the 'Level' for their
788 parent features for consistency. Note that none of the features
789 in the "Kerberos for Windows" MSI package are designed to be
790 installed to run from 'source' or 'advertised'. It is recommended
791 that you set 'msidbFeatureAttributesFavorLocal' (0),
792 'msidbFeatureAttributesFollowParent' (2) and
793 'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new
796 If you are creating new components, retain the same component GUID
797 when creating new transforms against new releases of the Kerberos
800 It is beyond the scope of this document to provide a comprehensive
801 overview of how to add new resources through a transform. Please
802 refer to the "Windows Installer" documentation for details. The
803 relevant section is at :
805 http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp
807 A sample walkthrough of adding a new configuration file is in
810 ----------------------------------------------------------------------
814 The MSI package is designed to uninstall previous versions of
815 "Kerberos for Windows" during installation. Note that it doesn't
816 directly upgrade an existing installation. This is intentional
817 and ensures that development releases which do not have strictly
818 increasing version numbers are properly upgraded.
820 Versions of Kerberos that are upgraded by the MSI package are :
822 1) "Kerberos for Windows" 32-bit i386 MSI package
824 Upgrade code {61211594-AAA1-4A98-A299-757326763CC7}
827 2) "Kerberos for Windows" 64-bit amd64 MSI package
829 Upgrade code {6DA9CD86-6028-4852-8C94-452CAC229244}
832 2) "MIT Project Pismere Kerberos for Windows" MSI package and
833 "MIT SWRT Kerberos for Windows" MSI
835 Upgrade code {83977767-388D-4DF8-BB08-3BF2401635BD}
838 3) "Kerberos for Windows" NSIS package
842 Note that versions of the "Kerberos for Windows" NSIS package had
843 a bug where it couldn't be uninstalled properly in unattended
844 mode. Therefore the MSI package will not try to uninstall an
845 "Kerberos for Windows" NSIS package if running unattended. This
846 means that group policy based deployments will fail on machines
847 that have the "Kerberos for Windows" NSIS package installed.
849 Note that the NSIS package is only available for 32-bit i386.
850 You cannot install both the 32-bit NSIS and 64-bit amd64 MSI
851 packages on the same machine. To install both 32-bit and 64-bit
852 KFW, you must use the MSI packages of both.
854 If you have used a different MSI package to install Kerberos for
855 Windows and wish to upgrade it you can author rows into the
856 'Upgrade' table to have the "Kerberos for Windows" MSI replace these
857 installations for you.
859 ----------------------------------------------------------------------
863 (Q/A's will be added here as needed)
865 ----------------------------------------------------------------------