1.0 Installing the WinSock version of MIT's Windows Kerberos If you already have the MIT or University of Michigan Windows Kerberos installed, just copy KClient.dll into the directory where containing Windows Kerberos. If you need to install Windows Kerberos and KClient.dll, here are some setup details. The example below is for MIT's Windows Kerberos. 1) Create the directory c:\net\kerb and copy in the following files: o krbv4win.dll o kclient.dll o krb.con o kerbmem.exe (optional) 2) Add c:\net\kerb to the path. For information on using a directory other than c:\net\kerb, see the section Customizing your installation. 3) Edit the text file krb.con. The krb.con file used at Cornell is supplied as a template. Before editing, krb.con will look like this: CIT.CORNELL.EDU CIT.CORNELL.EDU kerberos.cit.cornell.edu On the first line, replace CIT.CORNELL.EDU with your Kerberos realm. On the second line, again replace CIT.CORNELL.EDU with your Kerberos realm, and replace kerberos.cit.cornell.edu with the host name of your Kerberos server. Watch out, the realm entry is case sensitive. For example, if your Kerberos realm is MST.EDU and your Kerberos server is tomservo.mst.edu, your krb.con file would look like: MST.EDU MST.EDU tomservo.mst.edu 4) The following line needs appear in the services file used by your Windows Sockets stack. Services is usually located in the directory in which your stack resides. Although some stacks, like LAN Workplace, keep the services file in a related subdirectory. kerberos 750/udp kerberos # kerberos UDP 5) The Date and Time on the machine running Microsoft Windows will need to be "accurately" set. If the date or time is off "too far", Kerberos authentication will not work. Both the Kerberos server and the Kerberos client depend on having clocks that are synchronized within a certain margin. Storing tickets - file or memory? The choice is yours. Previous versions of MIT's Windows Kerberos required a small memory resident (TSR) program, kerbmem.exe, be run prior to starting Windows. This set aside a small chunk of memory in DOS in which to store Kerberos tickets. Kerbmem.exe is now optional, and as an alternative, Windows Kerberos can store tickets in a file on disk. There is some controversy over storing Kerberos tickets on disk for microcomputer operating systems like Windows, OS/2, and Macintosh. If stroring Kerberos tickets on disk gives you the heebie-jeebies, go with kerbmem.exe. If running yet another DOS TSR gives you the heebie-jeebies, go with tickets on disk. If kerbmem.exe is not loaded, Windows Kerberos will store tickets in a file on disk. You can specify the name of the ticket file and the directory in which it is stored via the environment variable KRBTKFILE. For example, to store your tickets in a file called ticket.krb in the directory c:\net\kerb, use the follwing statement: set KRBTKFILE= c:\net\kerb\ticket.krb If the environment variable KRBTKFILE is not used, the default value c:\tmp\ticket.krb will be used. That is, tickets will be stored in the file ticket.krb in c:\tmp; which means you'll have to make sure the directory c:\tmp exists, or Windows Kerberos will report an error. Customizing your installation. The previous installation example suggested using the path c:\net\kerb. Actaully, the files krbv4win.dll and kclient.dll can go anywhere on your path. However, the file krb.con does have to go into a specific directory named kerb. In a somewhat odd way, you do have control over where the kerb directory lives. The environment variable NDIR can specify the drive and directory under which the kerb directory can live. For example: set NDIR=d:\mandarin means that Windows Kerberos will look for the settings file krb.con in d:\mandarin\kerb. Disclaimer: this is an MIT convention. If the environment variable NDIR is not used, the path c:\net\kerb is used by default.