Iowa State University

IT (Information Technology)

Kerberos Reconfiguration Required by May 15

This news item expired May 25, 2008. It may contain out-of-date information.
Kerberos needs to be reconfigured on or before May 15, 2008 to disable the "Kerberos-5-to-4" ticket generation that is currently occurring. This conversion has been taking place during the "transition period" so that both Kerberos-5 and Kerberos-4 credentials are available. If the configuration change is not made by May 15, an error will begin to occur.

Please refer to the following information about configuring Kerberos before May 15 for each OS.

Kerberos for Windows
You may be able to perform this Kerberos for Windows (KfW) reconfiguration prior to May 15, provided all applications on your system are recent versions that use Kerberos-5. Applications of concern and their current versions are:

- KfW 3.2.2
- PCLPR 2.3.1
- Kpoprelay 1.0.0.1 (replaces SideCar, which is obsolete)
- WinZephyr 2.0 (available soon)
- Eudora Pro 7.1

If you have not upgraded the above applications, changing the KfW configuration early will break all old applications immediately. In any case, old applications using Kerberos-4 will cease to work beginning May 15.

Instructions for the "Kerberos for Windows" configuration tool
Download the "Kerberos for Windows" configuration tool

Kerberos for Mac OS X
If the Kerberos configuration change is not done by May 15, you will experience these problems:

- If you have configured your system to use your Kerberos password at login and try to log in with your Kerberos password, the system won't let you log in. No error message will be displayed; the Login Window will just shake as if the username or password were invalid.

- If you log in with your local password and run kinit from the command line or from Kerberos.app, you will get this error: "Kerberos Login Failed: Can't send request (send_to_kdc)"

In both cases above, the system pauses about 20-25 seconds before failing.

MacZephyr was the only Mac OS X application distributed by IT Services that used Kerberos 4 tickets. MacZephyr will cease to function starting May 15, or as soon as you reconfigure Kerberos if you do so before May 15. A new Zephyr Utility will be available soon for users wanting to use Zephyr on their Mac OS X system.

IT Services has put together a Kerberos Configuration installer that installs a Kerberos preference file configured for Kerberos 5 use at Iowa State.

"How To Configure Kerberos" instructions for Mac OS X
Download the Kerberos Configuration installer for Mac OS X