446
452
----------------------------------------------------------------------
448
3 Additional Resources
454
3. Network Identity Manager Settings
456
Configuration options for Network Identity Manager (NetIDMgr) are
457
stored in the Windows registry. Each option can exist in the user
458
registry hive or the machine registry hive or both. The value
459
defined in the user hive always overrides the value defined in the
460
machine registry hive.
462
All registry keys used by NetIDMgr exist under the key
463
'Software\MIT\NetIDMgr' under the user and machine hive.
464
Deploying a specific configuration option can be achieved by
465
setting the corresponding registry value either by authoring the
466
keys into the MSI via a transform or by deploying a registry based
467
Group Policy Object. For deployment purposes, it is advisable to
468
deploy values to the machine hive instead of the user hive.
469
Deploying per user settings via the MSI is not supported at this
472
3.1 Common settings for NetIDMgr
474
The following sections describe a partial list of options that can
475
be specified for NetIDMgr. Each set of options is described as a
476
set of registry values. Each section is preceded by the registry
477
key under which the values of that section must be specified.
479
3.1.1 General settings
481
Registry key : 'Software\MIT\NetIDMgr\CredWindow'
485
Type : DWORD (0 or 1)
488
If this value is '1', shows the new credentials dialog if
489
there are no credentials when NetIDMgr starts.
492
Type : DWORD (0 or 1)
495
If '1', imports credentials from the Windows LSA cache when
498
Value : AutoDetectNet
499
Type : DWORD (0 or 1)
502
If '1', automatically detects network connectivity changes.
503
Network connectivity change notifications are then sent out to
504
individual plug-ins which can perform actions such as renewing
505
credentials or obtaining new credentials.
507
Value : DestroyCredsOnExit
508
Type : DWORD (0 or 1)
511
If '1', all credentials will be destroyed when NetIDMgr exits.
514
Type : DWORD (0 or 1)
517
If '1', when NetIDMgr application is closed, it will continue
518
to run in the Windows System Notification Area (System Tray).
519
The application can be exited by choosing the 'Exit' menu
520
option. If '0', closing the application will cause it to
523
3.1.2 Common Plug-in settings
525
Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\<plug-in name>'
528
The '<plug-in name>' is one of the following for the standard plug-ins :
530
Krb5Cred : Kerberos 5 credentials provider
531
Krb5Ident: Kerberos 5 Identity provider
532
Krb4Cred : Kerberos 4 credentials provider
534
Consult the vendors for the plug-in names of other third party
535
plug-ins. Additionally, the plug-ins configuration panel in the
536
NetIDMgr application provides a list of currently registered
540
Type : DWORD (0 or 1)
543
If '1', the plug-in will not be loaded.
546
Type : DWORD (0 or 1)
549
If '1', the plug-in will not be unloaded from memory when the
550
NetIDMgr application exits or if the plug-in is stopped. The
551
plug-in binary will remain loaded until NetIDMgr terminates.
553
3.1.3 Settings for the Kerberos 5 credentials provider plug-in
555
Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
558
Value : CreateMissingConfig
559
Type : DWORD (0 or 1)
562
If '1', creates any missing configuration files.
565
Type : DWORD (0, 1 or 2)
568
Controls how credentials are imported from the MSLSA cache.
569
This setting can be one of the following.
573
2 : Only if the principal matches
575
Note that this setting only controls how the Kerberos 5
576
plug-in handles importing of credentials from the MSLSA cache.
577
Whether or not credentials are imported at start-up is
578
controlled via general NetIDMgr settings as described in
582
Type : DWORD (0 or 1)
585
If '1', includes credentials from the MSLSA cache in the
588
Value : AutoRenewTickets
589
Type : DWORD (0 or 1)
592
If '1', automatically renews expiring tickets. The thresholds
593
at which renewals happen are controlled in general NetIDMgr
596
Value : UseFullRealmList
597
Type : DWORD (0 or 1)
600
If '1', uses the full realms list as determined by parsing the
601
krb5.ini configuration file in the new credentials dialog box.
602
If this is '0', only the last recently used list of realms
605
3.1.3.1 Per-identity settings
607
Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\<principal name>\Krb5Cred'
608
Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters\Realms\<realm>'
609
Registry key 3: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
612
These settings are generally maintained per-identity. However, if
613
a particular setting is not specified for an identity or if the
614
identity is new, then the values will be looked up in the
615
per-realm configuration key and in the global parameters key in
616
turn. Global defaults should be set in the global parameters key
619
Value : DefaultLifetime
623
Default ticket lifetime, in seconds.
629
Maximum lifetime, in seconds. This value is used to set the
630
range of the user interface controls that allow setting the
631
lifetime of a ticket.
637
Minimum lifetime, in seconds. This value is used to set the
638
range of the user interface controls that allow setting the
639
lifetime of a ticket.
642
Type : DWORD (0 or 1)
645
Obtain forwardable tickets.
648
Type : DWORD (0 or 1)
651
Obtain proxiable tickets.
654
Type : DWORD (0 or 1)
657
Obtain addressless tickets.
660
Type : DWORD (0 or 1)
663
Obtain renewable tickets.
665
Value : DefaultRenewLifetime
669
Default renewable lifetime, in seconds.
671
Value : MaxRenewLifetime
675
Maximum renewable lifetime, in seconds. The value is used to
676
set the range of the user interface controls that allow
677
setting the renewable lifetime of a ticket.
679
Value : MinRenewLifetime
683
Minimum renewable lifetime, in seconds. This value is used to
684
set the range of the user interface controls that allow
685
setting the renewable lifetime of a ticket.
687
3.1.4 Settings for the Kerberos 4 Credentials Provider Plug-in
689
Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\<principal name>\Krb4Cred'
690
Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred\Parameters'
693
Theses settings are also maintained per identity. However, if the
694
setting is not specified for some identity or if the identity is
695
new, then the global default will be used (registry key 2).
696
Global defaults should be set in the second registry key.
699
Type : DWORD (0 or 1)
702
If '1', obtains Kerberos 4 credentials. Note that currently,
703
only one identity can have Kerberos 4 credentials at one time.
706
Type : DWORD (0, 1 or 2)
709
Method for obtaining Kerberos 4 credentials. The values are
712
0 : Automatically determine method
714
2 : Use Kerberos 5 to 4 translation
716
Value : DefaultLifetime
720
The default ticket lifetime, in seconds.
726
Maximum lifetime, in seconds. This value is used to set the
727
range of the user interface controls that allow setting the
734
Minimum lifetime, in seconds. This value is used to set the
735
range of the user interface controls that allow setting the
738
----------------------------------------------------------------------
740
4. Additional Resources
450
742
If you want to add registry keys or files you need to create new
451
743
components and features for those.
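Review bot: the introduction to section 3 (new lines 459-468) states that a user-hive value "always overrides" the machine-hive value and then advises deploying to the machine hive, but it never says that a machine-hive deployment therefore sets a default rather than enforcing the setting. For values with a security effect, such as DestroyCredsOnExit in 3.1.1 or the forwardable and proxiable ticket options in 3.1.3.1, an administrator may assume the deployed value sticks; suggest adding a sentence after "instead of the user hive." stating that a user-hive value of the same name still takes precedence. Two wording fixes in the same hunk: new line 693 reads "Theses settings" (should be "These settings"), and new line 602 reads "last recently used list of realms", which presumably should be "most recently used". The new heading "3. Network Identity Manager Settings" also carries a trailing period where the heading it displaces, "3 Additional Resources", had none; one style should be used throughout the file.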