Secure Endpoints Inc. 255 W 94th Street PHB, New York NY 10025


This page was last updated 11/04/07

Network Identity Manager and
Kerberos for Windows
Requested Features and Road Map

The following are some of the feature requests that have been received for future Network Identity Manager releases and their estimated cost to implement.  Organizations that are interested in seeing these features implemented are encouraged to fund the project. 

Road Map

Network Identity Manager 1.3.1 and Kerberos for Windows 3.2.2 were released on 22 October 2007.  Download MIT KFW 3.2.2 from MIT or digitally signed versions from the Secure Endpoints web server:

Planning for KFW 3.3 and KFW 4.0 is currently underway.  KFW 3.3 will be an incremental release that adds new features to the existing code base and is targeted for a Fourth Quarter 2007 release.  KFW 4.0 will be a much more substantial upgrade, providing support for the Kerberos Identity Management API and native 64-bit processes and dropping support for Kerberos v4; it is targeted for release during the Third Quarter of 2008 along with Kerberos v5 1.7.

Requested Features

If after reviewing the following list of features your organization decides to help support the on-going development of Network Identity Manager, please send e-mail to: netidmgr@secure-endpoints.com.

Network Identity Manager

Improved Kerberos v5 Configuration Editor and Microsoft Management Console Snap-In (Required for Vista)

The NIM Kerberos v5 Credential Module does a poor job of providing an interface for graphically editing the Kerberos v5 configuration, which is stored in the krb5.ini file.  With the release of Microsoft Vista and its User Account Control (UAC) functionality, it becomes necessary that any functionality which alters system configuration, whether stored in files or the registry, be removed from tools that are not executed with administrator privileges.  Otherwise, a failed attempt to write the configuration will automatically result in the write being redirected to a virtualized copy of the file or registry key whose lifetime is the current session.  Won't the users be surprised when their configuration changes disappear when they log out?
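As an added diagnostic, not code from the NIM or KFW projects, the following PowerShell shows how an administrator can tell whether an unelevated tool on Vista is subject to UAC virtualization and whether a virtualized copy of krb5.ini already shadows the real one.  It assumes krb5.ini lives in the Windows directory and uses the standard VirtualStore redirection locations for files and the registry.

```powershell
# Added example (not NIM/KFW project code): detect UAC virtualization that
# would silently redirect krb5.ini writes made by an unelevated tool.
$tokenApi = @'
using System;
using System.Runtime.InteropServices;
public static class TokenVirt {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out uint value, uint length, out uint returned);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS values for the two virtualization flags
    public const int TokenVirtualizationAllowed = 23;
    public const int TokenVirtualizationEnabled = 24;
    public static bool Query(int infoClass) {
        IntPtr token; uint value, returned;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new InvalidOperationException("OpenProcessToken failed");
        bool ok = GetTokenInformation(token, infoClass, out value, 4, out returned);
        CloseHandle(token);
        if (!ok) throw new InvalidOperationException("GetTokenInformation failed");
        return value != 0;
    }
}
'@
Add-Type -TypeDefinition $tokenApi

$allowed = [TokenVirt]::Query([TokenVirt]::TokenVirtualizationAllowed)
$enabled = [TokenVirt]::Query([TokenVirt]::TokenVirtualizationEnabled)
"Virtualization allowed for this token: $allowed"
"Virtualization enabled for this token: $enabled"
if ($enabled) { Write-Warning 'Writes to protected locations will be redirected, not rejected.' }

# Assumed location of the real krb5.ini, and the per-user VirtualStore shadow
# that UAC file virtualization creates for files under the Windows directory.
$realIni   = Join-Path $env:SystemRoot 'krb5.ini'
$shadowIni = Join-Path $env:LOCALAPPDATA 'VirtualStore\Windows\krb5.ini'
if (Test-Path $shadowIni) {
    Write-Warning "Virtualized copy at $shadowIni shadows $realIni for this user only."
    if (Test-Path $realIni) {
        Compare-Object (Get-Content $realIni) (Get-Content $shadowIni) | Format-Table -AutoSize
    }
}

# Redirected HKLM\SOFTWARE writes land under this per-user key in the same way.
$regShadow = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
if (Test-Path $regShadow) { Get-ChildItem $regShadow -Recurse | Select-Object -ExpandProperty Name }
```

Run it from the same (unelevated) context the configuration tool would run in; an elevated prompt never has virtualization enabled, so it would show nothing.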

The proposal is to remove the existing Configuration Editor functionality from the NIM Kerberos v5 module and replace it with a Microsoft Management Console Snap-In that supports the existing functionality plus domain_realm mappings and capaths.  The MMC would be made accessible via a button on the NIM Options->Kerberos v5 configuration page.   This button would launch the Kerberos v5 MMC as an administrative process as required by the UAC specifications.

This same MMC can be used as an alternative to Microsoft's KSETUP for configuring the Microsoft Kerberos SSP.  The Vista Kerberos SSP supports domain_realm mappings and capaths although there is currently no user interface available to configure them.

[Screenshots: Kerberos MMC - General Tab; Kerberos MMC - Realms Tab; Kerberos MMC - Integrated Login Tab]

Once the Microsoft Management Console Snap-In has been implemented, the Network Identity Manager Kerberos v5 Realms page will be removed and the Configuration page will be re-implemented to remove those operations that require administrator privileges.  In their place a button to launch the Kerberos Management Console with privileges will be added.

Estimated implementation time: 80 to 110 hours

Automatic Property Sheet Refresh

When a property sheet is displayed for an identity or credential the contents of the property sheet are a snapshot of the object's state at a fixed point in time.  Instead, the property sheet should refresh automatically over time.

Estimated implementation time: 16 to 24 hours

Microsoft Vista LSA Identity Synchronization

Microsoft Vista permits Kerberos for Windows to write to the LSA credentials store.  This will permit NIM to make credentials acquired via Kerberos for Windows available to Microsoft Kerberos SSP applications whether or not the user logged in with a Domain Account.  Even when a Domain Account has been used, Kerberos for Windows can be used to overwrite the credentials with those of a new identity.

NIM should be modified to support a new MSLSA mode that creates a backup of the LSA identity within an API credential cache and writes the default identity's credentials to the LSA credential cache.

Estimated implementation time: 32 to 48 hours.

Multiple Identity Provider Support (funded)

NIM is designed to support multiple identity providers at the same time.  However, the work to do so has not been completed.

Estimated implementation time: 60 to 90 hours.

This feature will be included in the KFW 3.3 release.

PKINIT Credential Acquisition (funded)

PKINIT functionality is being added to MIT's Kerberos implementation with a dependency on OpenSSL.  A PKINIT identity provider for NIM should be implemented permitting the acquisition of Kerberos v5 initial ticket granting tickets via the use of a certificate or smart card.

Estimated implementation time: 60 to 80 hours

This feature will be included in the KFW 3.3 release.

Customizable Icons and Notification Sounds

Users should be permitted to configure per Identity icons and notification sounds.

Estimated implementation time: 16 to 24 hours

Vista Aero User Interface Improvements

NIM should be enhanced to take advantage of the latest user interface functionality provided by Aero.

Estimated implementation time: to be determined

New Identity Wizard (funded)

NIM should have a new identity wizard that walks users through the process of configuring a new network identity by selecting the appropriate identity provider and then selecting which credentials from the available credential managers should be acquired when the user authenticates the identity.

Estimated implementation time: 24 to 32 hours

This feature will be included in the KFW 3.3 release.

Microsoft Vista Sidebar Widget

NIM can detect that the Vista Sidebar is open and install itself as a running widget.  The widget would provide the contents of the "basic" identity view listing just the identities, whether or not they have initial credentials, when those credentials expire, and permit the selection of the default identity.   The addition of the Vista Widget support would not alter the existing functionality of Network Identity Manager.

Estimated implementation time: 54 to 72 hours

Google Desktop Sidebar Gadget

NIM can detect that Google Desktop Sidebar is open and install itself as a running gadget.  The gadget would provide the contents of the "basic" identity view listing just the identities, whether or not they have initial credentials, when those credentials expire, and permit the selection of the default identity.   The addition of the Google Desktop Gadget support would not alter the existing functionality of Network Identity Manager.

Estimated implementation time: 54 to 72 hours
Kerberos for Windows

Support for a New Configuration File Location (Vista)

On Microsoft Vista, applications are supposed to store their configuration files under the \All Users\Application Data\Company\Product\ path instead of in the Windows directory or the Program Files directory.  This is to enable 32-bit and 64-bit versions of the applications to share the same instance of the configuration files as well as permit application specific access control.

Estimated implementation time: 4 to 8 hours

Additional Feature Requests?

Send additional feature requests to netidmgr@secure-endpoints.com.