Kerberos v5 Configuration

The Kerberos v5 Configuration tab allows you to alter the behavior of the Kerberos v5 identity provider.

In the Default Realm field, select a Kerberos realm from the dropdown list.

The Include all configured realms in New Credentials realm list option determines whether all of the realms declared in the Kerberos v5 Configuration file are included in the realms list of the Obtain New Credentials dialog.  If disabled, only the realms previously used to obtain credentials are displayed.

The Configuration File field displays the path to the Kerberos v5 configuration file, krb5.ini.
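
To audit what a given krb5.ini offers for the Default Realm and realm list settings described above, the following added example (not part of NetIdMgr or MIT Kerberos for Windows) parses the standard MIT profile layout and reports the default realm, the declared realms, and whether the default is among them. The function names and the sample file are constructed for illustration; that NetIdMgr reads these values from [libdefaults] default_realm and [realms] is an assumption.

```python
import re

# Constructed sample krb5.ini; realm and host names are placeholders.
SAMPLE_KRB5_INI = """\
; constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    LAB.EXAMPLE.ORG = {
        kdc = kdc.lab.example.org
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5_ini(text):
    """Parse profile text into {section: {key: [values] or nested dict}}."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:                               # [libdefaults], [realms], ...
            stack = [profile.setdefault(section.group(1).strip(), {})]
        elif line == "}":                         # end of a realm sub-block
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                      # start of a sub-block
                stack.append(stack[-1].setdefault(key, {}))
            else:                                 # relations may repeat (e.g. kdc)
                stack[-1].setdefault(key, []).append(value)
    return profile

def realm_settings(text):
    """Return (default realm, declared realms, default-is-declared flag)."""
    profile = parse_krb5_ini(text)
    default = profile.get("libdefaults", {}).get("default_realm", [None])[0]
    realms = sorted(profile.get("realms", {}))
    return default, realms, default in realms

if __name__ == "__main__":
    print(realm_settings(SAMPLE_KRB5_INI))
```

A false flag means the default realm has no entry in [realms], so the file itself names no KDC for it.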

The Kerberos libraries depend on configuration files for their proper operation.  When Create file if missing is checked, NetIdMgr will construct replacements for missing configuration files upon startup.  This is performed by extracting Kerberos configuration information from the local Windows registry and the Domain Name System.  The contents of the created file may then be edited using the Kerberos Properties Dialog.  [This functionality is not available in this release.]

The field labeled Host Name displays the name of your local machine.  The Domain Name field displays the domain to which your local machine currently belongs. 

The Import Tickets listbox allows you to configure how NetIdMgr interacts with the Microsoft Kerberos Authentication Provider.  NetIdMgr will automatically import Kerberos Tickets from the Microsoft LSA at startup depending upon the selected option and whether or not the Kerberos Authentication Provider was used for Windows Logon authorization. 

When the Windows Logon identity is imported and is configured as the default identity, the MIT credential cache will be used in preference to the MSLSA credential cache.


On Windows Vista, Windows 7, and Windows Server 2008, the operating system does not permit the importation of the Kerberos Ticket Granting Ticket if the active user account is a member of the Administrators or Domain Administrators groups and User Account Control (UAC) mode is active.

Kerberos v5 Credential Cache Configuration

The Kerberos v5 Credentials Caches page determines which types of credential caches have their contents displayed within the Network Identity Manager. The Include all API: credential caches check box determines whether or not CCAPI caches are included. CCAPI caches are the most frequently used with MIT Kerberos for Windows. The Include Windows LSA cache (MSLSA:) check box determines whether or not the Windows Logon Session Identity is displayed within NetIdMgr.

The Network Identity Manager can also display the contents of FILE: credential caches. Each FILE: credential cache must be manually added to the list