Network Identity Manager (NetIdMgr) is a graphical tool designed to simplify the management of network identities and their credentials which are used by network authentication protocols while providing secure access to network services.  When NetIDMgr is used with Kerberos v5 each network identity is a unique Kerberos principal name and the credentials are Kerberos v5 tickets.  Kerberos v5 tickets can be used by NetIDMgr to obtain Andrew File System (AFS) tokens and X.509 public key certificates if the appropriate plug-ins are installed.

When you log into Microsoft Windows with a domain account, your account name and the Windows Domain name combine to form a Kerberos principal name.  As an example, 'WINDOWS\jaltman' is actually a short form representation of jaltman@WINDOWS.SECURE-ENDPOINTS.COM.   Microsoft Windows uses Kerberos-based network identities for all domain-based network authentications.

Since Microsoft Windows already provides a network identity, why do you need NetIdMgr?  Here are some examples:

  1. Your only network identity is your Windows Domain account but you have third-party applications that rely on MIT Kerberos for authentication for access to remote files, e-mail, web data, or other services.  In this scenario, NetIdMgr will automatically import your Windows Domain credentials into a form that can be used by applications that rely on MIT Kerberos.
  2. You do not have a Windows Domain account but you must obtain network credentials in order to securely access a network service.  In this scenario, NetIdMgr can be used to obtain new credentials for network identities and can automatically renew them before they expire.
  3. You have Kerberos credentials for a network identity and you have third-party applications that require an alternative form of network credential, such as an AFS token or an X.509 certificate, which can be obtained via a Kerberos authentication.  In this scenario, NetIdMgr can automatically use your existing credentials to obtain and renew the additional network credential types.
  4. You have a Windows Domain account but you need to authenticate to a service belonging to a Kerberos realm outside the Windows Domain.  In this scenario, NetIdMgr can be used to manage multiple network identities, the Windows Domain identity as well as the additional Kerberos identity required for the external network services. 
  5. You have multiple network identities within the same Kerberos realm which are used for different roles.  For example, an unprivileged user identity and a privileged identity that is only meant to be used for system administration.  In this scenario, NetIdMgr can be used to obtain credentials for all of your identities and automatically renew them as necessary.

NetIdMgr’s automated credential acquisition and renewal makes it an invaluable tool which provides users with a Single Sign-on experience.

NetIdMgr is most commonly configured as a StartUp item that runs as an icon in the Taskbar Notification Area until you logout.  While running, NetIDMgr automatically renews your credentials, notifies you of pending expirations and prompts you when a Kerberized application requires credentials that have not already been obtained.
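The renew / notify / prompt behaviour described above, as an added Python model that is not NetIdMgr's own code: it decides, for a Kerberos v5 ticket with an endtime and a renew_till, whether to renew it, warn that it is expiring, or prompt for new credentials, and walks a constructed ticket through a day. The Ticket structure, the 15-minute polling interval and both margins are assumptions made for this example, not NetIdMgr settings.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Ticket:                       # constructed model, not NetIdMgr's own data structure
    principal: str
    endtime: datetime               # instant the ticket stops being valid
    renew_till: Optional[datetime]  # None for a non-renewable ticket
    lifetime: timedelta             # lifetime granted on each (re)acquisition

RENEW_MARGIN = timedelta(minutes=30)  # assumed policy: renew this close to endtime
WARN_MARGIN = timedelta(hours=1)      # assumed policy: warn this close if not renewable

def plan(ticket: Ticket, now: datetime) -> str:
    """Return 'none', 'renew', 'warn' or 'reacquire' for `ticket` at `now`."""
    if now >= ticket.endtime:
        return "reacquire"  # an expired ticket cannot be renewed: prompt the user
    remaining = ticket.endtime - now
    # Renewal only helps while renew_till still lies beyond the current endtime.
    renewable = ticket.renew_till is not None and ticket.renew_till > ticket.endtime
    if renewable and remaining <= RENEW_MARGIN:
        return "renew"
    if not renewable and remaining <= WARN_MARGIN:
        return "warn"       # nothing automatic is possible: notify of the expiration
    return "none"

def simulate(ticket: Ticket, start: datetime, horizon: timedelta) -> list:
    """Poll every 15 minutes; return (time, action) events other than 'none', warnings collapsed."""
    events, now = [], start
    while now <= start + horizon:
        action = plan(ticket, now)
        if action == "renew":   # a successful renewal: the KDC caps the new endtime at renew_till
            ticket = replace(ticket, endtime=min(now + ticket.lifetime, ticket.renew_till))
        if action != "none" and (action == "renew" or not events or events[-1][1] != action):
            events.append((now, action))
        if action == "reacquire":
            break
        now += timedelta(minutes=15)
    return events

def demo() -> list:
    """Constructed sample: a 10-hour ticket whose renewable life is only 20 hours,
    watched for a day, so that renewal, the renew_till cap and the prompt all occur."""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    t = Ticket("jaltman@WINDOWS.SECURE-ENDPOINTS.COM", issued + timedelta(hours=10),
               issued + timedelta(hours=20), timedelta(hours=10))
    return simulate(t, issued, timedelta(hours=24))
```

Running `demo()` yields two renewals (18:30 and 04:00), a single warning once the capped ticket can no longer be renewed, and a prompt for new credentials at 05:00.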

When configured to do so, NetIdMgr will prompt you immediately after it starts to obtain Kerberos credentials.  This is often referred to as logging on to Kerberos.  NetIdMgr does not perform a logon in the sense of the Windows Logon Service.  A logon service would do more than manage Kerberos tickets. A logon service would authenticate you to the local machine, validate access to your local file system and perform additional set-up tasks. These are beyond the scope of NetIdMgr. NetIdMgr simply allows you to manage Kerberos identities on behalf of compatible applications and to change your Kerberos password.

NetIDMgr is distributed with the Kerberos v5 and Kerberos v4 providers (32-bit only). Providers for additional credential types including AFS tokens and KCA certificates are available as separate distributions.  The OpenAFS provider, which is required for supporting AFS tokens, is distributed as part of OpenAFS for Windows.  The KCA provider is distributed by Secure Endpoints Inc.

Getting started

Information for developers

If you are interested in developing credential providers or extending the features of NetIDMgr, your first stop should be the NetIDMgr SDK, which can be downloaded from Secure Endpoints Inc.

Contact the netidmgr@secure-endpoints.com mailing list with questions or comments.

External links