GitHub Repository: freebsd/freebsd-src
Path: blob/main/crypto/krb5/src/windows/installer/wix/msi-deployment-guide.txt
                         Kerberos for Windows

                         MSI Deployment Guide

----------------------------------------------------------------------

    Contents

    1.  Introduction
        1.1  Requirements
        1.2  Authoring a Transform
    2.  Configuration Options
        2.1  Configurable Properties
             2.1.1  Setting Properties
             2.1.2  Leash GUI Properties
             2.1.3  Leash DLL Properties
             2.1.4  Kerberos IV Properties
             2.1.5  Kerberos V Properties
        2.2  Existing Registry Entries
        2.3  Replacing Configuration Files
    3.  Network Identity Manager Settings
        3.1  Common Settings for NetIDMgr
             3.1.1  General Settings
             3.1.2  Common Plug-in Settings
             3.1.3  Settings for the Kerberos 5 Credentials Provider Plug-in
             3.1.4  Settings for the Kerberos 4 Credentials Provider Plug-in
    4.  Additional Resources
    5.  Upgrades
    6.  FAQ

----------------------------------------------------------------------

1.  Introduction

    Beginning with "Kerberos for Windows" version 2.6.5, an MSI installer
    option is available for those who wish to use "Windows Installer"
    for installing Kerberos and for organizations that wish to deploy
    Kerberos through Group Policy.

    This document provides a guide for authoring transforms used to
    customize the MSI package for a particular organization.  Although
    many settings can be deployed via transforms, in an Active
    Directory environment it is advisable to deploy registry settings
    and configuration files through group policy and/or startup
    scripts so that machines where "Kerberos for Windows" is already
    installed will pick up these customizations.

1.1  Requirements

    The information in this document applies to MSI packages
    distributed with "Kerberos for Windows" releases from 2.6.5
    onwards or MSI packages built from corresponding source
    releases.  Not all releases support all the configuration options
    documented here.

    Authoring a "Windows Installer" transform requires additional
    software for editing the MSI database tables and generating the
    transform from the modified MSI package.  ORCA.EXE and MSITRAN.EXE,
    which are included in the Windows Platform SDK ("Windows Installer"
    SDK), can be used for this purpose.

    For reference, the schema for the MSI package is based on
    SCHEMA.MSI distributed with the Platform SDK.

    For general information about "Windows Installer", refer to:

        http://msdn.microsoft.com/library/en-us/msi/setup/windows_installer_start_page.asp

    For general information about authoring MSI transforms, refer to:

        http://msdn.microsoft.com/library/en-us/msi/setup/transforms.asp

    The remainder of this document assumes some familiarity with
    authoring transforms.  While the MSDN documentation for Windows
    Installer is a bit dense, it is recommended that you read through
    the guide on MSI transforms found at the second link above.  MSDN
    also includes a step-by-step example for creating a transform at:

        http://msdn.microsoft.com/library/en-us/msi/setup/a_customization_transform_example.asp

1.2  Authoring a Transform

    Transforms describe a set of modifications to be performed on an
    existing MSI for the purpose of customizing it.  This is
    ordinarily done by making a copy of the MSI to be customized,
    modifying the copy and then using the old and the new MSI to
    generate a transform.

    E.g.:
        > copy kfw.msi kfw-modified.msi

        (edit the kfw-modified.msi to include the necessary changes)

        > msitran -g kfw.msi kfw-modified.msi kfw-transform.mst

        (generates kfw-transform.mst, which is the transform)

    Transforms have an extension of .mst.  'msitran' is a tool
    distributed as part of the "Windows Installer" SDK (which in turn is
    a part of the Windows Platform SDK).

    You can test a transform by:

        > copy kfw.msi kfw-test.msi
        > msitran -a kfw-transform.mst kfw-test.msi

    and then checking the resulting kfw-test.msi to see if all the
    changes you have made above to kfw-modified.msi are present in
    kfw-test.msi.  'msitran' will complain if some modification in the
    transform cannot be successfully applied.

    As mentioned above, you can use a tool like ORCA.EXE to edit the
    MSI databases directly when editing kfw-modified.msi.  More
    details are given below.

----------------------------------------------------------------------

2.  Configuration Options

    The logic necessary to implement all of the settings described in
    the release notes is present in the MSI.  Most of these can be
    controlled by setting the corresponding properties to the desired
    value.  Some settings may require modifying existing registry
    entries (though not recommended) or adding new resources (like
    files or registry keys).  Instructions for performing these tasks
    are below.

2.1  Configurable Properties

    Most configurable properties correspond to registry keys or
    values.  Please refer to the release notes for more information
    about how these registry settings are used.

    Due to the logic invoked based on the existence of these registry
    keys or values, they are only set if the associated property is
    defined to have a non-null value.  If the associated property is
    not defined in the MSI, the registry key or value will not be
    touched.  By default, the MSI does not contain these properties
    and hence will not set the registry keys.  You will need to add
    properties as needed to the MSI.

    When one of the configurable properties is set, the installer will
    use the property value to set the corresponding setting in the
    HKEY_LOCAL_MACHINE registry hive.  The HKEY_CURRENT_USER hive is
    not touched by the installer.

    For each property, the associated registry setting is referenced
    by the same text used in the release notes ('Registry and
    Environment Settings' section).

    Strings are quoted using single quotes (e.g. 'a string').  An empty
    string is denoted as ''.  Note that you can't author null values
    into the 'Property' table.

    Numeric values should be authored as decimal strings.

2.1.1  Setting Properties

    In order to set a property,

    a. Open the MSI in ORCA.EXE

    b. Select the 'Property' table from the list of tables on the left.

    c. Find the property in the list of properties on the right,
       double click the value and type the new value.

    d. If the property does not exist in the property list, right
       click the list and select 'Add Row', type the property name
       and the desired value.

2.1.2  Leash GUI properties

    LEASHCREATEMISSINGCONFIG
        Setting: automatic generation of missing configuration files
        Values : '0' or '1'

    LEASHAUTORENEWTICKETS
        Setting: automatic ticket renewal
        Values : '0' or '1'

2.1.3  Leash32 DLL properties

    LEASHLIFETIME
        Setting: default lifetime (minutes)
        Values : numeric

    LEASHRENEWTILL
        Setting: default renew till time (minutes)
        Values : numeric

    LEASHRENEWABLE
        Setting: default renewable tickets setting
        Values : '0' or '1'

    LEASHFORWARDABLE
        Setting: default forwardable tickets setting
        Values : '0' or '1'

    LEASHNOADDRESSES
        Setting: default addressless tickets setting
        Values : '0' or '1'

    LEASHPROXIABLE
        Setting: default proxiable tickets setting
        Values : '0' or '1'

    LEASHPUBLICIP
        Setting: default public IPv4 address
        Values : numeric

    LEASHHIDEKINITOPTIONS
        Setting: hide advanced kinit options in dialog
        Values : '0' or '1'

    LEASHLIFEMIN
        Setting: minimum kinit dialog lifetime
        Values : numeric

    LEASHLIFEMAX
        Setting: maximum kinit dialog lifetime
        Values : numeric

    LEASHRENEWMIN
        Setting: minimum kinit dialog renew till time
        Values : numeric

    LEASHRENEWMAX
        Setting: maximum kinit dialog renew till time
        Values : numeric

    LEASHUPPERCASEREALM
        Setting: upper case realm
        Values : '0' or '1'

    LEASHTIMEHOST
        Setting: timesync host
        Values : string

    LEASHPRESERVEKINITOPTIONS
        Setting: Preserve ticket initialization dialog options
        Values : numeric

2.1.4  Kerberos 5 properties

    KRB5CONFIG
        Setting: location of krb5.ini
        Values : string

    KRB5CCNAME
        Setting: Default credentials cache name
        Values : string

    KRB5PRESERVEIDENTITY
        Setting: MSLSA: credential cache client principal identity generation
        Values : '0' or '1'

2.2  Existing Registry Entries

    You can change existing registry values subject to the
    restrictions mentioned in the Windows Platform SDK.  Pay special
    attention to component keypaths and try to only change the 'Value'
    column in the 'Registry' table.  If you want to add additional
    registry keys please refer to section 4 (Additional Resources).

2.3  Replacing Configuration Files

    The Kerberos configuration files (krb5.ini, krb.con, krbrealm.con)
    can be replaced by your own configuration files.  These files are
    contained in separate MSI components so that you can disable them
    individually.

    The recommended method for replacing these files is to first
    disable the components containing the configuration files that you
    want to replace, and then add new components for the replacement
    files.  This is outlined below (assuming you are using ORCA.EXE to
    author the transform).

    Note that transforms are not a good way to add a new file as an
    embedded stream.  The method outlined here places the file in the
    same directory as the MSI for deployment.

    The walkthrough below adds a custom 'krb5.ini' file.

    1) Disable the component that contains the configuration file that
       you want to replace.

       1.1) Locate and select the 'Component' table in the 'Tables'
            list.

       1.2) In the Component table, locate the component you need to
            change (Ctrl-F invokes the 'Find' dialog).  The component
            names are listed below in section 2.3.1.  For this
            example, the component name is 'cmf_krb5_ini'.

       1.3) Go to the 'Condition' column of the component.

       1.4) Enter a condition that evaluates to false, for example
            'DONOTINSTALL'.  (Note that an undefined property always
            evaluates to false.)

       Note that you can also use this step to disable other
       configuration files without providing replacements.

    2) Add a new component containing the new configuration file.

       2.1) Select the 'Component' table in the 'Tables' list.

       2.2) Select 'Tables'->'Add Row' (Ctrl-R).

       2.3) Enter the following:

            Component   : cmf_my_krb5_ini
            ComponentId : {835BAAC6-5E54-BFFE-DBCB2F240711}
            Directory_  : WindowsFolder
            Attributes  : 144
            Condition   :
            KeyPath     : fil_my_krb5_ini

            Note that the ComponentId is an uppercase GUID.  You can
            generate one using GUIDGEN.EXE or UUIDGEN.EXE, both of
            which are included in the Platform SDK.

            The Attributes value of 144 is a sum of
            msidbComponentAttributesPermanent (16) and
            msidbComponentAttributesNeverOverwrite (128).  This
            ensures that local modifications are not overwritten or
            lost during an installation or uninstallation.  These are
            the same settings used on the default configuration files.

            'fil_my_krb5_ini' is a key into the 'File' table which we
            will fill later.

    3) Add a new feature to hold the new component.

       3.1) Select the 'Feature' table.

       3.2) Add a new row (Ctrl-R or 'Tables'->'Add Row') with the
            following values:

            Feature       : fea_my_krb5_ini
            Feature_Parent: feaKfwClient
            Title         :
            Description   :
            Display       : 0
            Level         : 30
            Directory_    :
            Attributes    : 8

            It is important to create the new feature under the
            'feaKfwClient' feature, which will ensure that the
            configuration file will be installed when the client
            binaries are installed.

            Setting 'Display' to 0 will hide this feature from the
            feature selection dialog during an interactive
            installation.  A value of 30 for 'Level' allows this
            feature to be installed by default (on a 'Typical'
            installation).

            The 'Attributes' value is
            msidbFeatureAttributesDisallowAdvertise (8), which is set
            on all features in the KfW MSI.  The KfW MSI is not
            designed for an advertised installation.

    4) Join the component and the feature.

       4.1) Select the 'FeatureComponents' table.

       4.2) Add a new row with the following values:

            Feature   : fea_my_krb5_ini
            Component : cmf_my_krb5_ini

    5) Add an entry to the 'File' table.

       5.1) Select the 'File' table.

       5.2) Add a new row with the following values:

            File       : fil_my_krb5_ini
            Component_ : cmf_my_krb5_ini
            FileName   : krb5.ini
            FileSize   : (enter file size here)
            ...
            Attributes : 8192
            Sequence   : 1000
            (leave other fields blank)

            The 'Attributes' value is msidbFileAttributesNonCompressed
            (8192).  This is because we will be placing this file in
            the same directory as the MSI instead of embedding the
            file in it.  Transforms do not support updating compressed
            sources or adding new cabinet streams.

            Finally, the 'Sequence' value of 1000 will be used later
            to distinguish the file as being in a separate source
            location than the other files in the MSI.

    6) Set a media source for the file.

       6.1) Select the 'Media' table.

       6.2) Add a row with the following values:

            DiskId       : 2
            LastSequence : 1000
            ...
            (leave other fields blank)

            The sequence number of 1000 designates this as the media
            source for the newly added file.
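
    The same six steps can be scripted through the Windows Installer
    automation interface instead of being entered in ORCA.EXE.  The
    PowerShell below is an added example, not part of the original guide
    or the KfW sources.  The file names are assumptions, and the
    'FeatureComponents' insert uses the column names 'Feature_' and
    'Component_' from the standard MSI schema.

```powershell
# Added example (not from the KfW sources): scripts steps 1-6 of the
# walkthrough against a copy of the MSI, then generates the transform.
# Assumed inputs: kfw.msi and the replacement krb5.ini in the current directory.
$ErrorActionPreference = 'Stop'

$baseMsi   = Join-Path $PWD 'kfw.msi'
$workMsi   = Join-Path $PWD 'kfw-modified.msi'
$transform = Join-Path $PWD 'kfw-transform.mst'
$iniFile   = Get-Item -LiteralPath (Join-Path $PWD 'krb5.ini')

# ComponentId is an uppercase GUID in braces. Generate it once, record it, and
# reuse it when rebuilding the transform for a later KfW release (section 4).
$componentId = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'

# The Installer automation objects are late-bound, so call them via InvokeMember.
function Invoke-Com($Object, [string]$Method, [object[]]$Arguments = @()) {
    $Object.GetType().InvokeMember($Method, 'InvokeMethod', $null, $Object, $Arguments)
}

# One MSI SQL statement per line. {0} = ComponentId, {1} = size of krb5.ini.
# Columns left blank in the walkthrough are nullable and simply omitted.
$sql = @'
UPDATE `Component` SET `Condition` = 'DONOTINSTALL' WHERE `Component` = 'cmf_krb5_ini'
INSERT INTO `Component` (`Component`, `ComponentId`, `Directory_`, `Attributes`, `KeyPath`) VALUES ('cmf_my_krb5_ini', '{0}', 'WindowsFolder', 144, 'fil_my_krb5_ini')
INSERT INTO `Feature` (`Feature`, `Feature_Parent`, `Display`, `Level`, `Attributes`) VALUES ('fea_my_krb5_ini', 'feaKfwClient', 0, 30, 8)
INSERT INTO `FeatureComponents` (`Feature_`, `Component_`) VALUES ('fea_my_krb5_ini', 'cmf_my_krb5_ini')
INSERT INTO `File` (`File`, `Component_`, `FileName`, `FileSize`, `Attributes`, `Sequence`) VALUES ('fil_my_krb5_ini', 'cmf_my_krb5_ini', 'krb5.ini', {1}, 8192, 1000)
INSERT INTO `Media` (`DiskId`, `LastSequence`) VALUES (2, 1000)
'@ -f $componentId, $iniFile.Length

$installer = New-Object -ComObject WindowsInstaller.Installer
Copy-Item -LiteralPath $baseMsi -Destination $workMsi -Force

$db = Invoke-Com $installer 'OpenDatabase' @($workMsi, 1)         # 1 = transacted
foreach ($statement in ($sql -split '\r?\n')) {
    $view = Invoke-Com $db 'OpenView' @($statement)
    Invoke-Com $view 'Execute' | Out-Null
    Invoke-Com $view 'Close'   | Out-Null
}
Invoke-Com $db 'Commit' | Out-Null

# Diff the edited copy against the untouched original (what 'msitran -g' does).
$reference = Invoke-Com $installer 'OpenDatabase' @($baseMsi, 0)  # 0 = read-only
if (Invoke-Com $db 'GenerateTransform' @($reference, $transform)) {
    # A transform needs summary information before it can be applied.
    Invoke-Com $db 'CreateTransformSummaryInfo' @($reference, $transform, 0, 0) | Out-Null
    "Wrote $transform with ComponentId $componentId"
    'Deploy krb5.ini in the same directory as the MSI.'
} else {
    'No differences found; no transform written.'
}
```

    Test the result as described in section 1.2 by applying the
    transform to a fresh copy of kfw.msi with 'msitran -a'.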

2.3.1  Components for Configuration Files

    krb5.ini    : 'cmf_krb5_ini'     (ID {C1AF0670-BBF1-4AA6-B2A6-6C8B1584A1F4})
    krb.con     : 'cmf_krb_con'      (ID {5391A051-CF14-45FF-BF64-CEE78A7A90C2})
    krbrealm.con: 'cmf_krbrealm_con' (ID {D667B54F-1C98-43FB-87C6-0F0517623B90})

----------------------------------------------------------------------

3.  Network Identity Manager Settings

    Configuration options for Network Identity Manager (NetIDMgr) are
    stored in the Windows registry.  Each option can exist in the user
    registry hive or the machine registry hive or both.  The value
    defined in the user hive always overrides the value defined in the
    machine registry hive.

    All registry keys used by NetIDMgr exist under the key
    'Software\MIT\NetIDMgr' under the user and machine hive.
    Deploying a specific configuration option can be achieved by
    setting the corresponding registry value either by authoring the
    keys into the MSI via a transform or by deploying a registry based
    Group Policy Object.  For deployment purposes, it is advisable to
    deploy values to the machine hive instead of the user hive.
    Deploying per user settings via the MSI is not supported at this
    time.

3.1  Common settings for NetIDMgr

    The following sections describe a partial list of options that can
    be specified for NetIDMgr.  Each set of options is described as a
    set of registry values.  Each section is preceded by the registry
    key under which the values of that section must be specified.

3.1.1  General settings

    Registry key : 'Software\MIT\NetIDMgr\CredWindow'
    --------------

    Value   : AllowAutoRenew
    Type    : DWORD (Boolean)
    Default : 1

        Enables automatic credential renewal.


    Value   : AllowCritical
    Type    : DWORD (Boolean)
    Default : 1

        Enables critical warning notifications.


    Value   : AllowWarn
    Type    : DWORD (Boolean)
    Default : 1

        Enables warning notifications.


    Value   : AutoDetectNet
    Type    : DWORD (0 or 1)
    Default : 1

        If '1', automatically detects network connectivity changes.
        Network connectivity change notifications are then sent out to
        individual plug-ins which can perform actions such as renewing
        credentials or obtaining new credentials.


    Value   : AutoImport
    Type    : DWORD (0 or 1)
    Default : 1

        If '1', imports credentials from the Windows LSA cache when
        NetIDMgr starts.


    Value   : AutoInit
    Type    : DWORD (0 or 1)
    Default : 0

        If this value is '1', shows the new credentials dialog if
        there are no credentials when NetIDMgr starts.


    Value   : AutoStart
    Type    : DWORD (0 or 1)
    Default : 0

        Starts NetIDMgr when Windows starts.


    Value   : AutoRenewThreshold
    Type    : DWORD (seconds)
    Default : 600

        Specifies the time period before credential expiration that will
        trigger a credential renewal.  Requires AllowAutoRenew to be enabled.


    Value   : CriticalThreshold
    Type    : DWORD (seconds)
    Default : 300

        Specifies the time period before credential expiration that will
        trigger the second and final warning balloon.  Requires AllowCritical
        to be enabled.


    Value   : DefaultAllowAutoRenew
    Type    : DWORD (Boolean)
    Default : 1

        Specifies the default AllowAutoRenew value for new identities.


    Value   : DefaultSticky
    Type    : DWORD (0 or 1)
    Default : 1

        If '0', new identities will not be pinned to the display by default.
        If '1', new identities will be pinned to the display by default.


    Value   : DefaultWindowMode
    Type    : DWORD (0 or 1)
    Default : 1

        If '0', Advanced mode is used.
        If '1', Basic mode is used.


    Value   : DestroyCredsOnExit
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', all credentials will be destroyed when NetIDMgr exits.


    Value   : KeepRunning
    Type    : DWORD (0 or 1)
    Default : 1

        If '1', when the NetIDMgr application is closed, it will continue
        to run in the Windows System Notification Area (System Tray).
        The application can be exited by choosing the 'Exit' menu
        option.  If '0', closing the application will cause it to
        exit completely.


    Value   : LogToFile
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', debugging information is logged to %TEMP%\nidmdbg.log


    Value   : NotificationAction
    Type    : DWORD (50008 or 50025)
    Default : 50025

        If '50025', the default notification icon menu action will be to
        show the Network Identity Manager application windows.
        If '50008', the default notification icon menu action will be to
        display the Obtain New Credentials dialog.


    Value   : RefreshTimeout
    Type    : DWORD (seconds)
    Default : 60

        Specifies how often the credential list is refreshed.


    Value   : RenewAtHalfLife
    Type    : DWORD (Boolean)
    Default : 1

        Enables the use of a half-life algorithm for credential renewals.


    Value   : WarnThreshold
    Type    : DWORD (seconds)
    Default : 900

        Specifies the time period before credential expiration that will
        trigger the first warning balloon.  Requires AllowWarn to be enabled.


3.1.2  Common Plug-in settings

    Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\<plug-in name>'
    --------------

    The '<plug-in name>' is one of the following for the standard plug-ins:

        Krb5Cred : Kerberos 5 credentials provider
        Krb5Ident: Kerberos 5 Identity provider

    Consult the vendors for the plug-in names of other third party
    plug-ins.  Additionally, the plug-ins configuration panel in the
    NetIDMgr application provides a list of currently registered
    plug-ins.

    Value   : Disabled
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', the plug-in will not be loaded.

    Value   : NoUnload
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', the plug-in will not be unloaded from memory when the
        NetIDMgr application exits or if the plug-in is stopped.  The
        plug-in binary will remain loaded until NetIDMgr terminates.

3.1.3  Settings for the Kerberos 5 credentials provider plug-in

    Registry key : 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
    --------------

    Value   : AutoRenewTickets
    Type    : DWORD (0 or 1)
    Default : 1

        If '1', automatically renews expiring tickets.  The thresholds
        at which renewals happen are controlled in general NetIDMgr
        settings.

    Value   : CreateMissingConfig
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', creates any missing configuration files.

    Value   : MsLsaList
    Type    : DWORD (0 or 1)
    Default : 1

        If '1', includes credentials from the MSLSA cache in the
        credentials listing.


    Value   : UseFullRealmList
    Type    : DWORD (0 or 1)
    Default : 0

        If '1', uses the full realms list as determined by parsing the
        krb5.ini configuration file in the new credentials dialog box.
        If this is '0', only the last recently used list of realms
        will be used.


3.1.3.1  Per-identity settings

    Registry key 1: 'Software\MIT\NetIDMgr\KCDB\Identity\<principal name>\Krb5Cred'
    Registry key 2: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters\Realms\<realm>'
    Registry key 3: 'Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters'
    --------------

    These settings are generally maintained per-identity.  However, if
    a particular setting is not specified for an identity or if the
    identity is new, then the values will be looked up in the
    per-realm configuration key and in the global parameters key in
    turn.  Global defaults should be set in the global parameters key
    (key 3).

    Value   : Addressless
    Type    : DWORD (boolean)
    Default : 1

        Determines if addressless tickets will be obtained for new identities.


    Value   : DefaultLifetime
    Type    : DWORD
    Default : 36000

        Default ticket lifetime, in seconds.

    Value   : DefaultRenewLifetime
    Type    : DWORD
    Default : 604800

        Default renewable lifetime, in seconds.

    Value   : FileCCList
    Type    : SZ
    Default : <not specified>

        Specifies a comma delimited list of FILE credential caches to monitor
        for credentials.

    Value   : Forwardable
    Type    : DWORD (0 or 1)
    Default : 0

        Obtain forwardable tickets.

    Value   : MaxLifetime
    Type    : DWORD
    Default : 86400

        Maximum lifetime, in seconds.  This value is used to set the
        range of the user interface controls that allow setting the
        lifetime of a ticket.

    Value   : MaxRenewLifetime
    Type    : DWORD
    Default : 2592000

        Maximum renewable lifetime, in seconds.  The value is used to
        set the range of the user interface controls that allow
        setting the renewable lifetime of a ticket.

    Value   : MinLifetime
    Type    : DWORD
    Default : 60

        Minimum lifetime, in seconds.  This value is used to set the
        range of the user interface controls that allow setting the
        lifetime of a ticket.

    Value   : MinRenewLifetime
    Type    : DWORD
    Default : 60

        Minimum renewable lifetime, in seconds.  This value is used to
        set the range of the user interface controls that allow
        setting the renewable lifetime of a ticket.

    Value   : Proxiable
    Type    : DWORD (0 or 1)
    Default : 0

        Obtain proxiable tickets.

    Value   : Renewable
    Type    : DWORD (0 or 1)
    Default : 1

        Obtain renewable tickets.
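
    When checking that a machine-hive deployment is actually in effect,
    it helps to see which key supplies each value.  The PowerShell below
    is an added example, not part of the original guide or the KfW
    sources.  It walks keys 1, 2 and 3 in the order described above and
    assumes that, within each key, the user hive is consulted before the
    machine hive (the guide states the hive precedence and the key order
    separately, not how they combine).  The principal name is constructed.

```powershell
# Added example (not from the KfW sources). Assumption: for each of the three
# keys the user hive is checked before the machine hive, and only then does
# lookup fall through to the next key. Reads the registry view of the
# current PowerShell process (32-bit vs 64-bit).
$Krb5CredDefaults = @{      # defaults as documented in this section
    Addressless = 1; DefaultLifetime = 36000; DefaultRenewLifetime = 604800
    Forwardable = 0; MaxLifetime = 86400; MaxRenewLifetime = 2592000
    MinLifetime = 60; MinRenewLifetime = 60; Proxiable = 0; Renewable = 1
}

function Get-Krb5CredSetting {
    param(
        [Parameter(Mandatory)] [string] $Principal,
        [Parameter(Mandatory)] [string] $Name
    )
    $realm = ($Principal -split '@')[-1]
    $base  = 'Software\MIT\NetIDMgr'
    $keys  = @(
        "$base\KCDB\Identity\$Principal\Krb5Cred",                        # key 1
        "$base\PluginManager\Plugins\Krb5Cred\Parameters\Realms\$realm",  # key 2
        "$base\PluginManager\Plugins\Krb5Cred\Parameters"                 # key 3
    )
    $hives = @(
        @{ Label = 'HKCU'; Root = [Microsoft.Win32.Registry]::CurrentUser },
        @{ Label = 'HKLM'; Root = [Microsoft.Win32.Registry]::LocalMachine }
    )
    foreach ($key in $keys) {
        foreach ($hive in $hives) {
            $sub = $hive.Root.OpenSubKey($key)      # $null when the key is absent
            if ($null -eq $sub) { continue }
            try     { $value = $sub.GetValue($Name) }
            finally { $sub.Close() }
            if ($null -ne $value) {
                return [pscustomobject]@{
                    Name = $Name; Value = $value; Source = "$($hive.Label)\$key"
                }
            }
        }
    }
    # Nothing set anywhere: fall back to the default listed in this section.
    [pscustomobject]@{
        Name = $Name; Value = $Krb5CredDefaults[$Name]; Source = 'documented default'
    }
}

# Constructed principal; shows which key supplies each delegation-related flag.
'Forwardable', 'Proxiable', 'Renewable', 'MaxRenewLifetime' |
    ForEach-Object { Get-Krb5CredSetting -Principal 'alice@EXAMPLE.COM' -Name $_ }
```

    A 'Source' that starts with HKCU means a per-user value is taking
    precedence over whatever was deployed to the machine hive.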


----------------------------------------------------------------------

4.  Additional Resources

    If you want to add registry keys or files you need to create new
    components and features for those.

    Add new features under the 'feaKfwClient' feature and set the
    'Level' column for those features to equal the 'Level' for their
    parent features for consistency.  Note that none of the features
    in the "Kerberos for Windows" MSI package are designed to be
    installed to run from 'source' or 'advertised'.  It is recommended
    that you set 'msidbFeatureAttributesFavorLocal' (0),
    'msidbFeatureAttributesFollowParent' (2) and
    'msidbFeatureAttributesDisallowAdvertise' (8) attributes for new
    features.

    If you are creating new components, retain the same component GUID
    when creating new transforms against new releases of the Kerberos
    MSI package.

    It is beyond the scope of this document to provide a comprehensive
    overview of how to add new resources through a transform.  Please
    refer to the "Windows Installer" documentation for details.  The
    relevant section is at:

        http://msdn.microsoft.com/library/en-us/msi/setup/using_transforms_to_add_resources.asp

    A sample walkthrough of adding a new configuration file is in
    section 2.3.

----------------------------------------------------------------------

5.  Upgrades

    The MSI package is designed to uninstall previous versions of
    "Kerberos for Windows" during installation.  Note that it doesn't
    directly upgrade an existing installation.  This is intentional
    and ensures that development releases which do not have strictly
    increasing version numbers are properly upgraded.

    Versions of Kerberos that are upgraded by the MSI package are:

    1) "Kerberos for Windows" 32-bit i386 MSI package

       Upgrade code {61211594-AAA1-4A98-A299-757326763CC7}
       Up to current release

    2) "Kerberos for Windows" 64-bit amd64 MSI package

       Upgrade code {6DA9CD86-6028-4852-8C94-452CAC229244}
       Up to current release

    3) "MIT Project Pismere Kerberos for Windows" MSI package and
       "MIT SWRT Kerberos for Windows" MSI

       Upgrade code {83977767-388D-4DF8-BB08-3BF2401635BD}
       All versions

    4) "Kerberos for Windows" NSIS package

       All versions

    Note that versions of the "Kerberos for Windows" NSIS package had
    a bug where it couldn't be uninstalled properly in unattended
    mode.  Therefore the MSI package will not try to uninstall a
    "Kerberos for Windows" NSIS package if running unattended.  This
    means that group policy based deployments will fail on machines
    that have the "Kerberos for Windows" NSIS package installed.

    If you have used a different MSI package to install Kerberos for
    Windows and wish to upgrade it you can author rows into the
    'Upgrade' table to have the "Kerberos for Windows" MSI replace these
    installations for you.

----------------------------------------------------------------------

6.  FAQ

    (Q/A's will be added here as needed)

----------------------------------------------------------------------
$Id$