Registry Settings

Following the conventions used by Network Identity Manager, the settings for the KCA provider are maintained in the user and machine registry hives. The layout of the settings is identical in both the user and machine hives. User settings override machine settings.

When obtaining credentials for an identity, the settings are looked up from the following locations (in order):

For example, if credentials are being obtained for the Kerberos principal user@EXAMPLE.COM, the locations in which settings will be searched for are:

Global settings

Location:
(user) HKCU\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters
(machine) HKLM\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters

This location contains the settings that control the overall behavior of the provider. These settings are applied to any identity for which there are no per-identity or applicable per-realm configuration settings.

Values

KCAEnabled (DWORD)

Boolean value. Obtains KCA certificates if non-zero. If no certificates are specified for an identity, then the plug-in will attempt to obtain a certificate for the identity realm.

Per-realm settings

Per-realm settings are chosen based on the realm of the identity principal. They are only effective if no per-identity settings are specified.

Location:
(user) HKCU\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters\Realms\<realm>
(machine) HKLM\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters\Realms\<realm>

Values

KCAEnabled (DWORD)

Boolean value. If non-zero, obtains credentials for this realm.

NCerts (DWORD)

An integer. Specifies the number of certificates that must be obtained for this realm.

Cert_n (String)

Certificate number n, where n ranges from 0 to (NCerts - 1). Each specified string will be of the following format:

realm=<realm>,hosts=<hosts>

Note that only one certificate can be specified for a given realm. If more than one string specifies a certificate for a given realm, then only the first setting will be effective.

The special tokens [Identity] and [Automatic] are case sensitive.

E.g.:

NCerts: 2

Cert_0: realm=[Identity],hosts=[Automatic]

Cert_1: realm=EXAMPLE.COM,hosts=kca1.example.com kca2.example.com kca3.example.com

The set of registry values above declares two KCA certificates. The first certificate is for the realm of the identity; its KCA hosts will be determined automatically. The second certificate is for the realm EXAMPLE.COM and will be obtained using the KCA hosts kca1.example.com, kca2.example.com and kca3.example.com.

Per-identity settings

Location (identity-specific):
(user) HKCU\Software\MIT\NetIDMgr\KCDB\Identity\<identity name>\KCACert

Location (defaults for all identities):
(user) HKCU\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters
(machine) HKLM\SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters

Values

KCAEnabled (DWORD)

Boolean value. If non-zero, obtains credentials for this identity.

NCerts (DWORD)

An integer. Specifies the number of certificates that must be obtained for this identity.

Cert_n (String)

Certificate number n, where n ranges from 0 to (NCerts - 1). Each specified string will be of the following format:

realm=<realm>,hosts=<hosts>

Note that only one certificate can be specified for a given realm. If more than one string specifies a certificate for a given realm, then only the first setting will be effective.

The special tokens [Identity] and [Automatic] are case sensitive.

E.g.:

NCerts: 2

Cert_0: realm=[Identity],hosts=[Automatic]

Cert_1: realm=EXAMPLE.COM,hosts=kca1.example.com kca2.example.com kca3.example.com

The set of registry values above declares two KCA certificates. The first certificate is for the realm of the identity; its KCA hosts will be determined automatically. The second certificate is for the realm EXAMPLE.COM and will be obtained using the KCA hosts kca1.example.com, kca2.example.com and kca3.example.com.
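The following Python is an added example, not part of this documentation and not the KCA plug-in's own code. It models the lookup order (per-identity, then per-realm, then global, with user-hive values overriding machine-hive values) and the Cert_n string format described in both the per-realm and per-identity sections above, so that a reader can see which certificate specifications become effective for a given principal. An in-memory dict stands in for the registry; the paths, values and principals in it are constructed sample data, and nothing is read from Windows or contacted over the network. Points the page leaves open are treated as labelled assumptions: user-hive values override machine-hive values one value at a time; a level whose key is absent is skipped rather than disabling the provider; a key that exists but has no KCAEnabled value counts as disabled; the "only the first certificate for a realm" rule is applied after [Identity] has been resolved to the principal's realm; and an enabled level that lists no certificates falls back to one certificate for the identity realm, as the page describes for the global KCAEnabled value.

```python
"""Model of the KCA provider's settings lookup as documented above.

A nested dict stands in for the registry (constructed sample data). Nothing here
reads the Windows registry or contacts a KCA host; it only shows which certificate
specifications become effective for a given identity.
"""
from dataclasses import dataclass

# Key paths copied from the documentation above.
PARAMETERS = r"SOFTWARE\MIT\NetIDMgr\PluginManager\Plugins\KCACred\Parameters"
REALM_KEY = PARAMETERS + r"\Realms\{realm}"
IDENTITY_KEY = r"Software\MIT\NetIDMgr\KCDB\Identity\{identity}\KCACert"


@dataclass(frozen=True)
class CertSpec:
    realm: str
    hosts: tuple  # empty tuple = [Automatic]: hosts are discovered, not configured


def parse_cert_value(value, identity_realm):
    """Parse one Cert_n string, 'realm=<realm>,hosts=<hosts>' (hosts space-separated)."""
    realm_part, sep, hosts_part = value.partition(",hosts=")
    if not sep or not realm_part.startswith("realm="):
        raise ValueError(f"malformed Cert_n value: {value!r}")
    realm = realm_part[len("realm="):].strip()
    hosts_part = hosts_part.strip()
    # Tokens are case sensitive per the documentation: '[identity]' is a literal realm name.
    if realm == "[Identity]":
        realm = identity_realm
    hosts = () if hosts_part == "[Automatic]" else tuple(hosts_part.split())
    return CertSpec(realm, hosts)


def read_certs(values, identity_realm):
    """Build the list of effective CertSpecs from one key's NCerts / Cert_n values."""
    specs, seen = [], set()
    for i in range(int(values.get("NCerts", 0))):
        raw = values.get(f"Cert_{i}")
        if raw is None:
            continue  # Cert_i absent although NCerts says it should exist: skip it
        spec = parse_cert_value(raw, identity_realm)
        # Only the first entry for a realm is effective (assumption: compared after
        # [Identity] has been resolved to the principal's realm).
        if spec.realm in seen:
            continue
        seen.add(spec.realm)
        specs.append(spec)
    return specs


def _read_key(registry, path, hives):
    """Merge one key across hives; user (HKCU) values override machine (HKLM) values.

    Assumption: the override is per value. Returns None if no hive has the key."""
    merged, found = {}, False
    for hive in reversed(hives):  # machine first, so the user hive overwrites it
        if path in registry.get(hive, {}):
            found = True
            merged.update(registry[hive][path])
    return merged if found else None


def effective_certs(registry, identity):
    """Resolve the certificates for a principal: per-identity, then per-realm, then global."""
    _, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        raise ValueError("identity must be a Kerberos principal of the form user@REALM")
    levels = [
        (IDENTITY_KEY.format(identity=identity), ("HKCU",)),  # page lists the user hive only
        (REALM_KEY.format(realm=realm), ("HKCU", "HKLM")),
        (PARAMETERS, ("HKCU", "HKLM")),
    ]
    for path, hives in levels:
        values = _read_key(registry, path, hives)
        if values is None:
            continue  # nothing configured at this level; fall through to the next
        # Assumption: a key that exists without a KCAEnabled value counts as disabled.
        if not int(values.get("KCAEnabled", 0)):
            return []
        certs = read_certs(values, realm)
        # No certificates listed: obtain one for the identity realm with automatic hosts.
        return certs or [CertSpec(realm, ())]
    return []


# Constructed sample data mirroring the documented layout (not a real machine's registry).
SAMPLE_REGISTRY = {
    "HKLM": {
        PARAMETERS: {"KCAEnabled": 1},  # global default: no Cert_n entries listed
        REALM_KEY.format(realm="CORP.EXAMPLE"): {
            "KCAEnabled": 1, "NCerts": 2,
            "Cert_0": "realm=[Identity],hosts=[Automatic]",
            "Cert_1": "realm=EXAMPLE.COM,hosts=kca1.example.com kca2.example.com kca3.example.com",
        },
        REALM_KEY.format(realm="DISABLED.NET"): {
            "KCAEnabled": 1, "NCerts": 1, "Cert_0": "realm=[Identity],hosts=[Automatic]"},
    },
    "HKCU": {
        IDENTITY_KEY.format(identity="alice@CORP.EXAMPLE"): {
            "KCAEnabled": 1, "NCerts": 2,
            "Cert_0": "realm=OTHER.ORG,hosts=kca.other.org",
            "Cert_1": "realm=OTHER.ORG,hosts=second.other.org",  # same realm again: ignored
        },
        REALM_KEY.format(realm="DISABLED.NET"): {"KCAEnabled": 0},  # user value wins over HKLM
    },
}

if __name__ == "__main__":
    for principal in ("bob@CORP.EXAMPLE", "alice@CORP.EXAMPLE",
                      "carol@DISABLED.NET", "dave@NOWHERE.ORG"):
        print(principal, effective_certs(SAMPLE_REGISTRY, principal))
```

Running the block prints the effective certificate list for each constructed principal: bob falls through to his realm's settings and gets two certificates (one for CORP.EXAMPLE with automatic hosts, one for EXAMPLE.COM with the three listed hosts), alice's per-identity key takes precedence and her duplicate OTHER.ORG entry is dropped, carol gets nothing because the user-hive KCAEnabled=0 overrides the machine-hive realm settings, and dave has no identity or realm settings and so falls back to the global default of one certificate for his own realm.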