Installing Kerberos For Windows 3.2.x


  • As of this comment (10 Dec 2012), MIT has released MIT Kerberos for Windows 4.x. This release of Kerberos does not contain an AFS plugin and therefore will not automatically obtain AFS tokens. We currently do not recommend installing or using MIT Kerberos for Windows 4 until it has proper AFS support.

Kerberos Installation Instructions:


This .zip file contains a custom CSAIL kfw-3-2-x.msi package, as well as custom CSAIL copies of:
  • krb5.ini
  • krb.con
  • krbrealm.con

The custom .msi package is intended for CSAIL members who want to install Network Identity Manager with the proper CSAIL environment and realm variables set. Running the .msi installs Kerberos for Windows (Network Identity Manager) and copies krb5.ini, krb.con and krbrealm.con to your %systemroot% directory (usually c:\windows). If you have a previous version of KfW installed, it will not overwrite the existing krb5.ini, krb.con and krbrealm.con files.


  • Before installation, uninstall any previous KfW versions.
  • Unzip the package
  • Run the kfw-3-2-x.msi installer(s)
    • For 64-bit Windows operating systems, first install 64-bit Kerberos. Then install 32-bit Kerberos on top of 64-bit Kerberos, only after verifying that 64-bit Kerberos is working.
  • Click next, accept the License Agreement, click next.
  • Choose 'Typical' for Setup Type, click install, click finish.


  • Launch the Network Identity Manager
    Start -> Programs -> Kerberos for Windows -> Network Identity Manager

  • Click on the 'Obtain New Credentials' button highlighted below


  • Enter your CSAIL username and password, and choose CSAIL.MIT.EDU as your domain. When you have successfully entered your username and password, Network Identity Manager will automatically create a new identity for you (unless you already have one).


Using Kerberos with SSH

Both PuTTY and SecureCRT can be used for connecting to CSAIL Debian hosts without passwords. Kerberos tickets allow passwordless logins and, assuming ticket delegation is turned on, also allow access to AFS files once logged in. PuTTY is recommended as a leaner, freer, and more reliable alternative, while SecureCRT has convenient integrated graphical file transfer.

For PuTTY (v0.61 or later), create a Saved Session with CSAIL-specific settings. In PuTTY Configuration:
  1. In Connection -> SSH -> Auth -> GSSAPI, set "Allow GSSAPI credential delegation" to YES
  2. In Connection -> Data, set "Auto-login username" to your CSAIL username
  3. In Session, leave Host Name blank and use csail as the session name under "Saved Settings"
  4. Click "Save"
To connect manually, click csail and Load, then enter a Host Name like and click Open.

PuTTY is officially available only in 32-bit form. For 64-bit versions of Windows, this means you will need to have both 64-bit and 32-bit versions of Kerberos installed. See the top of this page.

For SecureCRT:
  • In either "Quick Connect" or Connection Properties -> SSH2, move GSSAPI to be the top item in the "Authentication" list.
  • If Kerberos allows you to connect but you can't see/edit AFS files and the output of klist starts with "No credentials cache found", make sure that in the "Authentication" list, GSSAPI -> Properties -> Delegation is set to "Full"
  • For automated connections like svn, use SecureCRT 5.1's vsh.exe. It may need a one-line batch file wrapper: @VSH.EXE -kex Kerberos %*
WARNING: There is a poorly understood issue preventing delegation from completing successfully using SecureCRT on some Windows installations. Please run klist after connecting to confirm that tickets made it to the remote system; if not, try PuTTY or email help@csail.

General tips:
  • Make sure you have non-expired Kerberos tickets before connecting (check using Network Identity Manager).
  • If you want to use CSAIL Kerberos tickets to connect to ATHENA hosts (or vice versa), see CrossCellHowto#Using_SSH_cross_realm

MIT Kerberos and OpenAFS for Windows issues

When getting Kerberos tickets using MIT Kerberos Leash Manager, you get an error saying "Ticket Initialization failed. Clock skew too great"

This error is usually due to a large difference between the timestamp stored in your Kerberos ticket and the time on the network servers on the internet. A difference as small as three minutes can cause trouble. Change your computer's clock settings to reflect the actual time on the network time servers. Before changing the time, shut down all applications that require Kerberos tickets. We also recommend synchronizing the time using Leash Manager.
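
The clock-skew condition described above can be measured before requesting tickets. The following is an added example, not CSAIL's or MIT's code: it computes the local clock's offset from an NTP server using the four SNTP timestamps and compares it with the three-minute figure given on this page. The function names, the `server` parameter and the constructed reply packet are assumptions for illustration.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
SKEW_LIMIT_S = 180             # assumption: the three-minute figure quoted on this page

def _to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def clock_offset(reply, t1, t4):
    """Seconds the local clock is behind (+) or ahead of (-) the server.
    t1 / t4: local Unix time when the request left / the reply arrived."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:      # need mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2, t3 = _to_unix(rx_s, rx_f), _to_unix(tx_s, tx_f)
    return ((t2 - t1) + (t3 - t4)) / 2              # standard SNTP offset formula

def skew_verdict(offset, limit=SKEW_LIMIT_S):
    return "ok" if abs(offset) < limit else "fix clock before requesting tickets"

def query(server, timeout=3.0):
    """Live check against `server` (hypothetical parameter: your site's NTP host)."""
    request = b"\x23" + 47 * b"\0"                  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def constructed_reply(server_unix_time):
    """Constructed sample reply: mode 4, stratum 2, receive == transmit timestamp."""
    secs = int(server_unix_time) + NTP_EPOCH_DELTA
    return struct.pack("!BBbb11I", 0x24, 2, 0, -20, *([0] * 7), secs, 0, secs, 0)

if __name__ == "__main__":
    t1 = 1_700_000_000.0                            # constructed local send time
    reply = constructed_reply(t1 + 240)             # server is four minutes ahead
    off = clock_offset(reply, t1, t1 + 0.1)
    print(f"offset {off:+.2f}s -> {skew_verdict(off)}")
```

For a live measurement, call `skew_verdict(query(...))` with the NTP host your site designates.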

Topic revision: 22 May 2018, JasonDorfman

MIT Computer Science and Artificial Intelligence Laboratory

