The OpenAFS distribution ships with its own implementation of Kerberos v4 and although it is Kerberos v5 capable, it relies on third-party Kerberos v5 libraries. The OpenAFS 1.4 series (and later) integrates with Heimdal or MIT Kerberos for Windows 2.6.5 and above. OpenAFS Kerberos v5 capable functionality includes integrated logon, the AFS Authentication Tool, the Network Identity Manager AFS provider, and the aklog command. These tools provide support for Kerberos v5 authentication including acquisition and automatic renewal of AFS tokens as well as support for single sign-on via the Microsoft Windows Kerberos Logon Service.
The recommended versions of Heimdal and MIT Kerberos for Windows are distributed by Secure Endpoints Inc.. As of this writing, the Secure Endpoints Inc. distribution provides 64-bit Windows support which is unavailable from MIT. KFW 3.2.2 includes Network Identity Manager 1.3.1 which integrates with the AFS Provider installed as part of OpenAFS for Windows. The most recent version of Network Identity Manager is version 2.1 which is available as an independent upgrade to MIT Kerberos for Windows. Heimdal does not include a version of Network Identity Manager.
With Heimdal or Kerberos for Windows installed, the OpenAFS for Windows client can perform authentication to AFS services using Kerberos v5 service tickets as AFS tokens. When a Kerberos v5 derived AFS token is used, all of the AFS Volume Location and File Servers within the authenticated cell must support Kerberos v5. If a Kerberos v5 based token is presented to an AFS server that does not support them, the server will be unable to respond to the client. Attempts to access AFS volumes stored on such a server will fail with the Windows STATUS_NO_KERB_KEY (0xC0000322L) error. Kerberos v5 based tokens are supported by OpenAFS revisions 1.2.8 or later. IBM AFS 3.6 servers do not support Kerberos v5.