Hello wonderful Kerberos people,

I'd like to request a new format/support for keytabs to be stored in the Windows Registry. This would enable me to use Group Policy to push specific registry keys (and therefore keytabs) to groups of machines that need to share a specific key, either a cluster of machines serving web pages (HTTP/clustername) or some similar function. It will also allow me to push a dummy keytab simply to validate that the KDC itself isn't being spoofed or perhaps for some type of authenticated DNS or LDAP look-ups that need to be performed by the SYSTEM account.

In some instances, admins may want to use Group Policy to permanently assign a keytab to a group of machines in this way. If the machine ever gets reinstalled, the keytab will be automatically re-applied to the machine via Group Policy once the computer is joined to the domain. This would completely eliminate the need to keep track of versions and distribution of actual keytab files in addition to allowing the keytab for an entire cluster of machines to be changed all at once. No older versions around messing things up.

I believe that OpenAFS for Windows will soon have support for authenticated anonymous access to a cell and this same procedure can be used to distribute a keytab that the OpenAFS client could use for anonymous authentication. Having all anonymous connections authenticated allows for encryption and the ability to get rid of IP-based ACLs. This is very useful for things like software distribution using GPO or other methods that require the SYSTEM account to read data out of AFS.