Kerberos cannot resolve netapi32.dll in CE5.0 after QFE updates

If you install the recent CE 5.0 QFE’s AND try to build Kerberos.dll, you will run into a bug that unfortunately was introduced in this QFE.  Check out customer thread alerting us to it here.

Short summary is that customer is seeing:

“Warning: Unable to do imports from kerberos.dll to NETAPI32.dll – will late bind”

Root cause:

To fix a problem with how Kerberos resolves domain names (basically turning REDMOND domain into a DC controller, Kerberos was changed to call into the official NetApi32 DsGetDcName instead of using a private interface.  This meant that kerberos has a dependency on Netapi32.dll being in the image which previously it did not.  Customers never think about dependency logic (or hardly ever) because Microsoft runs a large suite of tests to make sure that if component A relies on component B being in the image it explicitly sets it (Kerberos needing Netapi32 in this case) and we fix these issues before releasing the product.

In this case, because it was a QFE we don’t usually add dependencies like this, so we didn’t catch the dependency prior to QFE release.

The customer workaround is straightforward.  Basically set SYSGEN_NETAPI32=1 (I’m not sure what exactly this translates to in the IDE catalog, probably something like “Domain Discovery”).  You only need to do this if you include Kerberos component, which most devices do not.  As near as I can tell, the only way you get kerberos is of course if you manually include it, or if you bring in the voipPhone local authentication plugin (SYSGEN_VOIPPHONE_LAP).

We apologize for the inconvenience.  We’re going to be releasing the same QFE effectively in CE6.0 and we will fixup the dependencies prior to releasing that QFE.


Comments (0)