W2K and Kerberos at FNAL Jack Schmidt schmidt@fnal.gov Mark Kaletka kaletka@fnal.gov
Background • Please wait for Dane Skow’s talk for Fermilab strong authentication details. • Fermilab’s goal: • Site-wide strong authentication by Dec. 31; • Based on Kerberos 5; • Impacts on Windows 2000 migration?
Goals • Provide single password for all users. • Use only Kerberos for user authentication and resource access in W2K domain. • Use existing Unix MIT KDC for user authentication. • MIT KDC in pilot use for 2 years. • About to go into production. • Desktops and servers must be able to contact secondary MIT KDCs and W2K DCs. • E.g. CDF systems need to communicate with CDF KDC and DC.
Using the MIT KDC w/ W2K • Use the MIT KDC for user authentication (the initial TGT). • The W2K DC, acting as KDC for the domain, issues service tickets for domain resources through the cross-realm trust. • Microsoft documents how to do this: • “Step-by-Step Guide to Kerberos 5 Interoperability”
Using the MIT KDC w/ W2K: General Approach • Trust needs to be established between MIT KDCs (main and remote) and top level W2K DC’s. • Transitive trusts need to be established for all down-level W2K DC’s. • Principals must be mapped to W2K account. • Clients need to be modified (registry) to contact correct remote KDC for quicker log in.
Using the MIT KDC w/ W2K: Technical Details • Establish trust between the MIT realm and the W2K domain: • Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot DC); • Establish the MIT KDC trust on the W2K DC (MMC = Microsoft Management Console, Active Directory Domains and Trusts snap-in); • Complete the trust on the MIT KDC; • Create a transitive trust on the W2K DC using the netdom command-line tool (the transitive trust is what lets down-level DCs, e.g. in child domains, honour it); • Create user accounts on the W2K DC: • Map each MIT user principal to its W2K user account; • Add the realm entry to workstations: • Modify W2K workstations (registry) to contact the MIT KDC for login (reboot workstation).
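The procedure above, as an added worked example (not from the slides and not Fermilab's deployment scripts): the W2K-side steps typed at a cmd or PowerShell prompt on the DC and on a workstation, with the matching MIT kadmin step shown in comments. The realm FNAL.GOV, the W2K domain WIN.FNAL.GOV, the KDC host names and the user are assumed placeholders; the ksetup and netdom options are the standard ones shipped in the W2K Support Tools, and the ADSI attribute write is the command-line equivalent of the Name Mappings dialog the slides drive through the MMC.

```powershell
# Added example, not from the FNAL slides. Placeholders (not Fermilab's real names):
#   MIT realm      : FNAL.GOV                 (realm names are case-sensitive: keep uppercase)
#   MIT KDCs       : kdc1.fnal.gov, kdc2.fnal.gov   (primary and secondary)
#   W2K domain     : WIN.FNAL.GOV
#   Trust password : one shared secret, typed identically on the W2K and MIT sides
$Realm = 'FNAL.GOV'
$Kdcs  = 'kdc1.fnal.gov', 'kdc2.fnal.gov'
$Dom   = 'WIN.FNAL.GOV'

# ---- 1. On the W2K DC: register the MIT realm and its KDCs (reboot afterwards) ----
foreach ($k in $Kdcs) { ksetup /addkdc $Realm $k }
ksetup /addkpasswd $Realm $Kdcs[0]            # where password-change requests for the realm go
# ksetup stores this under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\<REALM>,
# which the LSA reads at boot; hence the reboot.

# ---- 2. Create the realm trust and make it transitive ----
# The slides create the trust in the Domains and Trusts snap-in; netdom does the same thing
# from the command line. /realm marks the trusted side as a non-Windows Kerberos realm.
$TrustPw = Read-Host 'Cross-realm trust password'
netdom trust $Dom "/Domain:$Realm" /add /realm "/PasswordT:$TrustPw"
netdom trust $Dom "/Domain:$Realm" /Transitive:yes   # needed so child-domain DCs honour the trust

# ---- 3. On the MIT KDC (krb5 1.2, kadmin) the other half of the trust, same password ----
#   kadmin: addprinc -e des-cbc-crc:normal krbtgt/WIN.FNAL.GOV@FNAL.GOV
#   kadmin: addprinc -e des-cbc-crc:normal krbtgt/FNAL.GOV@WIN.FNAL.GOV   (only for a two-way trust)
# W2K and MIT of this era share only the DES enctypes for cross-realm keys, hence des-cbc-crc.

# ---- 4. Map an MIT principal onto a W2K domain account ----
# Equivalent of Name Mappings -> Kerberos Names in AD Users and Computers: AD keeps the
# mapping in the altSecurityIdentities attribute with a "Kerberos:" prefix.
function Add-KerberosNameMapping {
    param([string]$UserDn, [string]$Principal)
    $u = [ADSI]"LDAP://$UserDn"
    $u.PutEx(3, 'altSecurityIdentities', @("Kerberos:$Principal"))   # 3 = ADS_PROPERTY_APPEND
    $u.SetInfo()
}
Add-KerberosNameMapping 'CN=jdoe,CN=Users,DC=win,DC=fnal,DC=gov' "jdoe@$Realm"   # placeholder user

# ---- 5. On each W2K workstation (SP1 or later): add the realm entry, then reboot ----
# This is the registry change the slides mention; without it logon falls back to slow KDC
# discovery or fails outright. Do NOT use "ksetup /setdomain" on a domain-joined machine:
# that makes the workstation a stand-alone member of the MIT realm instead.
foreach ($k in $Kdcs) { ksetup /addkdc $Realm $k }
# The same values can be pushed domain-wide with a security template; inspect what ksetup wrote:
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
```

The trust password in step 2/3 is the key that every W2K service ticket issued to an MIT user ultimately chains back to, and in this setup it is a single-DES key; treat it as you would the krbtgt key of the domain, generate it randomly, and rotate it on both sides together.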
Using the MIT KDC w/ W2K: Technical Issues • Workstations must have the Kerberos realm added or users will not be able to log in. • A security template can be used to push the realm setting across the W2K domain. • A transitive trust must be established or users in child domains will not be authenticated via Kerberos. • Failure notification is slow when an incorrect MIT Kerberos principal is entered (about 1 minute against the MIT KDC vs. 3-4 s against a W2K DC).
Using the MIT KDC w/ W2K: Technical Issues • The ksetup tool is not in the W2K Resource Kit as documented; it is in the W2K Server support/tools folder. • The realm name is case sensitive and should be uppercase. • W2K workstations must be at SP1 for this to work!
Using the MIT KDC w/ W2K: Compatibility Issues • Patches and upgrades: • W2K systems must be at SP1; the MIT KDC at v1.2. • Will future upgrades break things? • Passwords: • Presently W2K users cannot change their passwords on the MIT KDC. • Fixed with an upgrade of the MIT KDC? • Synchronizing MIT principals and W2K accounts: • Long-term solution: a central accounts database; no short-term solution yet…
W2K Issues • NTLM authentication: • NTLM authentication is used by systems not part of the W2K domain. • Also, many applications use NTLM. • This is an issue even with a W2K KDC. • IIS & Exchange Kerberos authentication: • Requires Microsoft Kerberos implementation? • Or at least not well documented.
Where we’re headed… • Fermilab W2K Migration Group recommends: • use the Microsoft Kerberos implementation. • Operate MIT KDC and W2K DC in parallel (“ships in the night”). • allow NTLMv2 authentication. • A completely Kerberized W2K domain would prevent users from performing their work!
Tools • Kerbtray (resource kit) • GUI tool that displays Kerberos ticket information. • Kpasswd (resource kit) • Changes the user's Kerberos password. • Klist (resource kit) • Command-line tool to view and delete Kerberos tickets granted to the current logon session. (The machine must be part of a W2K domain to use the tool.) • Netdom (support tools) • Command-line tool used to establish trusts and reset Kerberos passwords.
Tools • Security event log entries (useful for debugging): • 672: authentication ticket (TGT) granted by krbtgt • 680: NTLM authentication (account used for logon by the MSV1_0 package) • 540: successful network logon, e.g. a computer account's logon via Kerberos; the event's Authentication Package field names Kerberos or NTLM • 673: service ticket granted
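An added example (not from the slides) that puts the four event IDs above to use: it classifies Security-log logon events per account to show who authenticates with Kerberos and who still depends on NTLM, which is the measurement behind the "allow NTLMv2" recommendation on the previous slide. The events are constructed for the demo and the account and host names are placeholders; on a real DC the same functions take the objects returned by Get-EventLog.

```powershell
# Added example, not from the FNAL slides. Sample events are constructed; on a DC replace
# $Sample with:  Get-EventLog -LogName Security | Where-Object { 540,672,673,680 -contains $_.EventID }
# and fill Account/Package/Source from each event's description.
$EventMeaning = @{
    672 = 'Kerberos TGT granted (AS exchange with krbtgt)'
    673 = 'Kerberos service ticket granted (TGS exchange)'
    680 = 'NTLM authentication (MSV1_0 package)'
    540 = 'Successful network logon (package named in the event)'
}

# Constructed sample events; names are placeholders
$Sample = @(
    [pscustomobject]@{ EventID = 672; Account = 'jdoe@FNAL.GOV';  Package = 'Kerberos'; Source = 'pc17' }
    [pscustomobject]@{ EventID = 673; Account = 'jdoe@FNAL.GOV';  Package = 'Kerberos'; Source = 'pc17' }
    [pscustomobject]@{ EventID = 540; Account = 'WIN\jdoe';       Package = 'Kerberos'; Source = 'pc17' }
    [pscustomobject]@{ EventID = 680; Account = 'WIN\asmith';     Package = 'NTLM';     Source = 'legacy-nt4' }
    [pscustomobject]@{ EventID = 540; Account = 'WIN\asmith';     Package = 'NTLM';     Source = 'legacy-nt4' }
    [pscustomobject]@{ EventID = 680; Account = 'WIN\svc-backup'; Package = 'NTLM';     Source = 'fileserver' }
)

function Get-LogonSummary {
    param([object[]]$Events)
    # One record per account: has it ever held a Kerberos ticket, has it ever used NTLM, from where
    $byAccount = @{}
    foreach ($e in $Events) {
        # normalise 'DOMAIN\user' and 'user@REALM' to the bare user name
        $name = ($e.Account -replace '^[^\\]+\\', '' -replace '@.*$', '').ToLower()
        if (-not $byAccount.ContainsKey($name)) {
            $byAccount[$name] = [pscustomobject]@{ Account = $name; Kerberos = $false; NTLM = $false; NtlmSources = @() }
        }
        $rec = $byAccount[$name]
        switch ($e.EventID) {
            672 { $rec.Kerberos = $true }
            673 { $rec.Kerberos = $true }
            680 { $rec.NTLM = $true; $rec.NtlmSources += $e.Source }
            540 { if ($e.Package -eq 'NTLM') { $rec.NTLM = $true } else { $rec.Kerberos = $true } }
        }
    }
    $byAccount.Values | Sort-Object Account
}

function Get-NtlmOnlyAccounts {
    # Accounts that never obtained a Kerberos ticket: these break the day NTLM is refused
    param([object[]]$Events)
    Get-LogonSummary $Events | Where-Object { $_.NTLM -and -not $_.Kerberos }
}

Get-LogonSummary $Sample |
    Format-Table Account, Kerberos, NTLM, @{ n = 'NtlmSources'; e = { ($_.NtlmSources | Select-Object -Unique) -join ',' } }
'Would break if NTLM were refused: ' + ((Get-NtlmOnlyAccounts $Sample).Account -join ', ')
```

In the constructed sample jdoe is fully Kerberized while asmith (a legacy NT4 host) and svc-backup (an application on a file server) only ever show up as 680/NTLM, which is exactly the population the slides have in mind when they warn that a fully Kerberized domain would stop people working. Keeping NTLM but forcing NTLMv2 is the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (3 = clients send NTLMv2 only, 5 = DCs refuse LM and NTLM); run this kind of census before moving it above 3.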