1 / 13

W2K and Kerberos at FNAL

W2K and Kerberos at FNAL. Jack Schmidt schmidt@fnal.gov Mark Kaletka kaletka@fnal.gov. Background. Please wait for Dane Skow’s talk for Fermilab strong authentication details. Fermilab’s goal: Site-wide strong authentication by Dec. 31; Based on Kerberos 5;

boyd
Download Presentation

W2K and Kerberos at FNAL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. W2K and Kerberos at FNAL Jack Schmidt schmidt@fnal.gov Mark Kaletka kaletka@fnal.gov

  2. Background • Please wait for Dane Skow’s talk for Fermilab strong authentication details. • Fermilab’s goal: • Site-wide strong authentication by Dec. 31; • Based on Kerberos 5; • Impacts on Windows 2000 migration?

  3. Goals • Provide single password for all users. • Use only Kerberos for user authentication and resource access in W2K domain. • Use existing Unix MIT KDC for user authentication. • MIT KDC in pilot use for 2 years. • About to go into production. • Desktops and servers must be able to contact secondary MIT KDCs and W2K DCs. • E.g. CDF systems need to communicate with CDF KDC and DC.

  4. Using the MIT KDC w/ W2K • Use MIT KDC for user authentication. • W2K KDC provides service tickets. • Microsoft documents how to do this: • “Step-by-Step Guide to Kerberos 5 Interoperability”

  5. Using the MIT KDC w/ W2K: General Approach • Trust needs to be established between MIT KDCs (main and remote) and top level W2K DC’s. • Transitive trusts need to be established for all down-level W2K DC’s. • Principals must be mapped to W2K account. • Clients need to be modified (registry) to contact correct remote KDC for quicker log in.

  6. Using the MIT KDC w/ W2K: Technical Details MMC = Microsoft Management Console thru Administration of Domains & Trusts snapin • Establish trust between MIT and W2K domains: • Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot DC); • Establish MIT KDC trust on W2K DC (MMC snapin) • Complete trust on MIT KDC; • Create transitive trust on the W2K KC using netdom command line tool; • Create user accounts on W2K DC: • Map user principal to W2K user account; • Add realm entry to workstations: • Modify W2K workstations to access the MIT KDC for log in (reboot workstation); Transitive trust is used to talk to downlevel DC’s, e.g. in child domains.

  7. Using the MIT KDC w/ W2K: Technical Issues • Workstations must have the kerberos realm added or users will not be able to login. • A security template can be used in the W2K domain. • A transitive trust must be established or users in child domains will not be authenticated via kerberos • Slow notification if incorrect MIT KDC kerberos principal is entered (1 minute delay, 3-4 sec for W2K DC).

  8. Using the MIT KDC w/ W2K: Technical Issues • The ksetup tool is not found in the W2K resource kit as documented. • It is in the W2K server support/tools folder. • The realm name is case sensitive and should be uppercase. • W2K workstations must be at SP1 for this to work!

  9. Using the MIT KDC w/ W2K: Compatibility Issues • Patches and upgrades: • W2K systems must be at SP1; MIT KDC at v1.2. • Will future upgrades break things? • Passwords: • Presently W2K users can not set passwords on MIT KDC. • Fixed with an upgrade of the MIT KDC? • Synchronizing MIT principals and W2K accounts: • Long term solution – central accounts database, but no short term…

  10. W2K Issues • NTLM authentication: • NTLM authentication is used by systems not part of the W2K domain. • Also, many applications use NTLM. • This is an issue even with a W2K KDC. • IIS & Exchange Kerberos authentication: • Requires Microsoft Kerberos implementation? • Or at least not well documented.

  11. Where we’re headed… • Fermilab W2K Migration Group recommends: • use the Microsoft Kerberos implementation. • Operate MIT KDC and W2K DC in parallel (“ships in the night”). • allow NTLMv2 authentication. • A completely Kerberized W2K domain would prevent users from performing their work!

  12. Tools • Kerbtray (resource kit) • GUI tool that displays Kerberos ticket information. • Kpasswd (resource kit) • Does the obvious thing… • Klist (resource kit) • Command-line tool to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use tool.) • Netdom (support tools) • Command-line tool used to establish trusts, reset Kerberos passwords.

  13. Tools • Event log entries (useful for debugging): • 672: Krbtgt • 680: NTLM • 540: (Computer) network logon via Kerberos • 673: Service tickets granted

More Related