
Single Sign-on Active Directory and CU Kerberos Technical Support Provider Forum January 19, 2005 Moe Arif Systems Admin


Presentation Transcript


  1. Single Sign-on: Active Directory and CU Kerberos
  Technical Support Provider Forum, January 19, 2005
  Moe Arif, Systems Administrator, CIT Systems and Operations

  2. Objectives
  • Present an overview of Active Directory and how it can be integrated with campus infrastructure
  • Discuss the costs, benefits and challenges of campus-wide deployment
  • Get feedback, share ideas from campus admins
  • Take this information back to CIT management

  3. Agenda
  • Overview of Active Directory (AD)
    • Brief and quick list of features
    • Non-technical
  • Campus Integration
    • DNS
    • Kerberos (K5) authentication
  • Pros and Cons
  • CIT’s current infrastructure
  • Q & A

  4. About the Speaker
  • Windows Systems Administrator
  • Programmer/Analyst Specialist
  • 4+ years at CIT
  • Experience
    • Currently manage 80+ servers
    • Windows 2003, 2000 (and NT)
    • Servers running databases, IIS, clusters, middleware
  • Focus
    • Manage server environment efficiently
    • Limited to controlled server environment

  5. Active Directory: Overview
  • AD is a directory service
    • Structured repository of people and resources in an organization
  • Released with Windows 2000 Server
  • LDAP compliant (LDAPv3 protocol)
  • Logical structure
    • Consists of objects, OUs, domains, trees, forest
  • Physical structure
    • Domain controllers, LAN/WAN and sites

  6. Active Directory: Building Blocks

  7. Active Directory: How it works
  • Servers that are Domain Controllers
    • AD database contains the objects
  • Schema
    • Can be extended
  • Flexible Single Master Operation (FSMO)
    • Five roles (PDC, RID, Infrastructure, Schema Master, Domain Naming)
  • Global Catalog (GC)
    • Smaller copy of AD, used for searches

  8. Active Directory: How it works
  • DNS
    • Heavily relies on SRV records
    • Dynamically updates records
  • Kerberos
    • Kerberos authentication under the hood
    • KDC runs on Domain Controllers
  • More on DNS and Kerberos later

  9. Active Directory: Features
  • Group Policy
    • Powerful feature
    • Control user and computer settings
    • Deploy to a large number of systems
    • Can be applied to Site, Domain and OUs
  • Software Deployment
    • Via Group Policy (GPOs)
    • Install, upgrade, and remove
    • Control over installation via GPO

  10. Active Directory: Management
  • Snap-ins and tools for managing AD
    • MMC
    • ADUC, Domains and Trusts, Sites and Services
  • OUs to organize objects
    • Apply GPOs
    • Delegate control
  • Group Policy
    • Group Policy Management Console
    • gpupdate.exe utility (secedit in 2000)
    • gpresult.exe

  11. Active Directory: Management
  • Command-line tools and other utilities
    • ntdsutil, ldifde, csvde
    • dsadd, dsget, dsrm, dsmod
    • ldp.exe (GUI)
    • replmon, repadmin, dcdiag
  • Admin tools (adminpak.msi)
  • Resource Kit and RK Tools (free)
  • WMI and wmic.exe
  • Many, many others

  12. Integration: DNS
  • DNS is a must for AD to function
  • Run DNS servers under Windows
    • DCs (and desktops) perform dynamic updates (DDNS)
    • BIND can be set up for DDNS
    • CIT no longer offering DDNS
  • CIT recommended method
    • http://www.cit.cornell.edu/computer/system/win2000/dns/
    • Search “dynamic DNS” at CIT website

  13. Integration: DNS (How to configure)
  • Install DNS service on your server
  • On the DC, configure DNS server addresses to be the server’s IP address (i.e. point to itself)
  • Configure desktops to point to CIT’s DNS
  • NS pointer on DNSDB points to your DNS server for these zones (configured via DNSDB web page):
    • _msdcs
    • _sites
    • _tcp
    • _udp

  14. Integration: DNS
  • Net result:
    • AD servers happily update records
    • Desktops query CUDNS for SRV records
    • The records are served by the Windows DNS servers due to the NS pointer
  • Register desktops with DNSDB
    • Network Registry requirement
    • Manually or batch upload
  • Non-AD-integrated DNS servers keep their records in a text file
    • Look in %systemroot%\system32\dns
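Added example, not from the slides: a check that the DNSDB delegation described in slides 13 and 14 actually works from a desktop's point of view. It assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later, newer than the tools on the slides); the AD domain, the DC running DNS and the campus resolver name are placeholders.

```powershell
# Added example (not from the slides): verify the four DNSDB NS pointers name the
# Windows DNS server and that the SRV records desktops need are reachable via CUDNS.
function Test-AdDnsDelegation {
    param(
        [string]$AdDomain = 'example-dept.cornell.edu',     # placeholder AD domain
        [string]$WinDns   = 'dc1.example-dept.cornell.edu', # placeholder: DC that points DNS to itself
        [string]$Resolver = 'cudns.placeholder.cornell.edu' # placeholder: campus resolver desktops use
    )
    $ok = $true

    # Slide 13: the NS pointer for each of these zones must name your Windows DNS server.
    foreach ($zone in '_msdcs', '_sites', '_tcp', '_udp') {
        $fqdn = "$zone.$AdDomain"
        try {
            $ns = Resolve-DnsName -Name $fqdn -Type NS -Server $Resolver -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
        } catch { $ns = @() }
        if ($ns -contains $WinDns) {
            Write-Host "OK   NS for $fqdn -> $($ns -join ', ')"
        } else {
            Write-Host "FAIL NS for $fqdn does not point at $WinDns (got: $($ns -join ', '))"
            $ok = $false
        }
    }

    # Slide 14: a desktop asking CUDNS must get the DC locator and KDC SRV records,
    # which only works if the delegation above hands the query to the Windows DNS server.
    foreach ($srv in "_ldap._tcp.dc._msdcs.$AdDomain", "_kerberos._tcp.$AdDomain") {
        try {
            $rec = Resolve-DnsName -Name $srv -Type SRV -Server $Resolver -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch { $rec = @() }
        if ($rec) {
            $rec | ForEach-Object { Write-Host "OK   $srv -> $($_.NameTarget):$($_.Port)" }
        } else {
            Write-Host "FAIL no SRV record for $srv via $Resolver"
            $ok = $false
        }
    }
    return $ok
}

Test-AdDnsDelegation
```

A FAIL on an NS line means the DNSDB entry is missing or names the wrong host; a FAIL on an SRV line with the NS lines OK usually means the DC has not yet registered its records (restart Netlogon or check the %systemroot%\system32\dns zone file).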

  15. Integration: DNS
  • Live Demo
    • DNS Server config
    • *.dns files
    • IP configuration
    • DNSDB NS records

  16. Integration: CIT Kerberos
  • AD supports cross-domain authentication to non-AD domains
  • CIT K5 realm “CIT.CORNELL.EDU”
  • One-way trust
    • K5 domain is the trusted domain
  • Once established, users can log in to AD domains using their NetID and Kerberos password
  • Result: Single Sign-on

  17. Integration: CIT Kerberos (How to configure)
  • AD should be installed as usual
  • E-mail kerberos-admin@cornell.edu
    • Need domain name
    • Password will be given to you
  • CIT’s current practice
    • Will set up one-way trust to K5 realm
    • Technical support may be limited
    • Meeting with LDAP group, more testing, security, documentation

  18. Integration: CIT Kerberos
  • In Active Directory Domains and Trusts
    • Properties → Trusts
    • Domains trusted by this domain
    • ‘Add’ button in Win2000
    • ‘New Trust’ button in Win2003
  • Domain name: CIT.CORNELL.EDU
    • Must be uppercase
    • Will need password
  • Reboot server

  19. Integration: CIT Kerberos
  • Need to create name mappings
    • Turn on Advanced Features in ADUC
    • User Name → Name Mappings
    • <netid>@CIT.CORNELL.EDU
    • AD accounts can be any format
    • Password can be anything (complex)
  • Install Kerberos utilities from OS CD
    • Part of Support Tools
    • <CD>:\support\tools\setup.exe

  20. Integration: CIT Kerberos
  • Command prompt magic: ksetup.exe
    • ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu
    • ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu
    • Adds Kerberos domain at logon screen
    • Desktops and Servers (GPO)
  • On-line document
    • http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    • Search “Windows 2000 Kerberos” on CIT website
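Added example, not from the slides: the name-mapping step of slide 19 scripted for many users (slide 21 notes it can be scripted), followed by the ksetup step of slide 20. It assumes the RSAT ActiveDirectory module (Get-ADUser/Set-ADUser), which is newer than the Windows 2000/2003 tools the slides use; the user list is constructed sample data.

```powershell
# Added example (not from the slides): create the Kerberos name mappings that ADUC's
# "Name Mappings" dialog writes by hand, then register the CIT KDCs with ksetup.
$Realm = 'CIT.CORNELL.EDU'   # realm name from the slides; must stay uppercase

# Constructed sample: AD account name -> NetID (in practice, read this from a CSV export).
$Mappings = @'
SamAccountName,NetID
jsmith,js123
mwong,mw45
'@ | ConvertFrom-Csv

foreach ($m in $Mappings) {
    # ADUC stores a Kerberos name mapping in altSecurityIdentities as "Kerberos:<principal>".
    $principal = "Kerberos:$($m.NetID)@$Realm"
    $user = Get-ADUser -Identity $m.SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $principal) {
        Write-Host "skip  $($m.SamAccountName) already mapped to $principal"
        continue
    }
    # -Add appends to the multi-valued attribute, so existing (e.g. X.509) mappings are kept.
    Set-ADUser -Identity $m.SamAccountName -Add @{ altSecurityIdentities = $principal }
    Write-Host "added $($m.SamAccountName) -> $principal"
}

# Slide 20: tell this machine where the realm's KDCs are so the realm shows up at logon.
# Run elevated; it is per-machine, so push it to desktops via GPO or a startup script.
ksetup /addkdc $Realm kerberos.cit.cornell.edu
ksetup /addkdc $Realm kerberos2.cit.cornell.edu
ksetup   # with no arguments, prints the current realm/KDC configuration for checking
```

Because the trust is one-way and the mapping is what ties a NetID to an AD account, review the altSecurityIdentities values as carefully as group membership: a wrong mapping hands someone else's NetID that account's rights.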

  21. Integration: CIT Kerberos
  • Must create name mappings
    • Can be scripted
  • Authentication works from domain login screen only
    • Issues with non-members
    • Drive mapping, printing etc.
  • Down-level clients
    • Some applications may have problems
  • What about non-Windows machines?

  22. Integration: CIT Kerberos
  • Live Demo
    • Authenticate to CIT realm
    • Domain trust setup screen
    • Name mappings example
    • ksetup.exe

  23. Single Sign-on: Pros and Cons
  Advantages
  • Single Sign-on
    • Same NetID/password
  • Centrally managed NetIDs for AD
    • Future synchronization with LDAP
    • Add/remove NetIDs automatically
  • CIT-managed Domain Controllers
    • Better reliability, fault tolerance etc.
    • Smaller depts. don’t have to run DCs
    • Work Force Planning

  24. Single Sign-on: Pros and Cons
  • Decentralized management
    • Delegation of control
    • Admins have full control over OUs
    • Domains have separate admins
  • Manageability
    • GPOs to manage a large number of desktops
    • Software deployment or removal
    • RIS for new systems

  25. Single Sign-on: Pros and Cons
  • Usability
    • Powerful search capability
    • e.g. find plotter with special feature
    • Easier to set up rights across depts.
    • e.g. user with multiple appointments

  26. Single Sign-on: Pros and Cons
  Disadvantages
  • Central Authority
    • CIT is Enterprise Admin
    • Full control over everything
    • Can be blocked to prevent accidents
    • Blocks can be easily removed
  • Security
    • Privilege elevation vulnerabilities
    • Human error and misconfiguration
    • Malicious attack

  27. Single Sign-on: Pros and Cons
  • Schema
    • Schema extensions are forest-wide
    • Yikes!
    • Additional load on DCs, replication
    • Example: MS Exchange
    • Schema extensions are permanent
    • In Windows 2003, can be disabled
    • Some extensions may become obsolete
    • Example: software no longer used
  • So, these are bad things but …

  28. Single Sign-on: Pros and Cons
  • Some thoughts about disadvantages
    • Schema extensions aren’t that bad
    • Similar security risks exist in a separate domain
    • CIT can offer good security practices
  • CIT as Enterprise Admin
    • CIT runs other, more critical services that are already trusted
  • IMHO: Overall, pros outweigh the cons

  29. CIT’s Current Infrastructure
  • Empty root
    • Installed in 2001
    • Placeholder for cornell.edu
    • May be populated with NetIDs if “Go”
  • Under cornell.edu
    • citstaff.cornell.edu – Internal CIT use
    • citlabs.cornell.edu – Public labs
  • Separate domain tree for CIT-managed Windows servers
  • Many larger organizations already running separate domains

  30. Costs, Benefits, Challenges
  • Costs:
    • Will need more powerful servers
    • Integration with LDAP
    • Project will need investigation
  • Managing Enterprise-level AD
    • Non-trivial task
    • Creating OUs, objects, rights etc.
    • Everyday care and feeding
    • Need a dedicated person (or 2 or 3)

  31. Costs, Benefits, Challenges
  • Benefits:
    • Is it really good for Cornell?
  • Challenges:
    • Convincing important folks to approve this service
    • Funding
    • Collaboration
    • What about existing separate domains?

  32. Conclusion
  • Active Directory is here to stay
  • Many schools have implemented large or campus-wide ADs
  • Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?

  33. Conclusion
  • I don’t have all the answers
  • What are your thoughts?
  • What would you like to see at Cornell?
  • What can I take back to CIT management?
  • Should we form an Active Directory focus group and decide?
  • Questions, comments, suggestions
    • e-mail: mna1@cornell.edu

  34. Thank You: Open Discussion and Q&A
