
Windows 2000 Kerberos Interoperability


Presentation Transcript


  1. Windows 2000 Kerberos Interoperability
     Paul Hill, Co-Leader, Kerberos Development Team, MIT
     John Brezak, Program Manager, Windows 2000 Security, Microsoft Corporation

  2. Windows 2000 Kerberos Interoperability
     • History
     • Windows 2000 implementation
     • Interoperability scenarios

  3. Some History
     • Kerberos developed at MIT as part of Project Athena
     • Funded by Digital and IBM
     • Freely available source that allows derivative commercial work
     • Change control given to IETF
     • Based on research by Schroeder and Needham
       • Needham now a Microsoft Research employee

  4. MIT’s Goals
     • Provide a solution that nobody else was addressing at the time
     • Convince others that security is important
     • Get vendors to adopt Kerberos so that we could purchase secure systems
     • Have we succeeded beyond our expectations?

  5. Commercial Support
     • Many vendors have come and gone
     • GZA / Open Vision / Veritas
     • Cygnus
     • Sun
     • IBM
     • SGI
     • OSF DCE
     • CyberSafe
     • Microsoft

  6. Integration
     • Operating Systems have shipped with Kerberos but not used it as the default authentication mechanism
     • OS Vendors shipping Kerberos have not provided applications or services that are integrated with it
     • Microsoft is changing this
       • Default authentication
       • Application support
       • Using it to secure other infrastructure

  7. What Is Kerberos
     • Kerberos IV currently deployed in many universities (many Kerberized applications for Unix)
     • Kerberos IV used in the Andrew File System (AFS)
     • Kerberos IV had design flaws leading to Kerberos version 5
     • Kerberos v5 is a standard (RFC-1510)
     • Kerberos IV and Kerberos 5 do not interoperate!
     • Bones and eBones (Kerberos IV)
     • Win2000 implements Kerberos v5

  8. Windows 2000 Kerberos
     • Every Domain Controller is a KDC
     • Active Directory is the administrative interface via LDAP
     • Programmer’s interface is SSPI (similar to GSSAPI); no krb5 APIs
     • DNS domain and Kerberos realm names are identical (except case sensitivity)
     • Also provides authorization service for Windows NT security model

  9. Windows 2000 Kerberos Implementation
     • Locates KDC via DNS
     • DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
     • RC4-HMAC preferred enctype (56/128-bit keys)
     • Does not support MD4 checksum type
     • No support for DCE style cross-realm trust
     • Postdated tickets (not implemented)
     • Structured service naming conventions
     • PKINIT

  10. Windows 2000 Kerberos Standards
     • RFC-1510 (+ parts of Kerberos-revisions I-D)
     • Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
     • Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
     • RC4-HMAC Kerberos Encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
     • PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt

  11. Kerberos Authorization Data
     • Kerberos protocol supports authorization data in tickets
       • Examples: DCE and Sesame architectures
     • Revision to RFC 1510
       • Clarifications on client, KDC supplied data
       • Submitted by Ted Ts’o, Clifford Neuman
     • Interoperability issues are minimal
       • Windows 2000 auth data ignored by UNIX implementations

  12. Authorization Data
     • What is the client allowed to do?
       • Based on Windows 2000 group membership
       • Identified by Security IDs (SIDs) in NT security architecture
     • Windows 2000 KDC supplies auth data in tickets
       • At interactive logon (AS exchange): user SID, global and universal group SIDs
       • At session ticket request (TGS exchange): domain local group SIDs

  13. Negotiate Package
     • Special SSP to select an authentication package
     • Windows 2000 logo requirement
     • Implementation of SPNEGO (RFC-2478)
       • Tries up-level SSPs (Kerberos)
       • Falls back to down-level SSPs (NTLM)
       • Selection of up-level SSP based on SPN

  14. Kerberos Interoperability Scenarios
     • Windows 2000 domain without a Microsoft KDC
     • Kerberos clients in a Win2000 domain
     • Kerberos servers in a Win2000 domain
     • Standalone Win2000 systems in a Kerberos realm
     • Using a Kerberos realm as a resource domain
     • Using a Kerberos realm as an account domain

  15. Windows 2000 Domain Without A Microsoft KDC
     • Not a supported scenario
       • Windows 2000 domain security model depends on authorization
       • Microsoft KDC is tightly integrated with Active Directory
       • Support for down-level services (NTLM)

  16. Standalone Windows 2000 Computers
     • A dorm student has a Win2000 computer that they want to use with the University’s Kerberos realm MIT.REALM.COM
       • Configure system as standalone (no domain)
       • Use Ksetup to configure the realm
       • Use Ksetup to establish the local account mapping
       • Logon to Kerberos realm
     (diagram: Linux, Windows 2000)
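The four steps on this slide as the commands an administrator would type on the workstation. This is an added example, not material from the presentation: the ksetup switches are the documented ones, but the KDC host name kdc1.mit.realm.com, the local account name student and the host-principal password are constructed placeholders, and the realm administrator is assumed to have created the workstation's host principal on the MIT KDC.

```powershell
# Added example for slide 16 (not part of the presentation): join a standalone
# Windows workstation to the MIT Kerberos realm MIT.REALM.COM. Host and account
# names are constructed placeholders. Run from an elevated PowerShell prompt.

$Realm   = 'MIT.REALM.COM'        # realm names are case sensitive (slide 8): keep upper case
$Kdc     = 'kdc1.mit.realm.com'   # constructed KDC host name
$Student = 'student'              # local account the realm principal maps to

# 1. Point the Kerberos SSP at the realm and its KDC / kpasswd server. /addkdc is only
#    needed when the realm publishes no _kerberos SRV records, since Windows otherwise
#    locates the KDC through DNS (slide 9).
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 2. Shared key for the workstation's own principal, host/<fqdn>@MIT.REALM.COM. The
#    realm administrator creates that principal on the MIT KDC with the same password;
#    prompt for it rather than writing it into the script.
$HostPw = Read-Host -Prompt 'Password of the host principal created on the MIT KDC'
ksetup /setcomputerpassword $HostPw

# 3. Map the realm principal to a local account, creating the account if needed. One
#    explicit mapping per user keeps the set of principals that may log on here small
#    and reviewable; ksetup also accepts wildcard mappings, which is more than a
#    single-user workstation should grant.
if (-not (Get-LocalUser -Name $Student -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Student -NoPassword | Out-Null
}
ksetup /mapuser "student@$Realm" $Student

# 4. Review the result; a reboot is required before logon to the realm is offered.
ksetup
Restart-Computer -Confirm
```

After the reboot the student logs on as student@MIT.REALM.COM and the session runs under the local student account; running ksetup with no arguments shows the realm, KDC and mapping settings for review.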

  17. Using Kerberos Servers
     • Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS (nt.company.com)
       • /etc/krb5.conf on database server
       • Create service account in domain
       • Use ktpass to export a keytab
       • Copy keytab to database server
       • IIS server is trusted for delegation
     (diagram: Windows 2000 Wks, Windows 2000 IIS Server, Unix Database Server)
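The five steps above as commands, added here as an example rather than taken from the presentation. The host names db1.nt.company.com, dc1.nt.company.com and iis1, the service account svc-db1 and the service name db are constructed placeholders. The block assumes ktpass from the Windows support tools and, for the directory cmdlets, the RSAT ActiveDirectory module, which did not exist for Windows 2000 (there the same account settings are made in Active Directory Users and Computers).

```powershell
# Added example for slide 17 (not part of the presentation): give a Unix database
# server a service principal in the Windows domain nt.company.com, export its key to
# a keytab, prepare its krb5.conf, and mark the IIS front end as trusted for
# delegation. All host and account names are constructed placeholders.

$Domain  = 'nt.company.com'
$Realm   = $Domain.ToUpperInvariant()        # realm name = DNS domain name in upper case (slide 8)
$Dc      = "dc1.$Domain"                     # a domain controller; every DC is a KDC (slide 8)
$DbHost  = "db1.$Domain"                     # the Unix database server
$SvcAcct = 'svc-db1'                         # domain account that owns the service principal
$Spn     = "db/${DbHost}@${Realm}"           # principal the database server presents
$OutDir  = Join-Path $env:TEMP 'db1-kerberos'
$Keytab  = Join-Path $OutDir 'db1.keytab'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Service account. ktpass overwrites the password below with a random one, so the
#    value typed here is only transient; the password must not expire or the keytab
#    silently stops working.
New-ADUser -Name $SvcAcct -SamAccountName $SvcAcct -UserPrincipalName "${SvcAcct}@${Domain}" `
    -Description "Kerberos service account for $DbHost" -Enabled $true `
    -PasswordNeverExpires $true -AccountPassword (Read-Host -AsSecureString 'Initial password')

# 2. Key export. /crypto has to be an enctype both sides implement; slide 9 names the
#    DES types as the interoperability ones, and a Windows 2000 KDC issues DES keys only
#    for accounts flagged for DES. (Current Windows releases disable DES by default, so
#    on a newer domain an AES enctype is the right choice.) +rndpass makes ktpass set a
#    random password that exists only inside the keytab.
Set-ADAccountControl -Identity $SvcAcct -UseDESKeyOnly $true
ktpass /princ $Spn /mapuser "${SvcAcct}@${Domain}" /pass +rndpass `
       /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL /mapop set /out $Keytab

# 3. /etc/krb5.conf for the database server: the domain is the realm and the DC is
#    its KDC and kpasswd server. Written next to the keytab so both travel together.
$Krb5Conf = @"
[libdefaults]
    default_realm = $Realm

[realms]
    $Realm = {
        kdc = $Dc
        kpasswd_server = $Dc
    }

[domain_realm]
    .$Domain = $Realm
    $Domain = $Realm
"@
Set-Content -Path (Join-Path $OutDir 'krb5.conf') -Value $Krb5Conf

# 4. Delegation. Windows 2000 has only unconstrained delegation: the IIS server can
#    then obtain tickets to any service as the calling user, so set this flag on the
#    one front-end host and nothing else. (Windows Server 2003 and later can limit it
#    to the database SPN instead.)
Set-ADComputer -Identity 'iis1' -TrustedForDelegation $true

# 5. Copy db1.keytab and krb5.conf to the database server over an authenticated,
#    encrypted channel (the keytab is a credential), then delete the local copies:
# Remove-Item -Recurse -Force $OutDir
```

On the database server the keytab goes wherever its Kerberos library expects it and krb5.conf to /etc/krb5.conf; the service then accepts tickets for db/db1.nt.company.com@NT.COMPANY.COM that the IIS server requested on the user's behalf.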

  18. Using Unix KDCs With Windows 2000 Authorization
     (diagram: Win2000 Professional client, Windows 2000 Server, Windows 2000 KDC for nt.company.com, MIT KDC for COMPANY.REALM with name mapping to NT account; exchanges 1–4: TGT, TGT, TICKET, TICKET with NT auth data)

  19. Kerberos Realm As A Resource Domain
     • Realm contains service principals for Unix-based services
     • Service does name-based authorization
     (diagram: Win2000 user in win2k.domain.com, Unix server in MIT.REALM.COM; realm trusts domain users)

  20. Kerberos Realm As An Account Domain
     • User logon with Kerberos principal
     • User has shadow account in an account domain (for applying authz)
     • Mapping is used at logon for domain identity
     (diagram: User@MIT.REALM.COM logs on at comp$@win2k.domain.com and is mapped to user@win2k.domain.com (user@MIT.REALM.COM); domain trusts realm users; MIT.REALM.COM, win2k.domain.com)

  21. Using A Kerberos Realm As An Account Domain
     • Requires shadow accounts in domain
     • Requires synchronized passwords so that NTLM can work
     • Have a sample that shows account sync with MIT Kerberos realm
     • CyberSafe is adding this capability with password sync to TrustBroker
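Added example covering slides 19 to 21 (not from the presentation): the Windows side of making win2k.domain.com trust MIT.REALM.COM and giving the realm user user@MIT.REALM.COM a shadow account with a name mapping. The realm, domain and user names are the slides' own; the KDC host kdc1.mit.realm.com is a constructed placeholder. It assumes netdom, ksetup and the RSAT ActiveDirectory module (on Windows 2000 the mapping is entered through the Name Mappings dialog of Active Directory Users and Computers, which writes the same attribute), and that the realm administrator creates the matching cross-realm principal on the MIT KDC.

```powershell
# Added example for slides 19-21 (not part of the presentation): domain trusts realm,
# plus a shadow account and name mapping for one realm user. Domain and realm names
# are from the slides; the KDC host name is a constructed placeholder.

$Domain = 'win2k.domain.com'
$Realm  = 'MIT.REALM.COM'
$Kdc    = 'kdc1.mit.realm.com'
$User   = 'user'

# 1. Let Windows machines find the realm's KDC. Not needed if the realm publishes
#    _kerberos SRV records in DNS (slide 9); run on each machine that contacts the KDC.
ksetup /addkdc $Realm $Kdc

# 2. One-way trust in which the domain trusts the realm (slide 20). The password is the
#    key of the cross-realm principal krbtgt/WIN2K.DOMAIN.COM@MIT.REALM.COM, which the
#    realm administrator creates on the MIT KDC with the same value; prompt for it, do
#    not store it. A resource-domain setup (slide 19) is the reverse direction.
$TrustPw = Read-Host -Prompt 'Cross-realm trust password'
netdom trust $Domain "/domain:$Realm" /add /realm "/passwordt:$TrustPw"

# 3. Shadow account (slide 21). Kerberos logons never use this password; it matters only
#    when a down-level client falls back to NTLM (slide 13), which is why the slide calls
#    for keeping it synchronized with the realm password.
New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "${User}@${Domain}" `
    -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password for $User")

# 4. Name mapping. altSecurityIdentities ties the realm principal to the domain account,
#    whose group SIDs then become the authorization data (slide 12) in tickets issued
#    for user@MIT.REALM.COM. Map one principal per account: several principals mapped
#    to one account all share its authorization.
Set-ADUser -Identity $User -Add @{ altSecurityIdentities = "Kerberos:${User}@${Realm}" }

# 5. Verify the mapping and the trust.
Get-ADUser -Identity $User -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
netdom trust $Domain "/domain:$Realm" /verify /kerberos
```

The trust alone only lets the domain KDC accept cross-realm tickets; without the altSecurityIdentities mapping the realm user has no domain identity and therefore no authorization data, which is the point slide 20 makes with the shadow account.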

  22. Microsoft And The IETF CAT WG
     Significant contributions in the standards:
     • Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
     • The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
     • User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
     • Extension to Kerberos V5 For Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
     • Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
     • The Simple and Protected GSS-API Negotiation Mechanism (RFC-2478)

  23. Kerberos Interoperability
     • Windows 2000 Kerberos is interoperable with other popular versions
     • Interoperability is regularly tested
     • Customer-driven interoperability scenarios
     • Push and enrich the Kerberos standards

  24. For Additional Information
     • Web sites:
       • Windows 2000 Kerberos Authentication: www.microsoft.com/windows/server/Technical/security/kerberos.asp
       • Windows 2000 Kerberos Interoperability Whitepaper: http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.asp
       • MIT Kerberos 5 Interoperability walk-through: http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp
       • Compaq White Paper “Windows 2000 Authentication: under the hood”: www.compaq.com/activeanswers (Windows 2000 section)
       • CyberSafe ActiveTrust: www.cybersafe.com
       • Interop with Win2000 Active Directory and Kerberos Services: msdn.microsoft.com/library/techart/kerberossamp.htm
