Windows 2000 Kerberos Interoperability
Paul Hill, Co-Leader, Kerberos Development Team, MIT
John Brezak, Program Manager, Windows 2000 Security, Microsoft Corporation
Windows 2000 Kerberos Interoperability
• History
• Windows 2000 implementation
• Interoperability scenarios
Some History
• Kerberos developed at MIT as part of Project Athena
   • Funded by Digital and IBM
• Freely available source that allows derivative commercial work
• Change control given to IETF
• Based on research by Schroeder and Needham
   • Needham now a Microsoft Research employee
MIT’s Goals
• Provide a solution that nobody else was addressing at the time
• Convince others that security is important
• Get vendors to adopt Kerberos so that we could purchase secure systems
• Have we succeeded beyond our expectations?
Commercial Support
• Many vendors have come and gone
   • GZA / Open Vision / Veritas
   • Cygnus
   • Sun
   • IBM
   • SGI
   • OSF DCE
   • CyberSafe
   • Microsoft
Integration
• Operating Systems have shipped with Kerberos but not used it as the default authentication mechanism
• OS Vendors shipping Kerberos have not provided applications or services that are integrated with it
• Microsoft is changing this
   • Default authentication
   • Application support
   • Using it to secure other infrastructure
What Is Kerberos
• Kerberos IV currently deployed in many Universities (many Kerberized applications for Unix)
• Kerberos IV used in the Andrew File System (AFS)
• Kerberos IV had design flaws leading to Kerberos version 5
• Kerberos v5 is a standard (RFC-1510)
• Kerberos IV and Kerberos 5 do not interoperate!
• Bones and eBones (Kerberos IV)
• Win2000 implements Kerberos v5
Windows 2000 Kerberos
• Every Domain Controller is a KDC
• Active Directory is the administrative interface, via LDAP
• Programmer’s interface is SSPI (similar to GSSAPI); no krb5 APIs
• DNS domain and Kerberos realm names are identical (apart from case)
• Also provides the authorization service for the Windows NT security model
Windows 2000 Kerberos Implementation
• Locates KDC via DNS
• DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
• RC4-HMAC is the preferred enctype (56/128-bit keys)
• Does not support the MD4 checksum type
• No support for DCE-style cross-realm trust
• Postdated tickets (not implemented)
• Structured service naming conventions
• PKINIT
Windows 2000 Kerberos Standards
• RFC-1510 (+ parts of Kerberos-revisions I-D)
• Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
• Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
• RC4-HMAC Kerberos Encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
• PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt
Kerberos Authorization Data
• Kerberos protocol supports authorization data in tickets
   • Examples: DCE and Sesame architectures
• Revision to RFC 1510
   • Clarifications on client- and KDC-supplied data
   • Submitted by Ted Ts’o, Clifford Neuman
• Interoperability issues are minimal
   • Windows 2000 auth data is ignored by UNIX implementations
Authorization Data
• What is the client allowed to do?
• Based on Windows 2000 group membership
   • Identified by Security Ids (SIDs) in NT security architecture
• Windows 2000 KDC supplies auth data in tickets
   • At interactive logon (AS exchange)
      • User SID, global, universal group SIDs
   • At session ticket request (TGS exchange)
      • Domain local group SIDs
Negotiate Package
• Special SSP to select an authentication package
• Windows 2000 logo requirement
• Implementation of SPNEGO (RFC-2478)
   • Tries up-level SSPs (Kerberos)
   • Falls back to down-level SSPs (NTLM)
   • Selection of up-level SSP based on SPN
Kerberos Interoperability Scenarios
• Windows 2000 domain without a Microsoft KDC
• Kerberos clients in a Win2000 domain
• Kerberos servers in a Win2000 domain
• Standalone Win2000 systems in a Kerberos realm
• Using a Kerberos realm as a resource domain
• Using a Kerberos realm as an account domain
Windows 2000 Domain Without A Microsoft KDC
• Not a supported scenario
• Windows 2000 domain security model depends on authorization
• Microsoft KDC is tightly integrated with Active Directory
• Support for down-level services (NTLM)
Standalone Windows 2000 Computers
• A dorm student has a Win2000 computer that they want to use with the University’s Kerberos realm MIT.REALM.COM
• Configure system as standalone (no domain)
• Use Ksetup to configure the realm
• Use Ksetup to establish the local account mapping
• Logon to Kerberos realm
[Diagram labels: Linux, Windows 2000]
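The Ksetup steps above, written out as an added example (not from the deck). The realm MIT.REALM.COM is the slide's; the KDC host kdc1.mit.realm.com, the local account "student" and the passwords are assumed placeholders.

```batch
REM Added example, not from the presentation: standalone (non-domain) Windows 2000
REM workstation joining the university realm. kdc1.mit.realm.com, the local account
REM "student" and <HostPrincipalPassword> are assumed placeholders.
REM Run from an administrative command prompt; Ksetup ships in the Support Tools.

REM 1. Tell the workstation which Kerberos realm to authenticate against
ksetup /setrealm MIT.REALM.COM

REM 2. Name the realm's KDC and kpasswd server explicitly (no DNS SRV records assumed)
ksetup /addkdc MIT.REALM.COM kdc1.mit.realm.com
ksetup /addkpasswd MIT.REALM.COM kdc1.mit.realm.com

REM 3. Set the host principal key. The same password must be given when the realm
REM    administrator creates host/<workstation-fqdn>@MIT.REALM.COM in the MIT KDC
REM    (assumed step on the MIT side), so that service tickets for this machine decrypt.
ksetup /setcomputerpassword <HostPrincipalPassword>

REM 4. Map the realm principal onto the local account that carries its NT authorization
REM    (group membership and rights come from the local account, not from the realm)
ksetup /mapuser student@MIT.REALM.COM student

REM 5. Review the configuration, then reboot; the logon dialog will offer MIT.REALM.COM
ksetup
```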
Using Kerberos Servers
• Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS (nt.company.com)
• /etc/krb5.conf on database server
• Create service account in domain
• Use ktpass to export a keytab
• Copy keytab to database server
• IIS server is trusted for delegation
[Diagram labels: Windows 2000 Wks, Windows 2000 IIS Server, Unix Database Server]
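The account-and-keytab steps above, as an added example (not from the deck). The domain nt.company.com is the slide's; the account svc-dbsrv, the host dbsrv.company.com and the output path are assumed placeholders.

```batch
REM Added example, not from the presentation: exporting a keytab for the Unix database
REM server in the n-tier scenario. svc-dbsrv, dbsrv.company.com and C:\dbsrv.keytab are
REM assumed placeholders; NT.COMPANY.COM is the realm of the slide's nt.company.com domain.
REM Run as a domain administrator on a machine with the Windows 2000 Support Tools.

REM 1. Create the domain account that stands in for the Unix service principal.
REM    The password is prompted for; the service never changes it itself.
net user svc-dbsrv * /add /domain /passwordchg:no

REM 2. Bind the service principal name to that account and write its key to a keytab.
REM    DES-CBC-MD5 is used because DES-CBC-CRC/DES-CBC-MD5 are the enctypes the slides
REM    list as shared between Windows 2000 and MIT Kerberos; the account must also have
REM    "Use DES encryption types for this account" enabled in Active Directory.
ktpass /princ host/dbsrv.company.com@NT.COMPANY.COM ^
       /mapuser svc-dbsrv ^
       /pass * ^
       /crypto DES-CBC-MD5 ^
       /ptype KRB5_NT_SRV_HST ^
       /out C:\dbsrv.keytab

REM 3. Move C:\dbsrv.keytab to the database server over a protected channel and merge
REM    it into /etc/krb5.keytab there. Its /etc/krb5.conf must list NT.COMPANY.COM with
REM    a domain controller as kdc, since every Windows 2000 DC is a KDC.
REM 4. In Active Directory Users and Computers, mark the IIS server's computer account
REM    "Trust computer for delegation" so IIS can obtain tickets to the database on
REM    the user's behalf.
```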
Using Unix KDCs With Windows 2000 Authorization
[Diagram, labels only: Win2000 Professional client, Windows 2000 Server, MIT KDC (COMPANY.REALM), Windows 2000 KDC (nt.company.com); four numbered exchanges labelled TGT, TGT, TICKET, TICKET with NT auth data; name mapping to NT account]
Kerberos Realm As A Resource Domain
• Realm contains service principals for Unix-based services
• Service does name-based authorization
[Diagram labels: realm trusts domain users; Win2000 User, Unix server; win2k.domain.com, MIT.REALM.COM]
Kerberos Realm As An Account Domain
• User logon with Kerberos principal
• User has shadow account in an account domain (for applying authz)
• Mapping is used at logon for domain identity
[Diagram labels: domain trusts realm users; user@win2k.domain.com (user@MIT.REALM.COM), comp$@win2k.domain.com, User@MIT.REALM.COM; MIT.REALM.COM, win2k.domain.com]
Using A Kerberos Realm As An Account Domain
• Requires shadow accounts in domain
• Requires synchronized passwords so that NTLM can work
• Have a sample that shows account sync with MIT Kerberos realm
• CyberSafe is adding this capability with password sync to TrustBroker
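The account-domain setup of the two preceding slides (domain trusts realm, shadow account, name mapping), as an added example that is not part of the presentation. Domain and realm names are the slides'; the user name "user", the LDF file name and <TrustPassword> are assumed placeholders.

```batch
REM Added example, not from the presentation: win2k.domain.com trusting MIT.REALM.COM as
REM an account domain, with a shadow account mapped to the realm principal.
REM "user", map.ldf and <TrustPassword> are assumed placeholders. Netdom and ldifde
REM come with Windows 2000 Support Tools; run as a domain administrator.

REM 1. Create a one-way trust: win2k.domain.com (trusting) trusts MIT.REALM.COM (trusted).
REM    The trust password becomes the shared key of the cross-realm principal.
netdom trust win2k.domain.com /d:MIT.REALM.COM /add /realm /passwordt:<TrustPassword>

REM    Assumed MIT-side counterpart (run in kadmin on the MIT KDC, not here):
REM    addprinc -pw <TrustPassword> krbtgt/WIN2K.DOMAIN.COM@MIT.REALM.COM
REM    Windows 2000 and MIT must share a DES enctype for this principal (see the
REM    interoperability enctypes slide).

REM 2. Create the shadow account that carries the user's NT authorization (SIDs).
REM    Keep its password synchronized with the realm password so NTLM fallback works.
net user user * /add /domain

REM 3. Map the realm principal to the shadow account. This is the "Name Mappings"
REM    dialog in Active Directory Users and Computers, expressed as an LDIF change to
REM    the altSecurityIdentities attribute and imported with ldifde.
echo dn: CN=user,CN=Users,DC=win2k,DC=domain,DC=com> map.ldf
echo changetype: modify>> map.ldf
echo add: altSecurityIdentities>> map.ldf
echo altSecurityIdentities: Kerberos:user@MIT.REALM.COM>> map.ldf
echo ->> map.ldf
ldifde -i -f map.ldf

REM 4. A logon as user@MIT.REALM.COM now yields the domain identity
REM    user@win2k.domain.com with the shadow account's group SIDs in its tickets.
```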
Microsoft And The IETF CAT WG
Significant contributions to the standards:
• Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
• The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
• User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
• Extension to Kerberos V5 For Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
• Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
• The Simple and Protected GSS-API Negotiation Mechanism (RFC2478)
Kerberos Interoperability
• Windows 2000 Kerberos is interoperable with other popular versions
• Interoperability is regularly tested
• Customer-driven interoperability scenarios
• Push and enrich the Kerberos standards
For Additional Information
• Web sites:
   • Windows 2000 Kerberos Authentication: www.microsoft.com/windows/server/Technical/security/kerberos.asp
   • Windows 2000 Kerberos Interoperability Whitepaper: http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.asp
   • MIT Kerberos 5 Interoperability walk-through: http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp
   • Compaq White Paper “Windows 2000 Authentication: under the hood”: www.compaq.com/activeanswers (Windows 2000 section)
   • CyberSafe ActiveTrust: www.cybersafe.com
   • Interop with Win2000 Active Directory and Kerberos Services: msdn.microsoft.com/library/techart/kerberossamp.htm