W2K and Kerberos at FNAL
Jack Schmidt
Mark Kaletka
Background
– Provide a single password for all users.
– Only use Kerberos for user authentication and resource access in the W2K domain.
– Use the existing Unix MIT KDC for user authentication.
– Desktops and servers must be able to contact remote MIT KDCs and W2K DCs (CDF systems need to communicate with the CDF KDC).
Using MIT KDC
– MIT KDC in use for 2 years.
– The MIT KDC provides user authentication; the W2K KDC provides service tickets.
– Microsoft documentation: Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability, http://www.microsoft.com/WINDOWS2000/library/planning/security/kerbsteps.asp
Using MIT KDC
– Establish a trust
  – Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot the DC).
  – Establish a trust via the W2K MMC.
  – Complete the trust on the MIT KDC.
  – Create a transitive trust on the W2K KDC using the netdom command-line tool.
– Create user accounts on the W2K DC
  – Map each user principal to a W2K user account.
– Add a realm entry to workstations
  – Modify W2K workstations to access the MIT KDC for log in (reboot the workstation).
Using the MIT KDC
– Issues
  – The ksetup tool is not found in the W2K resource kit as documented, but in the W2K server support/tools folder.
  – The realm name is case sensitive and should be uppercase.
  – A transitive trust must be established or users in child domains will not be authenticated via Kerberos.
  – Workstations must have the Kerberos realm added or users will not be able to log in.
  – W2K workstations must be at SP1 for this to work!
  – A security template can be used to modify workstations in the W2K domain.
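The W2K-side steps above, written out as commands, as an added example that is not from the FNAL slides. The ksetup and netdom syntax is from my own knowledge of those tools rather than from the deck (check it against `ksetup /?` and `netdom trust /?` on the system in use), and the realm, domain, KDC host, user name and trust password are placeholders. The MIT side of the trust (the matching krbtgt principal on the MIT KDC) is not shown; the slides only say it must be completed there.

```powershell
# Added example: W2K-side commands for the MIT KDC trust procedure.
# Placeholders: MIT.EXAMPLE, kdc.mit.example, w2k.example, jdoe, the trust password.
# Run from an elevated prompt on the W2K domain controller unless noted.

$MitRealm  = 'MIT.EXAMPLE'        # realm names are case sensitive; keep it UPPERCASE
$MitKdc    = 'kdc.mit.example'    # placeholder MIT KDC host
$W2kDomain = 'w2k.example'        # placeholder W2K (Active Directory) domain
$TrustPass = '<realm-trust-password>'   # placeholder; must match what is set on the MIT KDC

# Pre-check from the issues list: the box must be at SP1 or later.
$sp = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CSDVersion
Write-Host "Service pack level: $sp"

# 1. Tell the DC where the KDC for the MIT realm lives (reboot the DC afterwards).
ksetup /addkdc $MitRealm $MitKdc

# 2. Create the realm trust. The slides do this in the MMC; netdom does the same thing.
netdom trust $W2kDomain "/d:$MitRealm" /add /realm "/passwordt:$TrustPass"

# 3. Make the trust transitive so users in child domains also authenticate via Kerberos.
netdom trust $W2kDomain "/d:$MitRealm" /transitive:yes

# 4. Map each MIT principal to its W2K user account (repeat per user).
ksetup /mapuser "jdoe@$MitRealm" jdoe

# 5. On each W2K workstation: add the realm/KDC entry, then reboot.
ksetup /addkdc $MitRealm $MitKdc

# Verify what ksetup wrote; realm/KDC entries live under this registry key.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains' -Recurse
```

The registry listing at the end is the place to look when a workstation cannot reach the right remote KDC: the realm entry must be present and spelled in uppercase, and its KDC name must resolve from that workstation.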
MIT KDC Issues
– Trust needs to be established between the MIT KDCs (main and remote) and the top-level W2K DCs.
– Transitive trusts need to be established for all down-level W2K DCs.
– Principals must be mapped to W2K accounts.
– Clients need to be modified (registry) to contact the correct remote KDC for quicker log in.
– Slow notification if an incorrect MIT KDC Kerberos principal is entered (1 minute delay, 3-4 sec for a W2K DC).
MIT KDC Issues
– Patch/upgrade issue: W2K systems must be at SP1. Future patches/upgrades could break the trust.
– Passwords: presently W2K users cannot set passwords. Fixed with an upgrade of the MIT KDC?
– How to synchronize principals and accounts? (Long-term solution: CNAS, but no short-term solution.)
W2K Issues
– NTLM authentication
  – Systems not part of the W2K domain use NTLM authentication.
  – Many applications use NTLM authentication.
– IIS/Exchange Kerberos authentication requires use of Microsoft Kerberos (not documented).
Tools
– Kerbtray (resource kit)
  – Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.
– Klist (resource kit)
  – Command-line tool used to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use the tool.)
– Netdom (support tools)
  – Command-line tool used to establish trusts and reset Kerberos passwords.
– Event logs
  – 672: Krbtgt
  – 680: NTLM
  – 540: Successful network logon via Kerberos (computers)
  – 673: Service tickets granted
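The event IDs above are what an administrator has for measuring how much of the domain still depends on NTLM before deciding whether it can be fully kerberized. The following is an added example, not from the FNAL slides: it classifies Security-log records by those W2K event IDs and reports, per account, how many logons were Kerberos (672/673/540) versus NTLM (680) and where the NTLM ones came from. The records are constructed sample data; the `Get-AuthSummary` function and the field names are my own.

```powershell
# Added example: NTLM vs Kerberos triage by W2K Security-log event ID.
# Sample records below are constructed; on a real W2K DC you would read the
# Security log and feed its entries into Get-AuthSummary instead.

$KerberosIds = @{ 672 = 'TGT (krbtgt)'; 673 = 'service ticket'; 540 = 'network logon via Kerberos' }
$NtlmIds     = @{ 680 = 'NTLM' }

$SampleEvents = @(
    [pscustomobject]@{ EventId = 672; Account = 'jdoe';    Source = 'DESK01' }
    [pscustomobject]@{ EventId = 673; Account = 'jdoe';    Source = 'DESK01' }
    [pscustomobject]@{ EventId = 680; Account = 'jdoe';    Source = 'LEGACYAPP' }  # application falling back to NTLM
    [pscustomobject]@{ EventId = 680; Account = 'msmith';  Source = 'LAPTOP9' }    # machine outside the W2K domain
    [pscustomobject]@{ EventId = 540; Account = 'DESK01$'; Source = 'DC1' }        # computer account, Kerberos
    [pscustomobject]@{ EventId = 672; Account = 'akumar';  Source = 'DESK02' }
    [pscustomobject]@{ EventId = 529; Account = 'akumar';  Source = 'DESK02' }     # unrelated ID, ignored
)

function Get-AuthSummary {
    param([Parameter(Mandatory)][object[]]$Events)

    $Events |
        Where-Object { $KerberosIds.ContainsKey($_.EventId) -or $NtlmIds.ContainsKey($_.EventId) } |
        Group-Object Account |
        ForEach-Object {
            $krbEvents  = @($_.Group | Where-Object { $KerberosIds.ContainsKey($_.EventId) })
            $ntlmEvents = @($_.Group | Where-Object { $NtlmIds.ContainsKey($_.EventId) })
            [pscustomobject]@{
                Account      = $_.Name
                Kerberos     = $krbEvents.Count
                NTLM         = $ntlmEvents.Count
                NtlmSources  = ($ntlmEvents | Select-Object -ExpandProperty Source -Unique) -join ','
                KerberosOnly = ($ntlmEvents.Count -eq 0)
            }
        }
}

# Accounts with NTLM logons first: these are the users (or hosts) that would
# break if NTLM were switched off for the domain.
Get-AuthSummary -Events $SampleEvents | Sort-Object NTLM -Descending | Format-Table -AutoSize
```

Run against the real log, the `NtlmSources` column separates the two causes the slides name: non-domain machines (a workstation name that is not in the domain) and applications that use NTLM even from domain members.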
KDC Recommendation
– The W2K Migration Group recommends using the Microsoft Kerberos implementation in parallel with the MIT KDC at this time.
– The group also recommends allowing NTLMv2 authentication. A completely kerberized W2K domain will prevent users from performing their work at this time!