W2K and Kerberos at FNAL Jack Mark

Background  Please wait for Dane Skow’s talk for Fermilab strong authentication details.  Fermilab’s goal: –Site-wide strong authentication by Dec. 31; –Based on Kerberos 5;  Impacts on Windows 2000 migration?

Goals  Provide single password for all users.  Use only Kerberos for user authentication and resource access in W2K domain.  Use existing Unix MIT KDC for user authentication. –MIT KDC in pilot use for 2 years. –About to go into production.  Desktops and servers must be able to contact secondary MIT KDCs and W2K DCs. –E.g. CDF systems need to communicate with CDF KDC and DC.

Using the MIT KDC w/ W2K  Use MIT KDC for user authentication.  W2K KDC provides service tickets.  Microsoft documents how to do this: –“Step-by-Step Guide to Kerberos 5 Interoperability”Step-by-Step Guide to Kerberos 5 Interoperability

Using the MIT KDC w/ W2K: General Approach  Trust needs to be established between MIT KDCs (main and remote) and top level W2K DC’s.  Transitive trusts need to be established for all down-level W2K DC’s.  Principals must be mapped to W2K account.  Clients need to be modified (registry) to contact correct remote KDC for quicker log in.

Using the MIT KDC w/ W2K: Technical Details  Establish trust between MIT and W2K domains: –Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot DC); –Establish MIT KDC trust on W2K DC (MMC snapin) –Complete trust on MIT KDC; –Create transitive trust on the W2K KC using netdom command line tool;  Create user accounts on W2K DC: –Map user principal to W2K user account;  Add realm entry to workstations: –Modify W2K workstations to access the MIT KDC for log in (reboot workstation); MMC = Microsoft Management Console thru Administration of Domains & Trusts snapin Transitive trust is used to talk to downlevel DC’s, e.g. in child domains.

Using the MIT KDC w/ W2K: Technical Issues  Workstations must have the kerberos realm added or users will not be able to login. –A security template can be used in the W2K domain.  A transitive trust must be established or users in child domains will not be authenticated via kerberos  Slow notification if incorrect MIT KDC kerberos principal is entered (1 minute delay, 3-4 sec for W2K DC).

Using the MIT KDC w/ W2K: Technical Issues  The ksetup tool is not found in the W2K resource kit as documented. –It is in the W2K server support/tools folder.  The realm name is case sensitive and should be uppercase.  W2K workstations must be at SP1 for this to work!

Using the MIT KDC w/ W2K: Compatibility Issues  Patches and upgrades: –W2K systems must be at SP1; MIT KDC at v1.2. –Will future upgrades break things?  Passwords: –Presently W2K users can not set passwords on MIT KDC. –Fixed with an upgrade of the MIT KDC?  Synchronizing MIT principals and W2K accounts: –Long term solution – central accounts database, but no short term…

W2K Issues  NTLM authentication: –NTLM authentication is used by systems not part of the W2K domain. –Also, many applications use NTLM. –This is an issue even with a W2K KDC.  IIS & Exchange Kerberos authentication: –Requires Microsoft Kerberos implementation? –Or at least not well documented.

Where we’re headed…  Fermilab W2K Migration Group recommends: –use the Microsoft Kerberos implementation. Operate MIT KDC and W2K DC in parallel (“ships in the night”). –allow NTLMv2 authentication. A completely Kerberized W2K domain would prevent users from performing their work!

Tools  Kerbtray (resource kit) –GUI tool that displays Kerberos ticket information.  Kpasswd (resource kit) –Does the obvious thing…  Klist (resource kit) –Command-line tool to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use tool.)  Netdom (support tools) –Command-line tool used to establish trusts, reset Kerberos passwords.

Tools  Event log entries (useful for debugging): –672: Krbtgt –680: NTLM –540: (Computer) network logon via Kerberos –673: Service tickets granted