Windows 2000 Kerberos Interoperability

Paul Hill, Co-Leader, Kerberos Development Team, MIT
John Brezak, Program Manager, Windows 2000 Security, Microsoft Corporation

Windows 2000 Kerberos Interoperability
- History
- Windows 2000 implementation
- Interoperability scenarios

Some History
- Kerberos was developed at MIT as part of Project Athena
- Funded by Digital and IBM
- Freely available source that allows derivative commercial work
- Change control given to the IETF
- Based on research by Needham and Schroeder
- Needham is now a Microsoft Research employee

MIT's Goals
- Provide a solution that nobody else was addressing at the time
- Convince others that security is important
- Get vendors to adopt Kerberos so that we could purchase secure systems
- Have we succeeded beyond our expectations?

Commercial Support
- Many vendors have come and gone
  - GZA / Open Vision / Veritas
  - Cygnus
- Sun
- IBM
- SGI
- OSF DCE
- CyberSafe
- Microsoft

Integration
- Operating systems have shipped with Kerberos but not used it as the default authentication mechanism
- OS vendors shipping Kerberos have not provided applications or services that are integrated with it
- Microsoft is changing this
  - Default authentication
  - Application support
  - Using it to secure other infrastructure

What Is Kerberos
- Kerberos IV is currently deployed in many universities (many Kerberized applications for Unix)
- Kerberos IV is used in the Andrew File System (AFS)
- Kerberos IV had design flaws, leading to Kerberos version 5
- Kerberos v5 is a standard (RFC 1510)
- Kerberos IV and Kerberos 5 do not interoperate!
- Bones and eBones (Kerberos IV with the encryption code removed for export, and with it restored outside the US, respectively)
- Windows 2000 implements Kerberos v5

Windows 2000 Kerberos
- Every Domain Controller is a KDC
- Active Directory is the administrative interface, via LDAP
- Programmer's interface is SSPI (similar to GSSAPI); no krb5 APIs
- DNS domain and Kerberos realm names are identical, apart from case (the realm is the DNS domain name in upper case)
- Also provides the authorization service for the Windows NT security model

Windows 2000 Kerberos Implementation
- Locates the KDC via DNS
- DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
- RC4-HMAC is the preferred enctype (56-bit export and 128-bit key variants)
- Does not support the MD4 checksum type
- No support for DCE-style cross-realm trust
- Postdated tickets not implemented
- Structured service naming conventions
- PKINIT
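The two slides above state the naming rule (realm = DNS domain, upper-cased) and that the KDC is found through DNS. The following is an added example, not code from the presentation or from Windows 2000: it implements the MIT krb5 [domain_realm] host-to-realm lookup with the Windows naming rule as the fallback, and lists the DNS SRV owner names a client queries to find a KDC. The hostnames and the mapping table are constructed for illustration.

```python
"""Map DNS names to Kerberos realms and derive the DNS SRV names used to
locate a KDC. Added example, not code from the slides; the hostnames and the
[domain_realm] table are constructed for illustration."""

# Constructed stand-in for the [domain_realm] section of /etc/krb5.conf.
# Keys starting with "." match any host under that DNS domain; keys without
# a leading dot match a single host exactly.
DOMAIN_REALM = {
    "db.company.com": "NT.COMPANY.COM",      # one Unix box serving the Windows domain
    ".athena.mit.edu": "ATHENA.MIT.EDU",     # a whole Unix subdomain
    ".nt.company.com": "NT.COMPANY.COM",
}


def realm_for_host(hostname, domain_realm=DOMAIN_REALM):
    """Return the realm for a host.

    Lookup order follows the MIT krb5 [domain_realm] rules: an exact host
    match first, then the longest matching parent domain (".a.b.c", ".b.c",
    ...). With no match, fall back to the Windows 2000 convention from the
    slides: the realm is the DNS domain name upper-cased.
    """
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # Fallback: DNS domain == realm, modulo case.
    return ".".join(labels[1:]).upper()


def kdc_srv_names(realm, windows_domain=False):
    """DNS SRV owner names a client queries to find a KDC for `realm`.

    The generic names are the Kerberos DNS location conventions
    (_kerberos._udp / _kerberos._tcp and _kpasswd._udp for the password
    service). A Windows 2000 domain controller additionally registers itself
    under the _msdcs subdomain, which Windows clients query for a domain KDC.
    """
    domain = realm.lower()
    names = [
        "_kerberos._udp." + domain,
        "_kerberos._tcp." + domain,
        "_kpasswd._udp." + domain,
    ]
    if windows_domain:
        names.append("_kerberos._tcp.dc._msdcs." + domain)
    return names


if __name__ == "__main__":
    for h in ("db.company.com", "WS1.NT.COMPANY.COM.", "login.athena.mit.edu", "mail.example.org"):
        print(h, "->", realm_for_host(h))
    for n in kdc_srv_names("NT.COMPANY.COM", windows_domain=True):
        print(n)
```

The trailing-dot and case handling matter in practice: a Unix client with a mixed-case or fully qualified hostname must still land on the same upper-case realm the Windows KDC issues tickets for, or cross-realm lookups fail with an unknown-realm error.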

Windows 2000 Kerberos Standards
- RFC 1510 (+ parts of the Kerberos-revisions I-D)
- Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
- Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
- RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
- PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt

Kerberos Authorization Data
- The Kerberos protocol supports authorization data in tickets
  - Examples: the DCE and SESAME architectures
- Revision to RFC 1510
  - Clarifications on client-supplied and KDC-supplied data
  - Submitted by Ted Ts'o and Clifford Neuman
- Interoperability issues are minimal
  - Windows 2000 authorization data is ignored by UNIX implementations

Authorization Data
- What is the client allowed to do?
  - Based on Windows 2000 group membership
  - Identified by Security IDs (SIDs) in the NT security architecture
- The Windows 2000 KDC supplies authorization data in tickets
  - At interactive logon (AS exchange): user SID, global and universal group SIDs
  - At session ticket request (TGS exchange): domain local group SIDs

Negotiate Package
- Special SSP to select an authentication package
- Windows 2000 logo requirement
- Implementation of SPNEGO (RFC 2478)
- Tries up-level SSPs (Kerberos)
- Falls back to down-level SSPs (NTLM)
- Selection of the up-level SSP is based on the SPN
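To make the Negotiate slide concrete, here is an added example (not code from the presentation, Microsoft's SSPI, or any GSS-API library) that builds and parses the first SPNEGO message, the NegTokenInit of RFC 2478, with the mechanism list a Windows 2000 client offers, Kerberos ahead of NTLMSSP, and then applies the acceptor's rule of taking the first offered mechanism it supports. The OIDs are the real registered values; the inner mechanism token is a constructed placeholder rather than a real AP-REQ or NTLM message, and the helper names are this example's own.

```python
"""Build and parse a SPNEGO (RFC 2478) NegTokenInit and pick the mechanism a
server would use. Added example, not code from the slides or from Windows;
the inner mechanism token is a constructed placeholder, not a real Kerberos
or NTLM message."""
import struct

# Object identifiers: SPNEGO itself, then the mechanisms Windows 2000 offers
# in preference order, Kerberos (up-level) first and NTLMSSP (down-level) last.
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"       # Microsoft's historical Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def der_oid(dotted):
    """DER-encode an OID body (without tag and length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der_oid_decode(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, body):
    """DER tag-length-value with definite lengths up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def parse_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def neg_token_init(mech_oids, mech_token):
    """GSS-API initial context token carrying a SPNEGO NegTokenInit.

    InitialContextToken ::= [APPLICATION 0] { thisMech OID, innerToken }
    NegotiationToken   ::= CHOICE { negTokenInit [0] NegTokenInit, ... }
    NegTokenInit       ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID,
                                      [2] mechToken OCTET STRING }
    """
    mech_types = tlv(0x30, b"".join(tlv(0x06, der_oid(o)) for o in mech_oids))
    seq = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, tlv(0x06, der_oid(OID_SPNEGO)) + tlv(0xA0, seq))


def parse_neg_token_init(token):
    """Return (mechTypes list, mechToken) from an initial SPNEGO token."""
    tag, body, _ = parse_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = parse_tlv(body)
    if tag != 0x06 or der_oid_decode(oid) != OID_SPNEGO:
        raise ValueError("thisMech is not SPNEGO")
    _, choice, _ = parse_tlv(body, pos)       # [0] negTokenInit
    _, seq, _ = parse_tlv(choice)             # SEQUENCE
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        ctag, cbody, pos = parse_tlv(seq, pos)
        if ctag == 0xA0:                      # mechTypes
            _, lst, _ = parse_tlv(cbody)
            p = 0
            while p < len(lst):
                _, o, p = parse_tlv(lst, p)
                mechs.append(der_oid_decode(o))
        elif ctag == 0xA2:                    # mechToken
            _, mech_token, _ = parse_tlv(cbody)
    return mechs, mech_token


def select_mechanism(offered, supported):
    """Acceptor's choice: the first mechanism the client offers that the server
    supports. With Kerberos listed before NTLMSSP, a Kerberos-capable server
    gets Kerberos and NTLM is used only as the fallback the slide describes."""
    for mech in offered:
        if mech in supported:
            return mech
    return None
```

A server that only knows NTLMSSP still gets the optimistic Kerberos mechToken in the first message and must ignore it; the point of the mechTypes list is that the client does not have to know in advance which SSP the far end has.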

Kerberos Interoperability Scenarios
- Windows 2000 domain without a Microsoft KDC
- Kerberos clients in a Windows 2000 domain
- Kerberos servers in a Windows 2000 domain
- Standalone Windows 2000 systems in a Kerberos realm
- Using a Kerberos realm as a resource domain
- Using a Kerberos realm as an account domain

Windows 2000 Domain Without A Microsoft KDC
- Not a supported scenario
- The Windows 2000 domain security model depends on authorization data
- The Microsoft KDC is tightly integrated with Active Directory
- Support for down-level services (NTLM)

Standalone Windows 2000 Computers
- A dorm student has a Windows 2000 computer that they want to use with the University's Kerberos realm
- Configure the system as standalone (no domain)
- Use Ksetup to configure the realm
- Use Ksetup to establish the local account mapping
- Log on to the Kerberos realm
(Diagram: a Windows 2000 computer authenticating to a Linux KDC for the realm MIT.REALM.COM)

Using Kerberos Servers
- Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
- /etc/krb5.conf on the database server
- Create a service account in the domain
- Use ktpass to export a keytab
- Copy the keytab to the database server
- The IIS server is trusted for delegation
(Diagram: Windows 2000 workstation, Windows 2000 IIS server and Unix database server, all in the nt.company.com domain)
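The procedure above ends with a keytab produced by ktpass on the domain and copied to the Unix database server; the practitioner's check at that point is that the file actually holds the expected service principal with an enctype both sides implement (the slides list DES-CBC-CRC and DES-CBC-MD5 as the interoperability enctypes). The following is an added example, not code from the presentation, from ktpass or from MIT krb5: it writes and reads the MIT keytab file format (version 0x0502) and checks a keytab against the principal the service expects. The principal name, key bytes and timestamp are constructed; the key is not a real DES key.

```python
"""Write and read a MIT-format keytab (version 0x0502), the file format
ktpass produces for a Unix service. Added example, not code from the slides
or from ktpass; the principal, key bytes and timestamp are constructed."""
import struct

# Kerberos encryption type numbers for the enctypes named in the slides.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1          # name type ktpass uses by default


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def write_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes, timestamp).

    Per entry (all big-endian): int32 size, uint16 num_components, counted
    realm, counted components..., uint32 name_type, uint32 timestamp,
    uint8 vno8, uint16 enctype, counted key. In version 0x0502 the realm is
    not included in num_components.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data):
    """Return one dict per entry, roughly what `klist -ke` prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        fields = []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            fields.append(data[pos:pos + n].decode()); pos += n
        realm, comps = fields[0], fields[1:]
        _name_type, ts, vno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if pos + 4 <= end:             # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack(">I", data[pos:pos + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": ENCTYPES.get(etype, str(etype)),
                        "key": key, "timestamp": ts})
        pos = end
    return entries


def check_service_keytab(data, expected_principal,
                         allowed=("des-cbc-crc", "des-cbc-md5", "rc4-hmac")):
    """Checks to run before pointing a Unix service at a keytab copied from a
    Windows 2000 domain: the principal ktpass was given must be present, and
    its key must use an enctype the service's Kerberos library implements.
    Returns a list of problems; an empty list means the keytab is usable."""
    problems = []
    matches = [e for e in read_keytab(data) if e["principal"] == expected_principal]
    if not matches:
        problems.append("no key for " + expected_principal)
    for e in matches:
        if e["enctype"] not in allowed:
            problems.append("%s has unusable enctype %s" % (e["principal"], e["enctype"]))
    return problems


# Constructed sample: what ktpass would emit for the database server's service
# account in the slides' scenario (key bytes are made up, not a real key).
SAMPLE = write_keytab([
    ("dbsvc/db.company.com@NT.COMPANY.COM", 1, 3, bytes(range(8)), 946684800),
])

if __name__ == "__main__":
    for e in read_keytab(SAMPLE):
        print("%d %s (%s)" % (e["kvno"], e["principal"], e["enctype"]))
    print(check_service_keytab(SAMPLE, "dbsvc/db.company.com@NT.COMPANY.COM"))
```

Two failure modes this catches are the common ones in practice: the principal in the keytab not matching the name the service registers (a host name that is not fully qualified, or a realm in the wrong case), and a key whose enctype the Unix library cannot use, which surfaces as a decrypt-integrity error only when the first client connects.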

Using Unix KDCs With Windows 2000 Authorization
(Diagram: a Windows 2000 Professional client, an MIT KDC for the realm COMPANY.REALM, a Windows 2000 KDC for the domain nt.company.com, and a Windows 2000 Server; the numbered exchanges are:)
1. TGT
2. TGT; name mapping to NT account
3. TICKET
4. TICKET with NT authorization data

Kerberos Realm As A Resource Domain
- The realm contains service principals for Unix-based services
- The service does name-based authorization
(Diagram: a Windows 2000 user in win2k.domain.com accesses a Unix server in MIT.REALM.COM; the realm trusts domain users)

Kerberos Realm As An Account Domain
- User logs on with a Kerberos principal
- User has a shadow account in an account domain (for applying authorization)
- The mapping is used at logon for the domain identity
(Diagram: User@MIT.REALM.COM logs on; the domain win2k.domain.com trusts realm users; the computer account comp$@win2k.domain.com and the shadow account user@win2k.domain.com are mapped to user@MIT.REALM.COM)

Using A Kerberos Realm As An Account Domain
- Requires shadow accounts in the domain
- Requires synchronized passwords so that NTLM can work
- Have a sample that shows account sync with an MIT Kerberos realm
- CyberSafe is adding this capability with password sync to TrustBroker

Microsoft And The IETF CAT WG
Significant contributions to the standards:
- Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
- The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
- User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
- Extension to Kerberos V5 For Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
- Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
- The Simple and Protected GSS-API Negotiation Mechanism (RFC 2478)

Kerberos Interoperability
- Windows 2000 Kerberos is interoperable with other popular versions
- Interoperability is regularly tested
- Customer-driven interoperability scenarios
- Push and enrich the Kerberos standards

For Additional Information
Web sites:
- Windows 2000 Kerberos Authentication: www.microsoft.com/windows/server/Technical/security/kerberos.asp
- Windows 2000 Kerberos Interoperability Whitepaper: http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.asp
- MIT Kerberos 5 Interoperability walk-through: http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp
- Compaq White Paper "Windows 2000 Authentication: under the hood": www.compaq.com/activeanswers (Windows 2000 section)
- CyberSafe ActiveTrust: www.cybersafe.com
- Interop with Win2000 Active Directory and Kerberos Services: msdn.microsoft.com/library/techart/kerberossamp.htm
