
W2K and Kerberos at FNAL (presentation transcript)


Slide 1: W2K and Kerberos at FNAL
  Jack Schmidt (schmidt@fnal.gov)
  Mark Kaletka (kaletka@fnal.gov)

Slide 2: Background
- Please wait for Dane Skow's talk for Fermilab strong authentication details.
- Fermilab's goal:
  - Site-wide strong authentication by Dec. 31
  - Based on Kerberos 5
- Impacts on Windows 2000 migration?

Slide 3: Goals
- Provide a single password for all users.
- Use only Kerberos for user authentication and resource access in the W2K domain.
- Use the existing Unix MIT KDC for user authentication.
  - MIT KDC in pilot use for 2 years.
  - About to go into production.
- Desktops and servers must be able to contact secondary MIT KDCs and W2K DCs.
  - E.g. CDF systems need to communicate with the CDF KDC and DC.

Slide 4: Using the MIT KDC w/ W2K
- Use the MIT KDC for user authentication.
- The W2K KDC provides service tickets.
- Microsoft documents how to do this:
  - "Step-by-Step Guide to Kerberos 5 Interoperability"

Slide 5: Using the MIT KDC w/ W2K: General Approach
- Trust needs to be established between the MIT KDCs (main and remote) and the top-level W2K DCs.
- Transitive trusts need to be established for all down-level W2K DCs.
- Principals must be mapped to W2K accounts.
- Clients need to be modified (registry) to contact the correct remote KDC for quicker log in.

Slide 6: Using the MIT KDC w/ W2K: Technical Details
- Establish trust between the MIT and W2K domains:
  - Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot the DC);
  - Establish the MIT KDC trust on the W2K DC (MMC snap-in);
  - Complete the trust on the MIT KDC;
  - Create the transitive trust on the W2K DC using the netdom command-line tool.
- Create user accounts on the W2K DC:
  - Map each user principal to a W2K user account.
- Add the realm entry to workstations:
  - Modify W2K workstations to access the MIT KDC for log in (reboot the workstation).

Speaker notes: MMC = Microsoft Management Console, through the Domains & Trusts snap-in. Transitive trust is used to talk to down-level DCs, e.g. in child domains.

Slide 7: Using the MIT KDC w/ W2K: Technical Issues
- Workstations must have the Kerberos realm added or users will not be able to log in.
  - A security template can be used in the W2K domain.
- A transitive trust must be established or users in child domains will not be authenticated via Kerberos.
- Slow notification if an incorrect MIT KDC Kerberos principal is entered (1 minute delay, vs. 3-4 sec for a W2K DC).

Slide 8: Using the MIT KDC w/ W2K: Technical Issues
- The ksetup tool is not found in the W2K resource kit as documented.
  - It is in the W2K server support/tools folder.
- The realm name is case sensitive and should be uppercase.
- W2K workstations must be at SP1 for this to work!
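The trust steps on slides 5 through 8 interact in ways that are easy to get wrong, and each mistake shows up as a different kind of logon failure. The following Python script is an added example, not FNAL's tooling and not taken from the Microsoft guide: it models a user's realm, the W2K domains, the realm trusts with their transitivity flag, and the principal-to-account mappings, then reports why an MIT principal's access to a service in a given W2K domain would fail. It generalizes slightly beyond the slides by walking a trust chain of any length, not just parent and one child. The domain names W2K.FNAL.GOV and CDF.W2K.FNAL.GOV, the KDC host names and the accounts are constructed; the ksetup switches named in the messages (/addkdc, /mapuser) are the documented ones and appear only as reminders of which step fixes which failure.

```python
"""Model of the MIT-realm / W2K-domain trust setup from slides 5-8.

Added example (constructed names, not FNAL's configuration). It answers one
question: can principal P, logging on at a given workstation, get a service
ticket in W2K domain D? Three things must hold, matching the slides:
  1. the workstation knows a KDC for P's realm (slide 7, ksetup /addkdc);
  2. a trust path exists from P's realm to D, and every intermediate hop
     admitted the ticket through a *transitive* trust (slides 5-7, netdom);
  3. P is mapped to an account in D (slides 5-6, ksetup /mapuser).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Realm:
    """A Kerberos realm or W2K domain as seen by the trust topology."""
    name: str
    # trusted realm name -> True if the trust is transitive (may be forwarded
    # on to child domains), False if it is a plain one-hop realm trust.
    trusts: Dict[str, bool] = field(default_factory=dict)
    # MIT principal -> local account it is mapped to (ksetup /mapuser).
    account_map: Dict[str, str] = field(default_factory=dict)


def find_trust_path(realms: Dict[str, Realm], user_realm: str,
                    service_realm: str) -> Optional[List[str]]:
    """Return the realm chain a cross-realm TGT must traverse, or None.

    Each hop requires the next realm to trust the current one. A realm may
    forward the ticket further only if the trust that admitted it was
    transitive: a non-transitive MIT<->W2K realm trust therefore works for
    the top-level domain but stops there, which is the child-domain failure
    slide 7 describes.
    """
    def walk(current: str, path: List[str], admitted_transitively: bool):
        if current == service_realm:
            return path
        if len(path) > 1 and not admitted_transitively:
            return None  # ticket cannot be forwarded beyond this realm
        for nxt, realm in realms.items():
            if nxt in path or current not in realm.trusts:
                continue
            found = walk(nxt, path + [nxt], realm.trusts[current])
            if found is not None:
                return found
        return None

    return walk(user_realm, [user_realm], True)


def logon_check(realms: Dict[str, Realm], workstation_kdcs: Dict[str, List[str]],
                principal: str, service_realm: str) -> List[str]:
    """List the reasons access would fail; an empty list means it should work."""
    problems = []
    user_realm = principal.split("@", 1)[1]
    if user_realm != user_realm.upper():                              # slide 8
        problems.append("realm name %r is not uppercase (realm names are case sensitive)" % user_realm)
    if not workstation_kdcs.get(user_realm):                          # slide 7
        problems.append("workstation has no KDC entry for %s (ksetup /addkdc)" % user_realm)
    if find_trust_path(realms, user_realm, service_realm) is None:    # slides 5-7
        problems.append("no usable trust path from %s to %s (realm trust missing or not transitive)"
                        % (user_realm, service_realm))
    if principal not in realms[service_realm].account_map:            # slides 5-6
        problems.append("%s is not mapped to an account in %s (ksetup /mapuser)" % (principal, service_realm))
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed topology: MIT realm, top-level W2K domain, one child domain."""
    mit, top, child = "FNAL.GOV", "W2K.FNAL.GOV", "CDF.W2K.FNAL.GOV"
    realms = {
        mit: Realm(mit),
        top: Realm(top, trusts={mit: True},        # realm trust made transitive with netdom
                   account_map={"alice@" + mit: "alice"}),
        child: Realm(child, trusts={top: True},    # parent-child trust
                     account_map={"alice@" + mit: "alice"}),
    }
    ws_ok = {mit: ["kdc1.fnal.example", "kdc2.fnal.example"]}  # constructed host names
    results = {
        "top-level domain": logon_check(realms, ws_ok, "alice@FNAL.GOV", top),
        "child domain, transitive trust": logon_check(realms, ws_ok, "alice@FNAL.GOV", child),
        "workstation without realm entry": logon_check(realms, {}, "alice@FNAL.GOV", top),
        "unmapped principal": logon_check(realms, ws_ok, "bob@FNAL.GOV", top),
        "lowercase realm": logon_check(realms, ws_ok, "alice@fnal.gov", top),
    }
    realms[top].trusts[mit] = False  # same setup, but the netdom transitive step was skipped
    results["child domain, non-transitive trust"] = logon_check(realms, ws_ok, "alice@FNAL.GOV", child)
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario + ":", "OK" if not problems else "; ".join(problems))
```

The "child domain, non-transitive trust" scenario is the one slide 7 warns about: the top-level domain still works because it trusts the MIT realm directly, while the child domain has no admissible path and its users silently fall back to something other than Kerberos.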

Slide 9: Using the MIT KDC w/ W2K: Compatibility Issues
- Patches and upgrades:
  - W2K systems must be at SP1; MIT KDC at v1.2.
  - Will future upgrades break things?
- Passwords:
  - Presently W2K users cannot set passwords on the MIT KDC.
  - Fixed with an upgrade of the MIT KDC?
- Synchronizing MIT principals and W2K accounts:
  - Long-term solution: a central accounts database, but no short term...

Slide 10: W2K Issues
- NTLM authentication:
  - NTLM authentication is used by systems that are not part of the W2K domain.
  - Also, many applications use NTLM.
  - This is an issue even with a W2K KDC.
- IIS & Exchange Kerberos authentication:
  - Requires the Microsoft Kerberos implementation?
  - Or at least it is not well documented.

Slide 11: Where we're headed...
- The Fermilab W2K Migration Group recommends:
  - Use the Microsoft Kerberos implementation. Operate the MIT KDC and W2K DC in parallel ("ships in the night").
  - Allow NTLMv2 authentication. A completely Kerberized W2K domain would prevent users from performing their work!

Slide 12: Tools
- Kerbtray (resource kit)
  - GUI tool that displays Kerberos ticket information.
- Kpasswd (resource kit)
  - Does the obvious thing...
- Klist (resource kit)
  - Command-line tool to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use the tool.)
- Netdom (support tools)
  - Command-line tool used to establish trusts and reset Kerberos passwords.

Slide 13: Tools
- Event log entries (useful for debugging):
  - 672: Krbtgt
  - 680: NTLM
  - 540: (Computer) network logon via Kerberos
  - 673: Service tickets granted
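The event IDs on slide 13 also answer the question behind slides 10 and 11: how much of the domain still depends on NTLM, and which accounts and hosts are responsible. The following Python script is an added example, not part of the presentation or of any Fermilab tool. Its input is a constructed, simplified "event_id,account,source" listing rather than a real Event Viewer export, and the classification uses exactly the IDs the slide gives (680 as NTLM; 672, 673 and 540 as Kerberos).

```python
"""Classify W2K Security-log logon events by authentication package.

Added example with a constructed input (not an Event Viewer export): each
line is "event_id,account,source". The event IDs are the ones slide 13 lists.
Counting NTLM (680) against Kerberos (672/673/540) per account shows how much
of the domain still depends on NTLM, which is what slide 11's decision to keep
NTLMv2 enabled rests on.
"""
import csv
from collections import defaultdict
from io import StringIO

KERBEROS_EVENTS = {
    672: "Krbtgt (TGT granted)",
    673: "service ticket granted",
    540: "network logon via Kerberos",  # classified as slide 13 describes it
}
NTLM_EVENTS = {680: "NTLM logon"}

# Constructed sample: one Kerberos-only user (alice has one NTLM logon from a
# print server), one mixed user, and one NTLM-only account coming from a host
# that is not a member of the W2K domain.
SAMPLE_LOG = """\
event_id,account,source
672,alice,ws01
673,alice,ws01
540,alice,fileserver
680,legacyapp,oldnt4box
680,alice,printsvr
672,bob,ws02
673,bob,ws02
680,bob,ws02
"""


def parse(text):
    """Parse the CSV form into (event_id, account, source) tuples, keeping only
    the logon-related IDs we classify and skipping malformed rows."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        try:
            eid = int(row["event_id"])
        except (TypeError, ValueError):
            continue
        if eid in KERBEROS_EVENTS or eid in NTLM_EVENTS:
            rows.append((eid, row["account"], row["source"]))
    return rows


def summarize(rows):
    """Per-account Kerberos/NTLM counts plus the NTLM-only accounts and the
    hosts from which NTLM logons were seen (the candidates for slide 10's
    'not part of the W2K domain' and 'application uses NTLM' cases)."""
    per_account = defaultdict(lambda: {"kerberos": 0, "ntlm": 0, "ntlm_sources": set()})
    for eid, account, source in rows:
        if eid in KERBEROS_EVENTS:
            per_account[account]["kerberos"] += 1
        else:
            per_account[account]["ntlm"] += 1
            per_account[account]["ntlm_sources"].add(source)
    kerberos = sum(c["kerberos"] for c in per_account.values())
    ntlm = sum(c["ntlm"] for c in per_account.values())
    total = kerberos + ntlm
    return {
        "kerberos": kerberos,
        "ntlm": ntlm,
        "ntlm_share": ntlm / total if total else 0.0,
        "ntlm_only_accounts": sorted(a for a, c in per_account.items()
                                     if c["ntlm"] and not c["kerberos"]),
        "ntlm_sources": sorted(set().union(*(c["ntlm_sources"] for c in per_account.values()))),
        "per_account": {a: dict(c, ntlm_sources=sorted(c["ntlm_sources"]))
                        for a, c in per_account.items()},
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_LOG))
    print("Kerberos events: %d, NTLM events: %d (NTLM share %.0f%%)"
          % (s["kerberos"], s["ntlm"], 100 * s["ntlm_share"]))
    print("NTLM-only accounts:", ", ".join(s["ntlm_only_accounts"]) or "none")
    print("Hosts with NTLM logons:", ", ".join(s["ntlm_sources"]) or "none")
```

Run against a real export, the NTLM-only accounts and their source hosts are the list of systems and applications that would stop working in the fully Kerberized domain slide 11 decides against; the per-account breakdown shows which users would be affected only partially.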

