Presentation is loading. Please wait.

Presentation is loading. Please wait.

W2K and Kerberos at FNAL Jack Schmidt Mark Kaletka.

Published byKristian James Modified over 8 years ago

Similar presentations

Presentation on theme: "W2K and Kerberos at FNAL Jack Schmidt Mark Kaletka."— Presentation transcript:

1 W2K and Kerberos at FNAL Jack Schmidt Mark Kaletka

2 Background  Provide single password for all users  Only use kerberos for user authentication and resource access in W2K domain.  Use exiting Unix MIT/KDC for user authentication  Desktops and servers must be able to contact remote MIT/KDCs and W2K DCs (CDF systems need to communicate with CDF KDC)

3 Using MIT KDC  MIT KDC in use for 2 years  MIT KDC provides user authentication, the W2K KDC provides service tickets  Microsoft Documentation- Step-by-Step Guide to Kerberos 5 (krg5 1.0) Interoperability http:// www.microsoft.com / WINDOWS2000 / library / planning / security / kerbsteps.asp

4 Using MIT KDC Establish a trust- –Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot DC) –Establish a trust via W2K MMC –Complete trust with MIT KDC –Create transitive trust on the W2K KDC using netdom commandline tool Create User accounts on W2K DC- –Map user principal to W2K user account. Add Realm Entry to Workstations –Modify W2K workstations to access the MIT KDC for log in. (Reboot workstation)

5 Using the MIT KDC Issues –The ksetup tool is not found in the W2K resource kit as documented but in the W2K server support/tools folder. –The realm name is case sensitive and should be uppercase. –A transitive trust must be established or users in child domains will not be authenticated via kerberos. –Workstations must have the kerberos realm added or users will not be able to login. –W2K workstations must be at SP1 for this to work! –A Security template can be used to modify workstations in the W2K domain

6 MIT KDC Issues  Trust needs to be established between MIT KDCs (main and remote) and top level W2K DC’s.  Transitive trusts need to be established for all down-level W2K DC’s  Principals must be mapped to W2K account  Clients need to be modified (registry) to contact correct remote KDC for quicker log in.  Slow notification if incorrect MIT KDC kerberos principal is entered (1 minute delay, 3-4 sec for W2K DC)

7 MIT KDC Issues  Patch/Upgrade Issue. W2K systems must be at SP1. Future patches/upgrades could break trust.  Passwords- Presently W2K users can not set passwords. Fixed with an upgrade of the MIT KDC?  How to synchronize principals and accounts? (long term solution –CNAS, but no short term)

8 W2K Issues  NTLM authentication –System not part of the W2K domain use NTLM authentication. –Many applications use NTLM authentication.  IIS/Exchange kerberos authentication require use of Microsoft kerberos (not documented)

9 Tools  Kerbtray (resource kit) –Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.  Klist (resource kit) –command-line tool used to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use tool  Netdom (support tools) –Command-line tool used to establish trusts, reset kerberos passwords  Event logs –672. Krbtgt –680. NTLM –540. Successful Network Logon via kerberos (computers) –673. Service Tickets Granted.

10 KDC Recommendation  W2K Migration Group recommends using the Microsoft kerberos implementation in parallel with the MIT KDC at this time.  The group also recommends allowing NTLMv2 authentication. A completely kerberized W2K domain will prevent users from performing their work at this time!

Download ppt "W2K and Kerberos at FNAL Jack Schmidt Mark Kaletka."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
SCSC 455 Computer Security

SCSC 455 Computer Security
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation.

Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation.
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.

UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Windows Server 2003 建立網域間之信任關係

Windows Server 2003 建立網域間之信任關係
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
15.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

15.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 3: Creating and Managing User Accounts.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Administering Active Directory

Administering Active Directory
Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 

Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 
Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.

Chapter 3 – Creating and Managing User Accounts MIS 431 – Created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 3: Creating and Managing User Accounts.

Similar presentations

Ads by Google