W2K and Kerberos at FNAL
Jack Schmidt, Mark Kaletka

1 W2K and Kerberos at FNAL
Jack Schmidt, Mark Kaletka

2 Background
- Provide a single password for all users.
- Use only Kerberos for user authentication and resource access in the W2K domain.
- Use the existing Unix MIT KDC for user authentication.
- Desktops and servers must be able to contact remote MIT KDCs and W2K DCs (CDF systems need to communicate with the CDF KDC).

3 Using MIT KDC
- The MIT KDC has been in use for 2 years.
- The MIT KDC provides user authentication; the W2K KDC provides service tickets.
- Microsoft documentation: Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability, http://www.microsoft.com/WINDOWS2000/library/planning/security/kerbsteps.asp

4 Using MIT KDC
- Establish a trust:
  - Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot the DC).
  - Establish a trust via the W2K MMC.
  - Complete the trust with the MIT KDC.
  - Create a transitive trust on the W2K KDC using the netdom command-line tool.
- Create user accounts on the W2K DC:
  - Map each user principal to a W2K user account.
- Add a realm entry to workstations:
  - Modify W2K workstations to access the MIT KDC for logon (reboot the workstation).

5 Using the MIT KDC: Issues
- The ksetup tool is not found in the W2K Resource Kit as documented, but in the W2K Server support/tools folder.
- The realm name is case sensitive and should be uppercase.
- A transitive trust must be established, or users in child domains will not be authenticated via Kerberos.
- Workstations must have the Kerberos realm added, or users will not be able to log in.
- W2K workstations must be at SP1 for this to work!
- A security template can be used to modify workstations in the W2K domain.

6 MIT KDC Issues
- A trust needs to be established between the MIT KDCs (main and remote) and the top-level W2K DCs.
- Transitive trusts need to be established for all down-level W2K DCs.
- Principals must be mapped to W2K accounts.
- Clients need to be modified (registry) to contact the correct remote KDC for quicker logon.
- Slow notification if an incorrect MIT KDC Kerberos principal is entered (1 minute delay, versus 3-4 seconds for a W2K DC).

7 MIT KDC Issues
- Patch/upgrade issue: W2K systems must be at SP1. Future patches/upgrades could break the trust.
- Passwords: presently W2K users cannot set passwords. Fixed with an upgrade of the MIT KDC?
- How to synchronize principals and accounts? (Long-term solution: CNAS, but no short-term one.)

8 W2K Issues
- NTLM authentication:
  - Systems that are not part of the W2K domain use NTLM authentication.
  - Many applications use NTLM authentication.
- IIS/Exchange Kerberos authentication requires use of Microsoft Kerberos (not documented).

9 Tools
- Kerbtray (Resource Kit): Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.
- Klist (Resource Kit): command-line tool used to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use the tool.)
- Netdom (Support Tools): command-line tool used to establish trusts and reset Kerberos passwords.
- Event logs:
  - 672: Krbtgt
  - 680: NTLM
  - 540: Successful network logon via Kerberos (computers)
  - 673: Service tickets granted

10 KDC Recommendation
- The W2K Migration Group recommends using the Microsoft Kerberos implementation in parallel with the MIT KDC at this time.
- The group also recommends allowing NTLMv2 authentication. A completely Kerberized W2K domain will prevent users from performing their work at this time!
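As an added example (not part of the presentation), the event IDs listed on slide 9 can be used to measure how much of a domain still depends on NTLM before acting on slide 10's recommendation. The script assumes a constructed CSV export in EventID,Account,Workstation form (an invented layout, not a real FNAL log) and lists accounts that appear only under NTLM event 680 and never under a Kerberos TGT event 672.

```python
"""Summarise W2K Security-log events relevant to the Kerberos/NTLM split.

Event IDs are those named on slide 9: 672 (Krbtgt / TGT issued),
673 (service ticket granted), 680 (NTLM logon), 540 (network logon).
The sample log below is constructed for this example.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

TGT_EVENT = 672
NTLM_EVENT = 680

# Constructed export, "EventID,Account,Workstation" (assumed layout, not a real log).
SAMPLE_LOG = """\
672,alice,WS-ALICE
673,alice,WS-ALICE
540,alice,FILESRV1
680,bob,LAPTOP-BOB
680,bob,LAPTOP-BOB
672,carol,WS-CAROL
540,carol,WS-CAROL
680,svc_iis,WEBSRV1
"""


def parse_events(text):
    """Turn the CSV export into (event_id, account, workstation) tuples."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 3:
            continue  # skip blank or malformed lines
        rows.append((int(rec[0]), rec[1], rec[2]))
    return rows


def ntlm_report(events):
    """Count events by ID and list accounts/hosts still authenticating with NTLM.

    Accounts seen under 680 but never under 672 never obtained a Kerberos TGT;
    they are the ones a Kerberos-only domain would lock out (slide 10's concern).
    """
    by_id = Counter(eid for eid, _, _ in events)
    krb_accounts = {acct for eid, acct, _ in events if eid == TGT_EVENT}
    ntlm_sources = defaultdict(set)
    for eid, acct, host in events:
        if eid == NTLM_EVENT:
            ntlm_sources[acct].add(host)
    ntlm_only = sorted(a for a in ntlm_sources if a not in krb_accounts)
    return {
        "counts": dict(by_id),
        "ntlm_only_accounts": ntlm_only,
        "ntlm_sources": {a: sorted(h) for a, h in ntlm_sources.items()},
    }


if __name__ == "__main__":
    print(ntlm_report(parse_events(SAMPLE_LOG)))
```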

