TRANSCRIPT
SEC400: UNIX & Kerberos Interop to Achieve Identity Management
David Mowers, Program Manager, Microsoft Security Solutions
Agenda
Identity and Access Management (I&AM) Issues
How Kerberos interop solves an identity management problem
Interop standards and technologies
Scenario & Demos
*NX/AD Kerberos Sign-on
*NX/AD Kerberos SSO
Authentication vs Authorization
Secure SSO and Authorization
Snapshot of I&AM Issues
BDM
Complex identity infrastructure costs money
Complex identity infrastructure is hard to extend to new business processes
You invested in AD, what next?
IT Pro
How to centralize management of security principals?
How to apply AD security policy to *NX accounts?
Developer
Too many authentication mechanisms to choose from
How to protect application data?
Leverage centralized authorization store
User
Multiple user accounts
Entering credentials multiple times
How Kerberos 5 Interop Helps to Solve I&AM Issues
IT Pro
All users are managed in Active Directory
AD has strong user policy enforcement
User passwords safe in AD
Developer
Kerberos 5 available on most enterprise platforms
Secure authentication
Protect application data
AD is single source of authorization data
User Experience
Authentication based on one user account in AD
Transparent authentication to applications (SSO)
Kerberos
[Diagram: Kerberos components on Linux and Windows, side by side. Linux: Login via pam_krb5 -> Kerberos (MIT de facto) -> credential (ticket) cache -> GSSAPI -> Application; service principal key table; command-line tools kinit, klist, kdestroy, kpasswd (MIT de facto). Windows: GINA (login) -> LSA -> default credential (ticket) cache -> SSPI -> Application; default service principal key table. Standards: RFC 1510 (AS - Authentication Service, TGS - Ticket Granting Service); MIT de facto: CPW - Change password service. KRB protocol exchanges run between the two stacks.]
Kerberos configuration the hard way
Step 1: Create UNIX user accounts in Active Directory
Step 2: Create UNIX workstation accounts in Active Directory
Step 3: Create keytab files for the UNIX workstations
Step 4: Install the keytab file on the UNIX workstation
Step 5: Configure the pam.conf file
Step 6: Configure the krb5.conf file
Creating the keytab file
ktpass -princ host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM -mapuser Solaris_Workstation_Name -pass password -out Solaris_Workstation_Name.keytab
It worked…
Targeting domain controller: GRNCDC01.na.corp.contoso.com
Successfully mapped host/Solaris_Workstation_Name.na.corp.contoso.com to Solaris_Workstation_Name.
Key created.
Output keytab to Solaris_Workstation_Name.keytab:
Keytab version: 0x502
keysize 79 host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0e9bd5da314f5bad)
Account Solaris_Workstation_Name has been set for DES-only encryption.
Using the keytab file
Securely transfer keytab file from DC to client
Use ktutil to import the file
At the ktutil: prompt, type rkt Solaris_Workstation_Name.keytab
At the ktutil: prompt, type wkt /etc/krb5/krb5.keytab
Configure pam.conf
# Contoso's Kerberos Setup
#
# Authentication
#
other auth sufficient pam_krb5.so.1
other auth sufficient pam_unix.so.1 use_first_pass
#
# Password
#
other password optional pam_krb5.so.1 try_first_pass
other password required pam_unix.so.1
#
# Account
#
other account optional pam_krb5.so.1
#
# Session
#
other session optional pam_krb5.so.1
Configure krb5.conf
[libdefaults]
    default_realm = NA.CORP.CONTOSO.COM
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
[realms]
    NA.CORP.CONTOSO.COM = {
        kdc = grncdc01.na.corp.contoso.com
        admin_server = grncdc01.na.corp.contoso.com
        kpasswd_protocol = SET_CHANGE
        kpasswd_server = grncdc01.na.corp.contoso.com
    }
[domain_realm]
    .na.corp.contoso.com = NA.CORP.CONTOSO.COM
    na.corp.contoso.com = NA.CORP.CONTOSO.COM
...
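The ktpass output above shows exactly what ended up in the keytab: one single-DES key (etype 0x3, DES-CBC-MD5) for the host principal, with the workstation account forced to DES-only encryption. A keytab is the long-term service credential of the *NX host, so it is worth being able to inspect one without trusting the tool that wrote it. The Python below is an added example, not code from the slides or from any Microsoft or MIT tool: it reads a keytab in the MIT 0x502 layout that ktpass and ktutil write (2-byte version, then per entry a 32-bit size, the principal, name type, timestamp, 8-bit kvno, key block and an optional 32-bit kvno) and flags entries whose encryption type is single-DES or RC4. The keytab bytes it parses are constructed inside the script from the slide's host principal and the DES key printed there; the timestamp and the second, AES entry are made-up values for contrast.

```python
import struct
from dataclasses import dataclass

# Kerberos encryption type numbers (IANA Kerberos registry); etype 3 is what the
# ktpass run on the slide produced.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
}
# Types a current KDC policy should refuse: single-DES and RC4.
WEAK_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "etype %d" % self.enctype)

    def is_weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def _counted(buf: bytes, pos: int):
    """Read a keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def build_entry(principal: str, name_type: int, timestamp: int,
                kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one entry in the MIT 0x502 layout. Used here only to construct
    sample input; ktpass and ktutil write the same layout."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: type + counted key
    body += struct.pack(">I", kvno)                        # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:             # newer writers append the full 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def audit_keytab(data: bytes) -> list:
    """Return (principal, kvno, enctype name, weak?) for every entry in the keytab."""
    return [(e.principal, e.kvno, e.enctype_name(), e.is_weak())
            for e in parse_keytab(data)]


# Constructed sample keytab: the slide's host principal with the DES key ktpass
# printed (kvno 3, etype 3), plus a made-up AES256 entry to show the contrast.
HOST_PRINC = "host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM"
KRB5_NT_PRINCIPAL = 1
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(HOST_PRINC, KRB5_NT_PRINCIPAL, 1056700000, 3, 3,
                               bytes.fromhex("0e9bd5da314f5bad"))
                 + build_entry(HOST_PRINC, KRB5_NT_PRINCIPAL, 1056700000, 4, 18,
                               bytes(range(32))))

if __name__ == "__main__":
    for princ, kvno, etype, weak in audit_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d %s %s" % (princ, kvno, etype, "WEAK" if weak else "ok"))
```

Run against a real keytab by replacing SAMPLE_KEYTAB with the file contents; an entry reported WEAK means the matching AD account still has DES enabled, which on Windows Server 2003 is what the DES-only flag set by ktpass does. The 8-byte DES key the slide prints is the service's secret in clear, which is also why the deck says to transfer the keytab securely and why a printed keytab should be regenerated.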
Success!
Now that the *NX workstation is configured, users can log on with an AD account and get Kerberos tickets
Use klist to see the TGT
The TGT is used to authenticate to apps
What's missing?
AuthZ info and profile are still stored locally
Use nss_ldap to obtain account authorization and profile information from AD
Need SFU or similar schema extension
Delete /etc/passwd
What? No PAC?
LDAP
[Diagram: LDAP access to Active Directory from Linux and Windows, side by side. Linux: login -> pam and nss_ldap -> LDAP API (OpenLDAP, iPlanet, ...) -> Application; account profile: UID, GID, home directory, groups, .... Windows: ADSI (Active Directory Services Interface) -> LDAP -> Application; account profile: groups, tel #, office #, .... Standards: LDAP (v3) - RFC 2251, LDAP API - RFC 1831, LDAP search - RFC 2254.]
Vintela Authentication Services
UNIX/Linux security systems integrated into Active Directory users
No synchronization between systems, all credentials reside within Active Directory
Authentication and authorization through Kerberos
UNIX Identity management using RFC 2307 schema
Single login and password for mixed Windows, UNIX and Linux applications and resources
All LDAP communication secured through Kerberos – no SSL overhead
Single point of account management through Active Directory – Microsoft Management Console
Immediate ROI to IT departments
Vintela – Joining Linux machine to AD domain
demo
Joining a Linux machine to the AD Domain
# /opt/vas/bin/vastool -p myadmin join teched.com techeddc.teched.com
Now that’s easy!
Vintela – Create “Unix enabled” user
demo
Creating a “Unix enabled” user
Checkbox extension to MMC User & Computers snap-in
Applies Vintela schema to AD for Unix-style authorization & profile information
Vintela – Domain login
demo
Domain login
Windows UPN-style login
Deactivate account in AD, no login!
Everything about the user lives in AD
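The nss_ldap step on the “Success!” slide, the RFC 2307 attributes that the “Unix enabled” checkbox populates, and the “deactivate account in AD, no login!” demo all come down to one mapping: a directory entry carrying posixAccount attributes becomes a passwd(5) record on the *NX host, and an entry that is disabled in AD must not. The Python below is an added example, not code from the slides, from Vintela or from SFU: it parses a constructed LDIF export of three made-up users and resolves each entry the way an NSS lookup would, refusing accounts that are disabled (the ACCOUNTDISABLE bit, 0x2, in userAccountControl), lack the POSIX attributes, or carry a uidNumber below 1000. The attribute names are the RFC 2307 ones (uid, uidNumber, gidNumber, homeDirectory, loginShell, gecos); some SFU versions used their own prefixed names, so treat the names as an assumption and map them to what your schema extension actually uses.

```python
import base64

ACCOUNTDISABLE = 0x0002   # userAccountControl bit set when an AD account is disabled
MIN_UID = 1000            # never let a directory attribute resolve to root or a system uid


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    splits entries on blank lines and skips comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry: dict, attr: str):
    vals = entry.get(attr)
    return vals[0] if vals else None


def to_passwd_entry(entry: dict, min_uid: int = MIN_UID):
    """Resolve one AD entry to a passwd(5) line as an NSS lookup would.
    Returns (line, None) on success, or (None, reason) when the account must not resolve."""
    name = first(entry, "uid") or first(entry, "sAMAccountName")
    uid, gid = first(entry, "uidNumber"), first(entry, "gidNumber")
    home, shell = first(entry, "homeDirectory"), first(entry, "loginShell")
    if not all((name, uid, gid, home, shell)):
        return None, "not Unix-enabled (missing RFC 2307 attributes)"
    if int(first(entry, "userAccountControl") or 0) & ACCOUNTDISABLE:
        return None, "account disabled in AD"
    if not uid.isdigit() or not gid.isdigit():
        return None, "non-numeric uidNumber/gidNumber"
    if int(uid) < min_uid:
        return None, "uidNumber %s below minimum %d" % (uid, min_uid)
    gecos = first(entry, "gecos") or first(entry, "displayName") or ""
    if any(":" in f or "\n" in f for f in (name, gecos, home, shell)):
        return None, "field contains ':' or newline"
    return "%s:x:%s:%s:%s:%s:%s" % (name, uid, gid, gecos, home, shell), None


def build_passwd(ldif_text: str):
    """Resolve every entry; returns (accepted passwd lines, [(sAMAccountName, reason), ...])."""
    accepted, rejected = [], []
    for entry in parse_ldif(ldif_text):
        line, reason = to_passwd_entry(entry)
        if line:
            accepted.append(line)
        else:
            rejected.append((first(entry, "sAMAccountName"), reason))
    return accepted, rejected


# Constructed LDIF export of three made-up accounts; not data from any real directory.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Unix Users,DC=teched,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/jdoe
loginShell: /bin/bash
gecos: Jane Doe
userAccountControl: 512

dn: CN=Old Contractor,OU=Unix Users,DC=teched,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: contractor
uid: contractor
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/contractor
loginShell: /bin/sh
gecos:: T2xkIENvbnRyYWN0b3I=
userAccountControl: 514

dn: CN=svc-backup,OU=Service Accounts,DC=teched,DC=com
objectClass: user
objectClass: posixAccount
sAMAccountName: svc-backup
uid: svc-backup
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/sh
userAccountControl: 512
"""
```

The second account is disabled (512 | 2 = 514), so it never becomes a passwd record even though its POSIX attributes are complete; that is the behaviour the domain login demo relies on. The minimum-uid check is the safeguard the slide's “delete /etc/passwd” advice needs: once AD is the only source of account data, whoever can write uidNumber on a user object decides which local uid that user gets, so the host must not accept values in the root or system range from the directory.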
SSPI and GSSAPI
[Diagram: SSPI and GSSAPI, Windows and Linux side by side. Windows: SSPI (Security Service Provider Interface) above LSA and CAPI. Linux: GSSAPI (Generic Security Service Application Programming Interface, “V2”, RFC 2743) above the mechanism layer, Kerberos (MIT de facto, RFC 1510). Mechanisms named at the API level: “Kerberos” (RFC 1964 GSS Kerberos), “NTLM”, and “Negotiate” (RFC 2478 GSS SPNEGO). Client app and server exchange tokens through the API.]
Vintela – Web logon with SPNEGO
demo
SPNEGO web logon
Vintela adds SPNEGO capability to Apache
SSO from Windows & *NX clients
Vintela also requests Windows PAC from Windows KDC
Mozilla SPNEGO (TBD) plug-in will give SSO to IIS web server using Kerberos
Because the PAC is there - result is Windows Integrated security context
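The SSPI/GSSAPI diagram names three mechanisms, “Kerberos”, “NTLM” and “Negotiate” (RFC 2478 SPNEGO), and the Apache demo depends on the browser sending Negotiate. What actually crosses the wire is an HTTP Authorization: Negotiate header carrying a base64 GSS-API InitialContextToken whose SPNEGO mechTypes list says which mechanisms the client offers: Kerberos first when SSO is working, NTLM alone when the client could not obtain a ticket. The Python below is an added example, not code from the slides, from Vintela's Apache module or from any Microsoft library: it constructs two Negotiate headers (the inner Kerberos AP-REQ is a placeholder byte string, and the DER structure follows RFC 2478/4178 with explicit tagging) and decodes them with a small DER walker, reporting the client's preferred mechanism so a web server or reverse proxy can log when clients silently fall back to NTLM instead of completing Kerberos SSO.

```python
import base64

# Mechanism OIDs as they appear in SPNEGO mechTypes (RFC 2478/4178, RFC 1964, RFC 4121).
SPNEGO = "1.3.6.1.5.5.2"
KRB5 = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"    # Microsoft's legacy Kerberos OID, offered first by Windows clients
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5: "Kerberos", MS_KRB5: "MS-Kerberos", NTLMSSP: "NTLM"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def oid_encode(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return tlv(0x06, bytes(out))


def oid_decode(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after the element); rejects truncated input."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln


def read_all(buf: bytes) -> list:
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        items.append((tag, body))
    return items


def build_neg_token_init(mechs: list, mech_token: bytes = b"") -> bytes:
    """Client-side SPNEGO NegTokenInit inside a GSS-API InitialContextToken:
    [APPLICATION 0] { OID spnego, [0] SEQUENCE { [0] mechTypes, [2] mechToken } }."""
    fields = tlv(0xA0, tlv(0x30, b"".join(oid_encode(m) for m in mechs)))
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, oid_encode(SPNEGO) + tlv(0xA0, tlv(0x30, fields)))


def classify_negotiate_token(token: bytes) -> dict:
    """Say what a Negotiate token carries: raw NTLM, raw Kerberos, or SPNEGO."""
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "raw-ntlm", "mechs": [NTLMSSP], "has_mech_token": True}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("InitialContextToken without mechanism OID")
    this_mech = oid_decode(oid_body)
    if this_mech in (KRB5, MS_KRB5):          # Kerberos sent without the SPNEGO wrapper
        return {"kind": "raw-kerberos", "mechs": [this_mech], "has_mech_token": True}
    if this_mech != SPNEGO:
        raise ValueError("unexpected mechanism %s" % this_mech)
    choice_tag, choice_body, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:                    # [1] negTokenResp carries no mech list
        return {"kind": "spnego-resp", "mechs": [], "has_mech_token": False}
    _, seq_body, _ = read_tlv(choice_body)
    mechs, has_token = [], False
    for field_tag, field_body in read_all(seq_body):
        if field_tag == 0xA0:                 # [0] mechTypes: SEQUENCE OF OID
            _, list_body, _ = read_tlv(field_body)
            mechs = [oid_decode(b) for t, b in read_all(list_body) if t == 0x06]
        elif field_tag == 0xA2:               # [2] mechToken: the optimistic first token
            has_token = True
    return {"kind": "spnego-init", "mechs": mechs, "has_mech_token": has_token}


def audit_authorization_header(header: str) -> dict:
    """Decode an HTTP Authorization header and report the client's preferred mechanism."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": [], "preferred": None, "ntlm_fallback": False}
    info = classify_negotiate_token(base64.b64decode(b64))
    preferred = info["mechs"][0] if info["mechs"] else None
    info["preferred"] = MECH_NAMES.get(preferred, preferred)
    info["ntlm_fallback"] = preferred == NTLMSSP
    return info


# Constructed sample headers; the mechToken payloads are placeholders, not real tokens.
SSO_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([MS_KRB5, KRB5, NTLMSSP], b"<constructed AP-REQ>")).decode()
FALLBACK_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP], b"<constructed NTLM type 1>")).decode()
```

Fed the two constructed headers, audit_authorization_header reports MS-Kerberos as preferred for the first and flags the second as an NTLM fallback. A server-side SPNEGO acceptor still has to call GSSAPI or SSPI to validate the inner token; the point of this walker is the audit trail: a client that should be getting SSO but shows up offering only NTLM usually has a DNS, SPN or time-skew problem, and that is far easier to find when the mechanism is logged per request.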
Demo you will not see
Mozilla -> IIS: Need Mozilla SPNEGO plug-in
Available later this year from multiple vendors
Vintela *does* provide Windows PAC
Conclusion
Interoperability
Kerberos 5 for authentication
LDAP for authorization
Benefits
Single point of administration
Fewer accounts to manage
User account policy enforcement
Protect user passwords
Protect application data
Single point of authorization
Improve end-user experience (fewer ID/PW’s)
Identity Management Virtual Track
For the IT Pro
SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
DEP311: Identity Management with Microsoft Metadirectory Services
WIN310: AD Branch Office with Windows Server 2003
ADM313: Managing Active Directory with MOM
ADM314: Delegating Administrative Tasks in Active Directory
For the Developer
SEC320/402: Developing Identity-aware apps on Microsoft's Identity Platform (Part 1 & 2)
OFC333: EAI Using SharePoint Portal Server
WEB311: Windows Platform Security Services for Web Services
Ask The Experts
Get Your Questions Answered
I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:
2 July – 13:00-15:00
4 July – 10:00-12:00
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
VAS enables end users to utilize a single login account and password for access to critical systems and applications found in mixed Windows, UNIX® and Linux® environments. The time IT managers spend creating, modifying and removing user accounts is now reduced to a single action. Companies running Microsoft® Active Directory® can benefit from enhanced security and reduced management by extending these benefits to their business-critical UNIX and Linux applications.
VAS addresses the problem of identity management in a fundamentally different way than anyone else in the market today. VAS integrates user accounts in Active Directory to authenticate to UNIX and Linux systems and applications in the same way a Windows® XP system would communicate. The integration allows UNIX and Linux security to validate users' credentials found in Active Directory. VAS is not synchronization. The authentication is transported over LDAP and made secure through Kerberos, exactly the same way Active Directory and XP communicate. The installation is simple and the benefits are immediately recognized.
A Division of Center7, Inc.
Dave Wilson
President Vintela Division
801.655.2612
www.vintela.com
Control through Integration
Evaluations
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.