Page 1: W2K and Kerberos at FNAL Jack Schmidt Mark Kaletka

W2K and Kerberos at FNAL

Jack Schmidt

Mark Kaletka

Page 2: Background

– Provide a single password for all users.
– Only use Kerberos for user authentication and resource access in the W2K domain.
– Use the existing Unix MIT KDC for user authentication.
– Desktops and servers must be able to contact remote MIT KDCs and W2K DCs (CDF systems need to communicate with the CDF KDC).

Page 3: Using MIT KDC

– MIT KDC in use for 2 years.
– The MIT KDC provides user authentication; the W2K KDC provides service tickets.
– Microsoft documentation: Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability, http://www.microsoft.com/WINDOWS2000/library/planning/security/kerbsteps.asp

Page 4: Using MIT KDC

Establish a trust:
– Use the W2K ksetup command to add the MIT KDC realm to the W2K DC (reboot the DC).
– Establish a trust via the W2K MMC.
– Complete the trust with the MIT KDC.
– Create a transitive trust on the W2K KDC using the netdom command-line tool.

Create user accounts on the W2K DC:
– Map the user principal to the W2K user account.

Add realm entry to workstations:
– Modify W2K workstations to access the MIT KDC for log in (reboot the workstation).

Page 5: Using the MIT KDC

Issues:
– The ksetup tool is not found in the W2K resource kit as documented, but in the W2K server support/tools folder.
– The realm name is case sensitive and should be uppercase.
– A transitive trust must be established or users in child domains will not be authenticated via Kerberos.
– Workstations must have the Kerberos realm added or users will not be able to log in.
– W2K workstations must be at SP1 for this to work!
– A security template can be used to modify workstations in the W2K domain.
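The page 4 procedure with the page 5 caveats applied, written out as an added example; this is not code from the slides and not FNAL's actual configuration. Every realm, host, account and password value is a placeholder. The ksetup and netdom invocations are the same ones typed at a cmd prompt on W2K (the slides create the trust in the MMC; `netdom trust /Add /Realm` does the same from the command line), and the pre-flight checks around them are PowerShell. The registry key read at the end is the one ksetup writes its realm and KDC data to.

```powershell
# Added example, not from the FNAL slides. Run in an elevated shell on the W2K DC.
# The slides note that the ksetup change on the DC and on each workstation needs a reboot.

$Realm         = 'EXAMPLE.REALM.ORG'            # placeholder MIT realm; must be UPPERCASE (page 5)
$MitKdc        = 'kdc.example.realm.org'        # placeholder main MIT KDC
$RemoteKdc     = 'kdc-remote.example.realm.org' # placeholder remote MIT KDC (page 6)
$W2kDomain     = 'w2k.example.org'              # placeholder W2K domain DNS name
$TrustPassword = 'placeholder-trust-password'   # placeholder; must match the MIT side

# Page 5 caveat: the realm name is case sensitive. -cne is a case-sensitive compare.
if ($Realm -cne $Realm.ToUpperInvariant()) {
    throw "Realm '$Realm' must be uppercase"
}

# Page 5 caveat: W2K must be at SP1. OperatingSystem.ServicePack is empty when none is installed.
if (-not [System.Environment]::OSVersion.ServicePack) {
    Write-Warning 'No service pack detected; the slides require SP1 for the MIT trust to work.'
}

# Step 1 (page 4): add the MIT realm and its KDCs to the DC. Listing the remote KDC too
# is what page 6 means by modifying clients to contact the correct remote KDC.
ksetup /addkdc $Realm $MitKdc
ksetup /addkdc $Realm $RemoteKdc

# Steps 2-4 (page 4): create the realm trust and make it transitive (page 5: without a
# transitive trust, users in child domains are not authenticated via Kerberos).
# On the MIT side the matching krbtgt/<W2K-domain>@<REALM> principal must be created
# with the same password; that is the "complete trust with MIT KDC" step.
netdom trust $W2kDomain "/Domain:$Realm" /Add /Realm "/PasswordT:$TrustPassword"
netdom trust $W2kDomain "/Domain:$Realm" /Transitive:Yes

# Step 5 (page 4): map an MIT principal to a W2K account (placeholder user "jdoe").
ksetup /mapuser "jdoe@$Realm" jdoe

# Step 6 (page 4): each W2K workstation needs the same realm entry, then a reboot:
#   ksetup /addkdc EXAMPLE.REALM.ORG kdc.example.realm.org
# Page 5 notes a security template can push this to every workstation in the domain.

# Verification: /dumpstate prints the configured realms and KDCs, and the same data
# is visible in the registry key ksetup writes to.
ksetup /dumpstate
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm" |
    Select-Object KdcNames, RealmFlags
```

The uppercase check is worth keeping even after the first successful setup: a lowercase realm typed later into ksetup creates a second, separate registry entry rather than updating the working one, which reproduces the "users cannot log in" symptom from page 5.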

Page 6: MIT KDC Issues

– Trust needs to be established between MIT KDCs (main and remote) and top-level W2K DCs.
– Transitive trusts need to be established for all down-level W2K DCs.
– Principals must be mapped to W2K accounts.
– Clients need to be modified (registry) to contact the correct remote KDC for quicker log in.
– Slow notification if an incorrect MIT KDC Kerberos principal is entered (1 minute delay, 3-4 sec for W2K DC).

Page 7: MIT KDC Issues

– Patch/upgrade issue: W2K systems must be at SP1. Future patches/upgrades could break the trust.
– Passwords: presently W2K users cannot set passwords. Fixed with an upgrade of the MIT KDC?
– How to synchronize principals and accounts? (Long-term solution: CNAS, but no short-term solution.)

Page 8: W2K Issues

NTLM authentication:
– Systems not part of the W2K domain use NTLM authentication.
– Many applications use NTLM authentication.

IIS/Exchange Kerberos authentication requires use of Microsoft Kerberos (not documented).

Page 9: Tools

Kerbtray (resource kit)
– Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.

Klist (resource kit)
– Command-line tool used to view and delete Kerberos tickets granted to the current logon session. (Must be part of a W2K domain to use the tool.)

Netdom (support tools)
– Command-line tool used to establish trusts and reset Kerberos passwords.

Event logs
– 672: Krbtgt
– 680: NTLM
– 540: Successful network logon via Kerberos (computers)
– 673: Service tickets granted
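A way to put the four event IDs on this page to work, as an added example that is not from the slides: summarise Security-log logon events per account and flag the accounts that still authenticate with NTLM. Page 8 says non-domain systems and many applications fall back to NTLM, and page 10 keeps NTLMv2 enabled for that reason; this summary shows how far a domain is from the fully kerberized state the slides say is not yet workable. The records below are constructed stand-ins for log entries; on a live W2K DC the same objects would come from `Get-EventLog -LogName Security` filtered on `InstanceId`. The function and field names are this example's own.

```powershell
# Added example, not from the FNAL slides. Classifies W2K Security-log events by the
# IDs listed on page 9. On Vista and later the same events are 4768, 4769, 4776 and 4624.

$EventNames = @{
    672 = 'Kerberos TGT granted (krbtgt)'
    673 = 'Kerberos service ticket granted'
    680 = 'NTLM logon'
    540 = 'Successful network logon'
}

function Get-LogonSummary {
    # $Events: objects with InstanceId, Account and Source properties (Get-EventLog
    # records carry InstanceId; Account and Source are assumed to be parsed from the message).
    param([Parameter(Mandatory)] [object[]] $Events)

    $perAccount = @{}
    foreach ($e in $Events) {
        $id = [int]$e.InstanceId
        if (-not $EventNames.ContainsKey($id)) { continue }   # ignore IDs the page does not cover
        if (-not $perAccount.ContainsKey($e.Account)) {
            $perAccount[$e.Account] = [ordered]@{ Kerberos = 0; NTLM = 0; NetworkLogon = 0; Sources = @{} }
        }
        $row = $perAccount[$e.Account]
        switch ($id) {
            672 { $row.Kerberos++ }
            673 { $row.Kerberos++ }
            680 { $row.NTLM++; $row.Sources[$e.Source] = $true }   # remember where NTLM came from
            540 { $row.NetworkLogon++ }
        }
    }
    foreach ($name in ($perAccount.Keys | Sort-Object)) {
        $row = $perAccount[$name]
        [pscustomobject]@{
            Account      = $name
            Kerberos     = $row.Kerberos
            NTLM         = $row.NTLM
            NetworkLogon = $row.NetworkLogon
            NtlmSources  = (($row.Sources.Keys | Sort-Object) -join ',')
            KerberosOnly = ($row.NTLM -eq 0)
        }
    }
}

# Constructed sample records standing in for Security-log entries.
$sample = @(
    [pscustomobject]@{ InstanceId = 672; Account = 'jdoe';   Source = 'WS-01'    }
    [pscustomobject]@{ InstanceId = 673; Account = 'jdoe';   Source = 'WS-01'    }
    [pscustomobject]@{ InstanceId = 540; Account = 'jdoe';   Source = 'FILESRV'  }
    [pscustomobject]@{ InstanceId = 680; Account = 'asmith'; Source = 'LAPTOP-9' }   # page 8: not domain-joined
    [pscustomobject]@{ InstanceId = 680; Account = 'asmith'; Source = 'IISWEB'   }   # page 8: application using NTLM
    [pscustomobject]@{ InstanceId = 672; Account = 'asmith'; Source = 'WS-02'    }
    [pscustomobject]@{ InstanceId = 529; Account = 'other';  Source = 'WS-03'    }   # not one of the four IDs; skipped
)

$summary = Get-LogonSummary -Events $sample
$summary | Format-Table -AutoSize

# Accounts with NTLM > 0 are the ones page 10's "allow NTLMv2" recommendation keeps working;
# the domain can only be fully kerberized once this list is empty.
$summary | Where-Object { -not $_.KerberosOnly } | ForEach-Object {
    '{0}: still uses NTLM from {1}' -f $_.Account, $_.NtlmSources
}
```

For the constructed sample, jdoe comes out Kerberos-only and asmith is reported with NTLM from IISWEB and LAPTOP-9, which matches the two NTLM cases page 8 describes: a system outside the W2K domain and an application that does not use Kerberos.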

Page 10: KDC Recommendation

– The W2K Migration Group recommends using the Microsoft Kerberos implementation in parallel with the MIT KDC at this time.
– The group also recommends allowing NTLMv2 authentication. A completely kerberized W2K domain will prevent users from performing their work at this time!