Windows 2000 Kerberos Interoperability. Paul Hill, Co-Leader, Kerberos Development Team, MIT; John Brezak, Program Manager, Windows 2000 Security, Microsoft Corporation.

Windows 2000 Kerberos Interoperability
- History
- Windows 2000 implementation
- Interoperability scenarios

Some History
- Kerberos developed at MIT as part of Project Athena
- Funded by Digital and IBM
- Freely available source that allows derivative commercial work
- Change control given to IETF
- Based on research by Schroeder and Needham
- Needham now a Microsoft Research employee

MIT's Goals
- Provide a solution that nobody else was addressing at the time
- Convince others that security is important
- Get vendors to adopt Kerberos so that we could purchase secure systems
- Have we succeeded beyond our expectations?

Commercial Support
- Many vendors have come and gone
  - GZA / Open Vision / Veritas
  - Cygnus
- Sun
- IBM
- SGI
- OSF DCE
- CyberSafe
- Microsoft

Integration
- Operating systems have shipped with Kerberos but not used it as the default authentication mechanism
- OS vendors shipping Kerberos have not provided applications or services that are integrated with it
- Microsoft is changing this
  - Default authentication
  - Application support
  - Using it to secure other infrastructure

What Is Kerberos
- Kerberos IV currently deployed in many universities (many Kerberized applications for Unix)
- Kerberos IV used in the Andrew File System (AFS)
- Kerberos IV had design flaws leading to Kerberos version 5
- Kerberos v5 is a standard (RFC 1510)
- Kerberos IV and Kerberos 5 do not interoperate!
- Bones and eBones (Kerberos IV)
- Win2000 implements Kerberos v5

Windows 2000 Kerberos
- Every Domain Controller is a KDC
- Active Directory is the administrative interface via LDAP
- Programmer's interface is SSPI (similar to GSSAPI); no krb5 APIs
- DNS domain and Kerberos realm names are identical (except case sensitivity)
- Also provides authorization service for the Windows NT security model

Windows 2000 Kerberos Implementation
- Locates KDC via DNS
- DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
- RC4-HMAC preferred enctype (56/128-bit keys)
- Does not support MD4 checksum type
- No support for DCE-style cross-realm trust
- Postdated tickets (not implemented)
- Structured service naming conventions
- PKINIT

Windows 2000 Kerberos Standards
- RFC 1510 (+ parts of Kerberos-revisions I-D)
- Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
- Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
- RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
- PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt

Kerberos Authorization Data
- Kerberos protocol supports authorization data in tickets
  - Examples: DCE and Sesame architectures
- Revision to RFC 1510
  - Clarifications on client-supplied and KDC-supplied data
  - Submitted by Ted Ts'o, Clifford Neuman
- Interoperability issues are minimal
  - Windows 2000 auth data ignored by UNIX implementations

Authorization Data
- What is the client allowed to do?
  - Based on Windows 2000 group membership
  - Identified by Security IDs (SIDs) in the NT security architecture
- Windows 2000 KDC supplies auth data in tickets
  - At interactive logon (AS exchange): user SID, global and universal group SIDs
  - At session ticket request (TGS exchange): domain local group SIDs
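The two slides above say the Windows 2000 KDC puts NT authorization data into tickets and that UNIX implementations ignore it. The reason that works is the encoding: the Windows element (ad-type 128, AD-WIN2K-PAC in RFC 4120) is carried inside an AD-IF-RELEVANT wrapper (ad-type 1), whose contents an application server may skip when it does not understand them. The following is an added example, not code from the slides or from either MIT or Microsoft: a small DER encoder/decoder for the Kerberos AuthorizationData structure plus a consumer that applies the "ignore if not understood" rule. The PAC payload is a constructed placeholder, not a real MS-PAC structure.

```python
# Added example (not from the slides): how Kerberos authorization data is framed
# (AuthorizationData, DER) and why a UNIX application server can ignore the
# Windows 2000 element. The DER framing and ad-type numbers are real; the PAC
# payload used below is a placeholder.

AD_IF_RELEVANT = 1    # ad-type whose contents may be ignored if not understood
AD_WIN2K_PAC = 128    # ad-type registered in RFC 4120 for the Windows 2000 PAC


def _der_len(n):
    """DER length: short form below 128, long form (0x80|count, big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """INTEGER in minimal two's-complement form (128 needs a leading 0x00 byte)."""
    length = (value.bit_length() + 8) // 8
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_authorization_data(elements):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] INTEGER, ad-data [1] OCTET STRING }"""
    items = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
        for ad_type, ad_data in elements
    )
    return _tlv(0x30, items)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_authorization_data(der):
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    elements, pos = [], 0
    while pos < len(seq):
        tag, item, pos = _read_tlv(seq, pos)
        tag0, ctx0, p = _read_tlv(item, 0)
        tag1, ctx1, _ = _read_tlv(item, p)
        if (tag, tag0, tag1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        _, ad_type_bytes, _ = _read_tlv(ctx0, 0)
        _, ad_data, _ = _read_tlv(ctx1, 0)
        elements.append((int.from_bytes(ad_type_bytes, "big", signed=True), ad_data))
    return elements


def build_win2k_ticket_authdata(pac_blob):
    """Shape of what a Windows 2000 KDC places in a ticket: the PAC wrapped in AD-IF-RELEVANT."""
    inner = encode_authorization_data([(AD_WIN2K_PAC, pac_blob)])
    return encode_authorization_data([(AD_IF_RELEVANT, inner)])


def enforced_elements(der, understood):
    """Process authorization data the way an application server must: elements inside
    AD-IF-RELEVANT are skipped when not understood, while an unknown type outside that
    wrapper makes the ticket unusable, so it is rejected rather than silently dropped."""
    kept = []
    for ad_type, ad_data in decode_authorization_data(der):
        if ad_type == AD_IF_RELEVANT:
            kept.extend((t, d) for t, d in decode_authorization_data(ad_data) if t in understood)
        elif ad_type in understood:
            kept.append((ad_type, ad_data))
        else:
            raise ValueError("unrecognised mandatory authorization data type %d" % ad_type)
    return kept


if __name__ == "__main__":
    # Constructed placeholder; a real PAC is the MS-PAC structure carrying the SIDs.
    ticket_authdata = build_win2k_ticket_authdata(b"<constructed PAC placeholder>")
    print("UNIX server (understands nothing):", enforced_elements(ticket_authdata, set()))
    print("Windows server (understands PAC): ", enforced_elements(ticket_authdata, {AD_WIN2K_PAC}))
```

The design point is the wrapper: an element placed directly at the top level would have to be rejected by a server that does not recognise it, which is why the Windows data goes inside AD-IF-RELEVANT and the slide can say interoperability issues are minimal. A server that does consume the PAC must still verify its KDC-supplied checksum before trusting the SIDs; this example only shows the framing.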

Negotiate Package
- Special SSP to select an authentication package
- Windows 2000 logo requirement
- Implementation of SPNEGO (RFC 2478)
- Tries up-level SSPs (Kerberos)
- Falls back to down-level SSPs (NTLM)
- Selection of up-level SSP based on SPN

Kerberos Interoperability Scenarios
- Windows 2000 domain without a Microsoft KDC
- Kerberos clients in a Win2000 domain
- Kerberos servers in a Win2000 domain
- Standalone Win2000 systems in a Kerberos realm
- Using a Kerberos realm as a resource domain
- Using a Kerberos realm as an account domain

Windows 2000 Domain Without A Microsoft KDC
- Not a supported scenario
- Windows 2000 domain security model depends on authorization
- Microsoft KDC is tightly integrated with Active Directory
- Support for down-level services (NTLM)

Standalone Windows 2000 Computers
- A dorm student has a Win2000 computer that they want to use with the University's Kerberos realm
- Configure system as standalone (no domain)
- Use Ksetup to configure the realm
- Use Ksetup to establish the local account mapping
- Logon to Kerberos realm
- (Diagram labels: Windows 2000, Linux, MIT.REALM.COM)

Using Kerberos Servers
- Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
- /etc/krb5.conf on database server
- Create service account in domain
- Use ktpass to export a keytab
- Copy keytab to database server
- IIS server is trusted for delegation
- (Diagram labels: nt.company.com, Windows 2000 IIS Server, Unix Database Server, Windows 2000 Wks)
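The procedure on this slide ends with a keytab exported by ktpass and copied to the Unix database server. Before relying on it, a practitioner will want to read that file back and confirm it holds the right principal, that the realm matches the domain name as the earlier slide requires (identical except for case), and that the keys use enctypes a Windows 2000 KDC issues. The following is an added example, not the slides' own code and not part of ktpass or MIT Kerberos: a reader and writer for the MIT keytab file format (version 0x0502, which is what ktpass writes) and a check over a constructed sample. The principal host/db.nt.company.com@NT.COMPANY.COM, the key bytes and the timestamp are constructed placeholders.

```python
# Added example (not from the slides): read and sanity-check the keytab that ktpass exports
# for the Unix database server. The MIT keytab format (version 0x0502) is real; the
# principal, realm, keys and timestamp below are constructed placeholders.
import struct

KRB5_NT_PRINCIPAL = 1                       # name type written for ktpass /ptype KRB5_NT_PRINCIPAL
WIN2K_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # enctypes named on the slides
DES_ENCTYPES = {1, 3}                       # 56-bit keys, offered for interoperability only


def _counted(data):
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """One keytab_entry: size, num_components, realm, components, name type, timestamp,
    vno8, keyblock, and the 32-bit vno that follows when 4 or more bytes remain."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)


def _take_counted(buf, pos):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def read_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                         # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, p = _take_counted(entry, 2)
        components = []
        for _ in range(ncomp):
            comp, p = _take_counted(entry, p)
            components.append(comp)
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        (enctype,) = struct.unpack(">H", entry[p:p + 2])
        key, p = _take_counted(entry, p + 2)
        kvno = struct.unpack(">I", entry[p:p + 4])[0] if size - p >= 4 else vno8
        entries.append({
            "principal": b"/".join(components).decode() + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "key": key, "timestamp": timestamp,
        })
    return entries


def check_service_keytab(data, expected_principal, dns_domain):
    """Findings before trusting the copied keytab: the ktpass principal is present, its realm
    is the upper-cased DNS domain (the Windows 2000 rule), and every key uses an enctype a
    Windows 2000 KDC issues. DES keys are reported as 56-bit warnings, not errors."""
    findings = []
    matching = [e for e in read_keytab(data) if e["principal"] == expected_principal]
    if not matching:
        findings.append(("error", "principal %s not in keytab" % expected_principal))
    realm = expected_principal.rsplit("@", 1)[1]
    if realm != dns_domain.upper():
        findings.append(("error", "realm %s does not match DNS domain %s" % (realm, dns_domain)))
    for e in matching:
        if e["enctype"] not in WIN2K_ENCTYPES:
            findings.append(("error", "enctype %d is not one Windows 2000 issues" % e["enctype"]))
        elif e["enctype"] in DES_ENCTYPES:
            findings.append(("warning", "%s key is 56-bit DES (interoperability only)"
                             % WIN2K_ENCTYPES[e["enctype"]]))
    return findings


# Constructed sample: a keytab such as the slide's Unix database server might receive.
SAMPLE_PRINCIPAL = "host/db.nt.company.com@NT.COMPANY.COM"   # hypothetical host and realm
SAMPLE_KEYTAB = write_keytab([
    (SAMPLE_PRINCIPAL, 2, 3, bytes(range(8)), 946684800),      # des-cbc-md5, placeholder key
    (SAMPLE_PRINCIPAL, 2, 23, bytes(range(16)), 946684800),    # rc4-hmac, placeholder key
])

if __name__ == "__main__":
    for e in read_keytab(SAMPLE_KEYTAB):        # klist -k style listing
        print("%4d %-40s %s" % (e["kvno"], e["principal"], WIN2K_ENCTYPES.get(e["enctype"], e["enctype"])))
    for level, msg in check_service_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, "nt.company.com"):
        print(level.upper() + ":", msg)
```

Run against the real file with `read_keytab(open("/etc/krb5.keytab", "rb").read())` on the database server; the kvno it reports must match the one the domain holds for the service account, since a stale kvno after a password reset is the usual cause of a keytab that lists the right principal yet fails. The keytab holds the service's long-term key, so it belongs on the server alone, readable only by the service's account.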

Using Unix KDCs With Windows 2000 Authorization
- (Diagram labels: Win2000 Professional, Windows 2000 Server, COMPANY.REALM with MIT KDC, nt.company.com with Windows 2000 KDC)
- 1: TGT
- 2: TGT (name mapping to NT account)
- 3: TICKET
- 4: TICKET with NT auth data

Kerberos Realm As A Resource Domain
- Realm contains service principals for Unix-based services
- Service does name-based authorization
- (Diagram labels: Unix server, Win2000 user, MIT.REALM.COM, win2k.domain.com; realm trusts domain users)

Kerberos Realm As An Account Domain
- User logon with Kerberos principal
- User has shadow account in an account domain (for applying authz)
- Mapping is used at logon for domain identity
- (Diagram labels: MIT.REALM.COM, win2k.domain.com; domain trusts realm users)

Using A Kerberos Realm As An Account Domain
- Requires shadow accounts in domain
- Requires synchronized passwords so that NTLM can work
- Have a sample that shows account sync with MIT Kerberos realm
- CyberSafe is adding this capability with password sync to TrustBroker

Microsoft And The IETF CAT WG
- Significant contributions in the standards
- Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
- The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
- User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
- Extension to Kerberos V5 For Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
- Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
- The Simple and Protected GSS-API Negotiation Mechanism (RFC 2478)

Kerberos Interoperability
- Windows 2000 Kerberos is interoperable with other popular versions
- Interoperability is regularly tested
- Customer-driven interoperability scenarios
- Push and enrich the Kerberos standards

For Additional Information
- Web sites:
  - Windows 2000 Kerberos Authentication: kerberos.asp
  - Windows 2000 Kerberos Interoperability Whitepaper: security/kerbint.asp
  - MIT Kerberos 5 Interoperability walk-through: security/kerbsteps.asp
  - Compaq White Paper "Windows 2000 Authentication: under the hood" (Windows 2000 section)
  - CyberSafe ActiveTrust
  - Interop with Win2000 Active Directory and Kerberos Services: msdn.microsoft.com/library/techart/kerberossamp.htm