Active Directory at the University of Michigan Data Population and Kerberos Interoperability MaryBeth Stuenkel LAN/NOS/Groupware Services.


Existing Infrastructure
Uniqname – every faculty, staff, student assigned a unique 3-8 character identifier
OpenLDAP enterprise directory
MIT Kerberos user identity
– based on uniqname
– used for directory maintenance, , IFS filespace
DNS
Structure based upon University Organizational Chart (governed by policy)

W2K Implementation Goals
Provide an infrastructure that allows for distributed administration within a single forest infrastructure
Enable transparent user access to resources throughout campus
Automatically populate AD with data from enterprise directory
Provide single sign-on via Kerberos
Integrate with existing BIND DNS infrastructure

Structure of U-M Active Directory Forest
Forest Root: adsroot.itcs.umich.edu
Campus Tree: ads.itcs.umich.edu
Engin Tree: ad.engin.umich.edu
Other Tree: xx.yy.umich.edu
OUs: OU=UMich, OU=People, OU=Organizations
Departmental OUs

Populating Active Directory
OpenLDAP directory entries update AD
– Initial feed/bulk load
– Automatic updates of changes and new entries
– Out-of-band updates
Schema mapping
Mapping of W2K user principal to MIT realm
Updates are one-way only; changes made in AD are never passed back to OpenLDAP

Populating Active Directory
Still left to do:
– Making use of umichadUMDirToADSyncFlag to log/track user add/change/delete operations from OpenLDAP
– Implementing out-of-band updates to OpenLDAP
  – Changes in formats of data feeds
  – Changes to schema of OpenLDAP
– Testing and move to production

Kerberos Interoperability
Process
– User presents Kerberos username and password and receives MIT initial ticket granting ticket (TGT)
– User receives MIT service TGT from MIT KDC
– User receives ADS service TGT from MIT KDC
– User uses ADS TGT to request LDAP service ticket from AD KDC
Details
– Kerberos v5, release
– Kerberos passwords NOT synced with AD passwords; AD password not known by user
– One-way trust only: AD trusts MIT
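As an added illustration (not code from the talk), a toy Python model of the exchange above and of what the one-way trust means in practice: the AD KDC holds the inter-realm key it shares with the MIT KDC, the MIT KDC holds nothing for AD's realm, and AD holds no password-derived key for the user. The realm names UMICH.EDU and ADS.ITCS.UMICH.EDU, the user jdoe and the DC name are assumptions; steps 1 and 2 are collapsed into a single AS exchange.

```python
import hashlib
import hmac
import os

# Added example, not from the talk: a toy model of the cross-realm exchange.
# Tickets are MAC-sealed dicts rather than encrypted ASN.1; enough to show which KDC can honour which ticket.
MIT_REALM = "UMICH.EDU"          # assumed name of the MIT realm
AD_REALM = "ADS.ITCS.UMICH.EDU"  # assumed: the realm of the ads.itcs.umich.edu tree
XREALM_TGS = f"krbtgt/{AD_REALM}@{MIT_REALM}"         # inter-realm principal
LDAP_SVC = f"ldap/dc1.{AD_REALM.lower()}@{AD_REALM}"  # constructed DC name
def seal(key: bytes, body: dict) -> dict:
    canon = "|".join(f"{k}={v}" for k, v in sorted(body.items()))
    return {**body, "mac": hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()}

def verify(key: bytes, ticket: dict) -> bool:
    body = {k: v for k, v in ticket.items() if k != "mac"}
    return hmac.compare_digest(seal(key, body)["mac"], ticket["mac"])

class Kdc:
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys  # keys: principal@REALM -> long-term key

    def as_exchange(self, user: str, password: str) -> dict:
        # Initial TGT, issued only if this realm holds the user's password-derived key.
        if self.keys.get(f"{user}@{self.realm}") != hashlib.sha256(password.encode()).digest():
            raise PermissionError(f"{self.realm} has no matching key for {user}")
        tgs = f"krbtgt/{self.realm}@{self.realm}"
        return seal(self.keys[tgs], {"client": f"{user}@{self.realm}", "service": tgs})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # A TGT is honoured only if we hold the key it was sealed with: our own
        # krbtgt key or an inter-realm key for a realm we trust.
        tgt_key = self.keys.get(tgt["service"])
        if tgt_key is None or not verify(tgt_key, tgt):
            raise PermissionError(f"{self.realm} cannot verify a TGT for {tgt['service']}")
        return seal(self.keys[service], {"client": tgt["client"], "service": service})

def build_realms(password: str) -> tuple:
    mit_krbtgt, ad_krbtgt, xkey, ldap_key = (os.urandom(32) for _ in range(4))
    mit = Kdc(MIT_REALM, {f"jdoe@{MIT_REALM}": hashlib.sha256(password.encode()).digest(),
                          f"krbtgt/{MIT_REALM}@{MIT_REALM}": mit_krbtgt, XREALM_TGS: xkey})
    # One-way trust: AD shares the inter-realm key; MIT holds nothing for AD's realm, and AD has no key for jdoe.
    ad = Kdc(AD_REALM, {f"krbtgt/{AD_REALM}@{AD_REALM}": ad_krbtgt, XREALM_TGS: xkey, LDAP_SVC: ldap_key})
    return mit, ad

def ldap_ticket_for_mit_user(mit: Kdc, ad: Kdc, user: str, password: str) -> dict:
    tgt = mit.as_exchange(user, password)      # steps 1-2: MIT TGT
    xtgt = mit.tgs_exchange(tgt, XREALM_TGS)   # step 3: ADS cross-realm TGT from MIT KDC
    return ad.tgs_exchange(xtgt, LDAP_SVC)     # step 4: LDAP service ticket from AD KDC
```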

Kerberos Interoperability
Existing challenges
– Applying group policy to users in People OU via loopback processing on computers is not working for MIT KDC-authenticated users
– Preventing namespace collisions with current and future uniqnames through user objects created by departmental OU admins
– What about clients that do not support Kerberos?
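As an added example (not the U-M feed's own code), the one-way OpenLDAP-to-AD mapping described on the two population slides, including the add/change/delete logging and the check against names already created by departmental OU admins that the challenge above calls for. The OU DN, realm name, uniqname character set, attribute choices and the flag value are assumptions.

```python
import re
# Added example, not the U-M feed's code: one-way OpenLDAP -> AD mapping with the
# logging and uniqname-collision checks the slides describe; "assumed" marks my choices.
AD_DOMAIN = "ads.itcs.umich.edu"                                 # campus tree from the slides
PEOPLE_OU = "OU=People,OU=UMich,DC=ads,DC=itcs,DC=umich,DC=edu"  # assumed DN of OU=People
MIT_REALM = "UMICH.EDU"                                          # assumed MIT realm name
UNIQNAME = re.compile(r"^[a-z0-9]{3,8}$")  # 3-8 characters per the slide; charset assumed
ATTRS = {"uid": "sAMAccountName", "givenName": "givenName", "sn": "sn", "mail": "mail"}
FLAG = "umichadUMDirToADSyncFlag"  # attribute named on the slide; the value "TRUE" is assumed

def map_entry(entry: dict) -> dict:
    """Schema mapping for one OpenLDAP person entry."""
    uniq = entry["uid"]
    if not UNIQNAME.match(uniq):
        raise ValueError(f"not a uniqname: {uniq!r}")
    ad = {ATTRS[k]: v for k, v in entry.items() if k in ATTRS}
    ad["distinguishedName"] = f"CN={uniq},{PEOPLE_OU}"
    ad["userPrincipalName"] = f"{uniq}@{AD_DOMAIN}"
    # Tie the W2K account to its MIT principal (altSecurityIdentities is an assumed choice).
    ad["altSecurityIdentities"] = f"Kerberos:{uniq}@{MIT_REALM}"
    return ad

def sync(ldap_entries: list, ad_objects: dict, log: list) -> dict:
    """One-way feed: apply OpenLDAP entries to ad_objects (keyed by DN); never write back."""
    sam_index = {o["sAMAccountName"].lower(): dn for dn, o in ad_objects.items()}
    feed_dns = set()
    for entry in ldap_entries:
        new = map_entry(entry)
        dn, sam = new["distinguishedName"], new["sAMAccountName"].lower()
        owner_dn = sam_index.get(sam)
        if owner_dn and owner_dn != dn:
            # A departmental OU admin already created this name: never overwrite it.
            log.append(("collision", sam, owner_dn))
            continue
        feed_dns.add(dn)
        if dn not in ad_objects:
            log.append(("add", sam, dn))
        elif ad_objects[dn] != {**ad_objects[dn], **new}:
            log.append(("change", sam, dn))
        ad_objects[dn] = {**ad_objects.get(dn, {}), **new, FLAG: "TRUE"}
    # Entries gone from OpenLDAP are deleted only if the feed created them (FLAG set).
    for dn in [d for d, o in ad_objects.items() if d.endswith(PEOPLE_OU) and d not in feed_dns and o.get(FLAG)]:
        log.append(("delete", ad_objects.pop(dn)["sAMAccountName"], dn))
    return ad_objects

def reserved_name_violations(ad_objects: dict) -> list:
    # Objects outside OU=People whose name could collide with a current or future uniqname.
    return [dn for dn, o in ad_objects.items()
            if not dn.endswith(PEOPLE_OU) and UNIQNAME.match(o["sAMAccountName"].lower())]
```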

Summary
Existing infrastructure
– Both a challenge and an enabler
– Has provided a rich environment for collaboration
Automatic data population
– Coding for initial feed and automatic updates complete
– Logging changes to AD, coding for out-of-band updates, and more testing still to do
Kerberos interoperability
– Authentication via MIT KDC working
– Biggest current issue: loopback processing on group policies applied to computer objects

Credits
Andrew Wilson, Dave Detlefs, Paul Turgyen, other UMCE staff
Roles: Technical Lead, Windows Developer, Web site Developer, LDAP Developer, Kerberos Integration, DNS Integration, Directory Integration