SEC400: UNIX & Kerberos Interop to Achieve Identity Management
David Mowers, Program Manager, Microsoft Security Solutions
Agenda
- Identity and Access Management (I&AM) issues
- How Kerberos interop solves an identity management problem
- Interop standards and technologies
- Scenario & demos
  - *NX/AD Kerberos sign-on
  - *NX/AD Kerberos SSO
- Authentication vs. authorization
- Secure SSO and authorization
Snapshot of I&AM Issues
BDM
- Complex identity infrastructure costs money
- Complex identity infrastructure is hard to extend to new business processes
- You invested in AD; what next?
IT Pro
- How to centralize management of security principals?
- How to apply AD security policy to *NX accounts?
Developer
- Too many authentication mechanisms to choose from
- How to protect application data?
- Leverage the centralized authorization store
User
- Multiple user accounts
- Entering credentials multiple times
How Kerberos 5 Interop Helps to Solve I&AM Issues
IT Pro
- All users are managed in Active Directory
- AD has strong user policy enforcement
- User passwords are safe in AD
Developer
- Kerberos 5 is available on most enterprise platforms
- Secure authentication
- Protect application data
- AD is the single source of authorization data
User Experience
- Authentication based on one user account in AD
- Transparent authentication to applications (SSO)
Kerberos Components on Windows and Linux (slide diagram)
Windows
- GINA (login) and applications call SSPI
- Kerberos (MIT de facto) implemented in the LSA
- Credential (ticket) cache
- Service principal key table
Linux
- login uses pam_krb5; applications use GSSAPI
- kinit, klist, kdestroy, kpasswd (MIT de facto)
- Kerberos (MIT de facto)
- Default credential (ticket) cache
- Default service principal key table
KDC services
- RFC 1510: AS (Authentication Service), TGS (Ticket Granting Service)
- MIT de facto: CPW (change password service)
Kerberos configuration the hard way
Step 1: Create UNIX user accounts in Active Directory
Step 2: Create UNIX workstation accounts in Active Directory
Step 3: Create keytab files for the UNIX workstations
Step 4: Install the keytab file on the UNIX workstation
Step 5: Configure the pam.conf file
Step 6: Configure the krb5.conf file
Creating the keytab file

    ktpass -princ host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM -mapuser Solaris_Workstation_Name -pass password -out Solaris_Workstation_Name.keytab
It worked…

    Targeting domain controller: GRNCDC01.na.corp.contoso.com
    Successfully mapped host/Solaris_Workstation_Name.na.corp.contoso.com to Solaris_Workstation_Name.
    Key created.
    Output keytab to Solaris_Workstation_Name.keytab:
    Keytab version: 0x502
    keysize 79 host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0e9bd5da314f5bad)
    Account Solaris_Workstation_Name has been set for DES-only encryption.
Using the keytab file
- Securely transfer the keytab file from the DC to the client
- Use ktutil to import the file:
    At the ktutil: prompt, type    rkt Solaris_Workstation_Name.keytab
    At the ktutil: prompt, type    wkt /etc/krb5/krb5.keytab
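The keytab written by ktpass above (version 0x502, ptype 1, vno 3, etype 0x3) is a small binary format that is worth inspecting before it is copied to the workstation. The following is an added example, not code from the slides or from Microsoft's ktpass/ktutil: it builds a constructed one-entry keytab in the same 0x0502 format and parses it back, reporting principal, key version and enctype and flagging single-DES keys (deprecated for Kerberos by RFC 6649). The key bytes reused in the sample are the ones printed on the slide.

```python
import struct
# RFC 3961 enctype numbers; single-DES types 1-3 were deprecated for Kerberos by RFC 6649.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 2, 3}

def _counted(data, pos):  # keytab counted_octet_string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(principal, realm, name_type, vno, etype, key, timestamp=0):
    """Serialize a one-entry keytab in MIT format 0x0502 (used to build constructed sample data)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", name_type, timestamp, vno & 0xFF, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a 0x0502 keytab into dicts with principal, vno, enctype and a weak-key flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        vno = vno8
        if end - (pos + klen) >= 4:   # optional 32-bit vno follows the key when present
            (vno32,) = struct.unpack_from(">I", data, pos + klen)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type, "vno": vno,
                        "etype": etype, "enctype": ENCTYPE_NAMES.get(etype, "unknown"),
                        "key_bits": klen * 8, "weak": etype in WEAK_ENCTYPES})
        pos = end
    return entries
# Constructed sample: the host principal and DES-CBC-MD5 (etype 3) key printed in the ktpass output above.
SAMPLE_KEYTAB = build_keytab("host/Solaris_Workstation_Name.na.corp.contoso.com",
                             "NA.CORP.CONTOSO.COM", 1, 3, 3, bytes.fromhex("0e9bd5da314f5bad"))
```

Run parse_keytab over a real keytab read with open(path, "rb") to confirm that each entry shows the expected principal and kvno and that "weak" is False before the file is installed.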
Configure pam.conf

    # Contoso's Kerberos Setup
    #
    # Authentication
    other auth sufficient pam_krb5.so.1
    other auth sufficient pam_unix.so.1 use_first_pass
    # Password
    other password optional pam_krb5.so.1 try_first_pass
    other password required pam_unix.so.1
    # Account
    other account optional pam_krb5.so.1
    # Session
    other session optional pam_krb5.so.1
Configure krb5.conf

    [libdefaults]
        default_realm = NA.CORP.CONTOSO.COM
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5
    [realms]
        NA.CORP.CONTOSO.COM = {
            kdc = grncdc01.na.corp.contoso.com
            admin_server = grncdc01.na.corp.contoso.com
            kpasswd_protocol = SET_CHANGE
            kpasswd_server = grncdc01.na.corp.contoso.com
        }
    [domain_realm]
        .na.corp.contoso.com = NA.CORP.CONTOSO.COM
        na.corp.contoso.com = NA.CORP.CONTOSO.COM
    ...
Success!
- Now that the *NX workstation is configured, a user can log on with an AD account and get Kerberos tickets
- Use klist to see the TGT
- The TGT is used to authenticate to apps
What's missing?
- AuthZ info and the user profile are still stored locally
- Use nss_ldap to obtain account authorization and profile information from AD
- Needs SFU or a similar schema extension
- Delete /etc/passwd
- What? No PAC?
LDAP for Authorization and Profile Data (slide diagram)
Standards
- LDAP (v3): RFC 2251
- LDAP API: RFC 1831
- LDAP search: RFC 2254
Windows
- Application -> ADSI (Active Directory Services Interface) -> LDAP API
Linux
- Application -> LDAP API (OpenLDAP, iPlanet, ...)
- login -> pam -> nss_ldap
Directory data
- Account, profile, groups, telephone #, office #, ...
- UNIX account profile: UID, GID, home directory, groups, ...
Vintela Authentication Services
- UNIX/Linux security systems integrated into Active Directory users
- No synchronization between systems; all credentials reside within Active Directory
- Authentication and authorization through Kerberos
- UNIX identity management using the RFC 2307 schema
- Single login and password for mixed Windows, UNIX and Linux applications and resources
- All LDAP communication secured through Kerberos; no SSL overhead
- Single point of account management through Active Directory (Microsoft Management Console)
- Immediate ROI to IT departments
Demo: Vintela – Joining a Linux machine to the AD domain
Joining a Linux machine to the AD domain

    # /opt/vas/bin/vastool -p myadmin join teched.com techeddc.teched.com

Now that's easy!
Demo: Vintela – Creating a "Unix enabled" user
Creating a "Unix enabled" user
- Checkbox extension to the MMC Users & Computers snap-in
- Applies the Vintela schema to AD for Unix-style authorization & profile information
Demo: Vintela – Domain login
Domain login
- Windows UPN-style login
- Deactivate the account in AD: no login!
- Everything about the user lives in AD
SSPI and GSSAPI (slide diagram)
A client app and a server app exchange security tokens; each side obtains them through its platform API.
Windows: SSPI (Security Service Provider Interface), backed by the LSA and CAPI
- Package "Kerberos": Kerberos (MIT de facto)
- Package "NTLM"
- Package "Negotiate": SPNEGO (RFC 2478)
Linux: GSSAPI (Generic Security Service Application Programming Interface, "V2", RFC 2743)
- Mechanism GSS Kerberos (RFC 1964)
- Mechanism GSS SPNEGO (RFC 2478)
Wire protocol on both sides: Kerberos, RFC 1510
Demo: Vintela – Web logon with SPNEGO
SPNEGO web logon
- Vintela adds SPNEGO capability to Apache: SSO from Windows & *NX clients
- Vintela also requests the Windows PAC from the Windows KDC
- A Mozilla SPNEGO plug-in (TBD) will give SSO to an IIS web server using Kerberos
- Because the PAC is there, the result is a Windows integrated security context
Demo you will not see: Mozilla -> IIS
- Needs the Mozilla SPNEGO plug-in
- Available later this year from multiple vendors
- Vintela *does* provide the Windows PAC
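The token a "Negotiate" client sends in the SPNEGO web logon above is a SPNEGO NegTokenInit carrying the list of mechanisms the client is willing to use, in preference order. The following is an added example, not code from the slides, from Microsoft or from Vintela: it decodes that list from a raw token or from an HTTP Authorization: Negotiate header value, so an administrator can confirm from a web server log that Kerberos is offered and NTLM is only a fallback. The mechanism OIDs are the registered values from RFC 2478, RFC 1964 and MS-SPNG; the sample token is constructed.

```python
import base64
# Registered mechanism OIDs from RFC 2478/RFC 1964/MS-SPNG; these values are not on the slides.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5 (RFC 1964)", "1.2.840.48018.1.2.2": "MS Kerberos V5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(data, pos=0):
    """Return (tag, body, next position) of one DER element; handles long-form lengths."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the count of length bytes that follow
        n, pos = int.from_bytes(data[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, data[pos:pos + n], pos + n

def oid_decode(body):
    """Dotted string from DER OID content: first byte packs two arcs, the rest are base-128."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def offered_mechs(token):
    """Mechanism names from a SPNEGO NegTokenInit, in the client's preference order."""
    tag, body, _ = read_tlv(token)            # [APPLICATION 0] GSS-API initial token
    mtag, oid, pos = read_tlv(body)           # thisMech OID must be SPNEGO
    if tag != 0x60 or mtag != 0x06 or oid_decode(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    _, neg, _ = read_tlv(body, pos)           # [0] NegTokenInit
    _, seq, _ = read_tlv(neg)                 # SEQUENCE { [0] mechTypes, ... }
    _, ctx, _ = read_tlv(seq)                 # [0] mechTypes
    _, lst, _ = read_tlv(ctx)                 # MechTypeList ::= SEQUENCE OF OID
    names, pos = [], 0
    while pos < len(lst):
        _, oid, pos = read_tlv(lst, pos)
        names.append(MECH_NAMES.get(oid_decode(oid), oid_decode(oid)))
    return names

def mechs_from_authorization(header):
    """Same check starting from an HTTP 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    return offered_mechs(base64.b64decode(b64))

# Constructed sample token: NegTokenInit offering Kerberos, MS Kerberos, then NTLMSSP.
SAMPLE_TOKEN = bytes.fromhex("6032 0606 2b0601050502 a028 3026 a024 3022 0609 2a864886f712010202"
                             " 0609 2a864882f712010202 060a 2b06010401823702020a")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
```

If NTLMSSP is the only or the first entry, the browser never reached a KDC for that request, which usually means a missing SPN or a host not in the intranet zone rather than a Kerberos failure.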
Conclusion
Interoperability
- Kerberos 5 for authentication
- LDAP for authorization
Benefits
- Single point of administration
- Fewer accounts to manage
- User account policy enforcement
- Protect user passwords
- Protect application data
- Single point of authorization
- Improved end-user experience (fewer IDs/passwords)
Identity Management Virtual Track
For the IT Pro
- SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
- DEP311: Identity Management with Microsoft Metadirectory Services
- WIN310: AD Branch Office with Windows Server 2003
- ADM313: Managing Active Directory with MOM
- ADM314: Delegating Administrative Tasks in Active Directory
For the Developer
- SEC320/402: Developing Identity-aware Apps on Microsoft's Identity Platform (Parts 1 & 2)
- OFC333: EAI Using SharePoint Portal Server
- WEB311: Windows Platform Security Services for Web Services
Ask The Experts: Get Your Questions Answered
I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:
- 2 July, 13:00-15:00
- 4 July, 10:00-12:00
Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
VAS enables end users to utilize a single login account and password for access to critical systems and applications found in mixed Windows, UNIX® and Linux® environments. The time IT managers spend creating, modifying and removing user accounts is now reduced to a single action. Companies running Microsoft® Active Directory® can benefit from enhanced security and reduced management by extending these benefits to their business-critical UNIX and Linux applications. VAS addresses the problem of identity management in a fundamentally different way than anyone else in the market today. VAS integrates user accounts in Active Directory to authenticate to UNIX and Linux systems and applications in the same way as a Windows® XP system would communicate. The integration allows UNIX and Linux security to validate users' credentials found in Active Directory. VAS is not synchronization. The authentication is transported over LDAP and made secure through Kerberos, exactly the same way as Active Directory and XP communicate. The installation is simple and the benefits are immediately recognized.
Control through Integration
Dave Wilson, President, Vintela Division (a division of Center7, Inc.)
801.655.2612 | dwilson@center7.com | www.vintela.com | sales@center7.com
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.