Presentation is loading. Please wait.

Presentation is loading. Please wait.

Company LOGO January 24 th, 2007 PC Manager Meeting.

Published byTimothy Norman Modified over 8 years ago

Similar presentations

Presentation on theme: "Company LOGO January 24 th, 2007 PC Manager Meeting."— Presentation transcript:

1 Company LOGO January 24 th, 2007 PC Manager Meeting

2 Today  Updates  Next Meeting  Training  License  Jinitiator Upgrade  Meeting Maker  Windows Policy  Security  get_cert Replacement, A Look At NetIDMgr– Jack Schmidt

3 Next Meeting  February 28th  Key Management Service

4 Training Update  Understanding and Using Digital Certificates (PKI) Feb 15th, 2007 Understanding and Using Digital Certificates (PKI) Feb 15th, 2007  Excel 2003: Advanced Feb. 27 & March 1, 2007 (am only) Excel 2003: Advanced Feb. 27 & March 1, 2007 (am only)  Word 2003: Advanced Feb. 27 & March 1, 2007 (pm only) Word 2003: Advanced Feb. 27 & March 1, 2007 (pm only)

5 Licensing  EA Training vouchers expire March/April  FNAL Website: http://www-css.fnal.gov/csg/licensing/training/  Help redeeming Training Vouchers: licensemgr@fnal.gov Div/SecDaysDiv/SecDays AD16D00 MIS5ESH1 CD17FESS4 CDF1PPD4 TD5

6 Jinitiator  Update required for DST compliance Feb/Mar 2007 timeframe  See PC Manager archives for detailed email.  MIS package available for download or via SMS  Instructions available at: http://bss-support.fnal.gov/Products/SNP_BOOK.nsf/Ref/712114619

7 Meeting Maker MMCO  Microsoft DST patch (KB928388) breaks Outlook connector  The error displayed is "Cannot connect to current session“  Working with vendor. Don’t install DST patch on systems with outlook connector for now.  If the DST patch is already installed on your computer it can be uninstalled to return MMCO functionality.

8 Meeting Maker 8.6  MM Upgrade mandatory?  Does it correct DST problem with MMCO?  Required for DST time change?  Full upgrade:  MM server, MM Native client, MM web server, MM MMCO server, MM MMCO client  MM Upgrade changes Sync tool. Requires a new server with a Web component and database component  Working with Meeting Maker and Notify link to answer questions.

9 Windows Policy Committee  Vista Update  Updating baseline  KMS up and validating systems!  Working out issues (documentation, SRV records)  Testing new GPOs in Fermibeta  Vista-users mail list  Next Meeting Feb 7 th 1:30-2:30pm, WH5SW

10 Security Updates  MANDATORY Patches:  MS07-004  Due Date: 1-19-2007  RECOMMENDED Patches:  Due Date: 2-15-2007  The following is a link to the January Microsoft list of critical and important patches. http://www.microsoft.com/technet/security/ bulletin/ms07-jan.mspx http://www.microsoft.com/technet/security/ bulletin/ms07-jan.mspx

11 Security Updates  New Fermi Windows CD available soon!

12 Main Topic  NetIDMgr – Jack Schmidt

13 Agenda  Background  Definitions  Requirements  Solution  Demo  Rollout

14 Background  Kerberos has provided good central supported service for telnet, ftp, etc  Unfortunately many applications are unlikely to be Kerberized  Multiplicity of passwords not solved by Kerberos, still need some single sign on mechanism for applications  We need to choose a mechanism to establish identity for other apps

15 Definitions (sorry)  Public Key Encryption  Asymmetric encryption: public key and private key  PKI Public Key Infrastructure  A system of public key encryption using digital certificates from Certificate Authorities that verify and authenticate the validity of each party involved in an electronic transaction.  Digital Certificate  Includes your name, serial number, expiration dates, your public key, digital signature of the CA

16 Definitions  CA: Certificate Authority  verify the identity of entities and issue digital certificates attesting to that identity.  X.509 is the international standard for Digital Certificates (not all conform)

17 Definitions  KCA: Kerberos Certificate Authority  Leverages Kerberos authentication infrastructure  Short-lived (current ticket lifetime up to 7 days)  Requires FNAL realm Kerberos principal  kx509 is a client program that talks to the KCA to obtain a short-lived X.509 certificate

18 Motivation To Use Certificates  Single sign on for applications  Eliminate application passwords in clear  Attacks are moving more toward applications rather than OS  Central revocation of authorization  Allows centralized auditing of user accounts  Next slide indicates scope of problem with clear passwords

19 Inbound passwords in clear text

20 Benefits  KCA Certs  Strong identity verification  Read or publish information  User privileges can be revoked  No password vulnerability  Restricts usage to FNAL only  Requires frequent renewal

21 Strategy  Move to single sign on by adopting certificates for all applications  Build get_cert tools for each OS

22 Get_cert  Windows users find current implementation a bit klunky  Issue with logon name

23 Replacement Tool Requirements  On login to FERMI domain or via ‘user’@FNAL.GOV  Automatically get FNAL.GOV ticket  Automatically get KCA certificate and load into supported browsers*  Use existing krb5.conf  One place to change passwords  Ease of credential renew  Code must be supportable

24 Solution  Pay Company to build new tool http://www.secure-endpoints.com  Use existing NetIDMgr/KFW software  Create kca plugin  Comes with AFS plugin!  Maintained Opensource  W2000/XP/Vista support  Terminal Server support

25 Take a spin…

26 Rollout  FNAL package available on pseekits \\pseekits\desktoptools\netidmgr  SMS package available for distribution  Requires AFS 1.5.14  MSI can be installed via SMS  Issue if existing version installed via.EXE

27 AFS Tip!  Don’t mount drives via AFS Control Panel!  Map Network Drive and UNC path \\afs\fnal.gov \\afs\fnal.gov

28 References  Cd-doc-1380. CD Briefing on SSL Certificates, March 2006, Mark Leininger & Jack Schmidt Cd-doc-1380  NetIDMgr User Documentation (pdf) NetIDMgr User Documentationpdf  Kerberos For Windows Kerberos For Windows  OpenAFS for Windows OpenAFS for Windows

Download ppt "Company LOGO January 24 th, 2007 PC Manager Meeting."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...

Certificates, Browsers & You: What is all this certificate crud? Frank J. Nagy God of Kerberos And Associates...
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

Similar presentations

Ads by Google