Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation.

Published byGrant Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation."— Presentation transcript:

1 Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation

2 Agenda What’s New in Windows Vista and Windows Server 2008 Kerberos Tools Updates Configuring Interoperability with Windows

3 What’s New AES Support – AES256-CTS-HMAC-SHA1-96 [17] – AES128-CTS-HMAC-SHA1-96 [18] IPv6 support Support for Read Only Domain Controller (RODC) KDC returns encryption types supported by server or service Group Policy Support for Realm & Host-to-Realm settings

4 Kerberos AES Support ClientServerKDC Down-level Server 2008 TGT may be encrypted with AES if necessary based on policy Down-levelVistaServer 2008 Service ticket encryption in AES Vista Server 2008 All messages in AES Vista Down-level GSS encryption in AES VistaDown-levelServer 2008 AS-REQ/REP, TGS-REQ/REP in AES. Down-levelVistaDown-level No AES VistaDown-level No AES Down-level No AES For TGTs to be AES the domain must be Windows Server 2008 Functional Level.

5 PKInit Support for PA_PK_AS_REQ [16] & PA_PK_AS_REP [17] Support for Sha-1 Microsoft Confidential

6 Smart Card Support Changes Windows Server 2008 KDCs do not require the Smart Card OID User Certificates can be mapped by – UPN (supported down-level) – X.509 name – Certificate thumbprint – Subject key identifier – E-mail name

7 Kerberos Resources Kerberos: http://www.microsoft.com/kerberoshttp://www.microsoft.com/kerberos Windows Vista Authentication Features: http://technet2.microsoft.com/WindowsServer2008/ en/library/f632de29-a36e-4d82-a169- 2b180deb638b1033.mspx http://technet2.microsoft.com/WindowsServer2008/ en/library/f632de29-a36e-4d82-a169- 2b180deb638b1033.mspx MSDN Authentication: http://msdn2.microsoft.com/en- us/library/aa374735.aspx http://msdn2.microsoft.com/en- us/library/aa374735.aspx

8 Updated Tools Kerberos Setup (ksetup.exe) Kerberos Keytab Setup (ktpass.exe) SetSPN.exe

9 New to ksetup.exe /AddHostToRealmMap /DelHostToRealmMap /SetEncTypeAttr /GetEncTypeAttr /AddEncTypeAttr /DelEncTypeAttr

10 New to ktpass.exe [- /] crypto: All: All supported types

11 New to SetSPN.exe -F = perform the duplicate checking on forestwide level -P = do not show progress (useful for redirecting output to file) -S = add arbitrary SPN after verifying no duplicates exist -X = search for duplicate SPNs

12 Non-Windows Clients in Domains 1.Create new user account for host in AD – Enable AES256, if supported 2.On DC, create keytab file with ktpass 3.On host 1.Merge keytab file w/ existing 2.Edit krb5.conf to refer to DC as the Kerberos KDC 4.On both host and DC, ensure clocks are synchronized

13 Non-Windows Services in Domains 1.Create new user account for the service in AD Enable AES256, if supported 2.On DC, create keytab file with ktpass 3.On host, merge keytab file w/ existing keytab file on the host

14 Windows Clients in Realms 1.On KDC, create host principal 2.On Windows client, configure with realm settings using ksetup – Set Realm – Add KDC and Kpasswd Server (optional) If not specified, uses DNS SRV lookup – Set machine password 3.Restart client 4.On Windows client, configure account mappings

15 Trusts 1.On DC, configure realm with ksetup 2.On DC, create domain trust with AD Domains and Trusts MMC – If supported, enable AES256 3.On KDC, use kadmin to create cross-realm principals 4.If desired, create account mappings with AD Users and Computers MMC Advanced Features

16 Kerberos Resources Kerberos: http://www.microsoft.com/kerberoshttp://www.microsoft.com/kerberos Solution Guide for Windows Security and Directory Services for UNIX: http://www.microsoft.com/downloads/details.aspx?F amilyId=144F7B82-65CF-4105-B60C- 44515299797D&displaylang=en http://www.microsoft.com/downloads/details.aspx?F amilyId=144F7B82-65CF-4105-B60C- 44515299797D&displaylang=en Step-by-Step Guide to Kerberos Interoperability for Windows Server 2003 Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability for Windows 2000: http://technet.microsoft.com/en- us/library/bb742433.aspx http://technet.microsoft.com/en- us/library/bb742433.aspx

17 Summary What’s New in Windows Vista and Windows Server 2008 Kerberos Tools Updates Configuring Interoperability with Windows

Download ppt "Windows Server 2008 Kerberos Michiko Short Program Manager Microsoft Corporation."

Similar presentations

The following is intended to outline our general product direction

The following is intended to outline our general product direction
Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Technical Services & Operations WINDOWS 2008 R2 AD / DC UPGRADE PROJECT.

Technical Services & Operations WINDOWS 2008 R2 AD / DC UPGRADE PROJECT.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.

Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.
UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.

UNIX & W2K A single sign-on solution for a Kerberos V based AFS cell Enrico M.V. Fasanelli & Fulvio Ricciardi I.N.F.N. – Sezione di Lecce.
James Johnson. What is it?  A system of authenticating securely over open networks  Developed by MIT in 1983  Based on Needham-Schroeder Extended to.

James Johnson. What is it?  A system of authenticating securely over open networks  Developed by MIT in 1983  Based on Needham-Schroeder Extended to.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.

ACCESS CONTROL MANAGEMENT Project Progress (as of March 3) By: Poonam Gupta Sowmya Sugumaran.
15.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

15.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Chapter 4 Introduction to Active Directory and Account Management

Chapter 4 Introduction to Active Directory and Account Management
Active Directory and Windows Security Integration with Oracle Database Alex Keh Principal Product Manager, Windows and.NET Oracle.

Active Directory and Windows Security Integration with Oracle Database Alex Keh Principal Product Manager, Windows and.NET Oracle.
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.

© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.
SAGE Computing Services Consulting and customised training workshops Active Directory Integration AD, WLS & ADF in Harmony (a case study) Ray Tindall Senior.

SAGE Computing Services Consulting and customised training workshops Active Directory Integration AD, WLS & ADF in Harmony (a case study) Ray Tindall Senior.

Similar presentations

Ads by Google