SEC400 UNIX & Kerberos Interop to Achieve Identity Management
David Mowers Program Manager Microsoft Security Solutions
Agenda
Identity and Access Management (I&AM) Issues
How Kerberos interop solves an identity management problem
Interop standards and technologies
Scenario & Demos
 *NX/AD Kerberos Sign-on
 *NX/AD Kerberos SSO
Authentication vs Authorization
Secure SSO and Authorization
Snapshot of I&AM Issues
BDM
 Complex identity infrastructure costs money
 Complex identity infrastructure is hard to extend to new business processes
 You invested in AD, what next?
IT Pro
 How to centralize management of security principals?
 How to apply AD security policy to *NX accounts?
Developer
 Too many authentication mechanisms to choose from
 How to protect application data?
 Leverage centralized authorization store
User
 Multiple user accounts
 Entering credentials multiple times
How Kerberos 5 Interop Helps to Solve I&AM Issues
IT Pro
 All users are managed in Active Directory
 AD has strong user policy enforcement
 User passwords safe in AD
Developer
 Kerberos 5 available on most enterprise platforms
 Secure authentication
 Protect application data
 AD is single source of authorization data
User Experience
 Authentication based on one user account in AD
 Transparent authentication to applications (SSO)
Kerberos: Windows and Linux components (diagram labels)
Windows side: GINA (login) and applications call SSPI; the LSA holds the credential (ticket) cache and the service principal key table.
Linux side: pam_krb5 (login) and applications call the GSSAPI and the MIT de-facto Kerberos API; kinit, klist, kdestroy and kpasswd manage the default credential (ticket) cache and the default service principal key table.
Protocol: RFC 1510 KRB exchanges, AS (Authentication Service) and TGS (Ticket Granting Service); CPW (change password service) is MIT de-facto.
Kerberos configuration the hard way
Step 1: Create UNIX user accounts in Active Directory
Step 2: Create UNIX workstation accounts in Active Directory
Step 3: Create keytab files for the UNIX workstations
Step 4: Install the keytab file on the UNIX workstation
Step 5: Configure the pam.conf file
Step 6: Configure the krb5.conf file
Creating the keytab file
ktpass -princ host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM -mapuser Solaris_Workstation_Name -pass password -out Solaris_Workstation_Name.keytab
It worked…
Targeting domain controller: GRNCDC01.na.corp.contoso.com
Successfully mapped host/ Solaris_Workstation_Name.na.corp.contoso.com to Solaris_Workstation_Name.
Key created.
Output keytab to Solaris_Workstation_Name.keytab:
Keytab version: 0x502
keysize 79 host/ ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0e9bd5da314f5bad)
Account Solaris_Workstation_Name has been set for DES-only encryption.
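The ktpass output reports keytab format version 0x502, a single-DES key (etype 0x3) and key version number 3. The parser below is an added example, not part of the presentation or of any Microsoft or Vintela tool: it decodes that on-disk keytab layout (big-endian entry size, counted realm and name components, name type, timestamp, 8-bit and optional 32-bit kvno, enctype and key) and reports principals whose only keys use deprecated enctypes (single DES per RFC 6649; 3DES and RC4 per RFC 8429). The sample keytab is constructed inline with an all-zero placeholder key, so nothing here is a real credential.

```python
"""Parse an MIT-format keytab (file format version 0x502) and flag entries
whose enctype is deprecated. The sample keytab is built in this file."""
import struct

# Enctype numbers from RFC 3961/3962 and the MIT registry (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single DES deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
DEPRECATED_ENCTYPES = {1, 2, 3, 16, 23}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """Serialise one 0x502 keytab entry (used here to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">II", 1, timestamp)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">B", kvno & 0xFF)     # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)            # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return one dict per entry: principal, kvno, enctype, key length, deprecated flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is handled here")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end, pos = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp = struct.unpack_from(">II", data, pos); pos += 8
        vno = data[pos]; pos += 1          # 8-bit vno
        (enctype,) = struct.unpack_from(">H", data, pos); pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:                 # 32-bit vno present and non-zero overrides
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_length": len(key),
            "deprecated": enctype in DEPRECATED_ENCTYPES,
        })
        off = end
    return entries


def weak_entries(data: bytes):
    """Principals whose every key in the keytab uses a deprecated enctype."""
    by_principal = {}
    for e in parse_keytab(data):
        by_principal.setdefault(e["principal"], []).append(e["deprecated"])
    return sorted(p for p, flags in by_principal.items() if all(flags))


# Constructed sample: the host principal from the slides, kvno 3, etype 3
# (des-cbc-md5) as ktpass reported, with an 8-byte all-zero placeholder key.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM",
    kvno=3, enctype=3, key=bytes(8))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("principals with only deprecated keys:", weak_entries(SAMPLE_KEYTAB))
```

Running the script on a real keytab (`parse_keytab(open(path, "rb").read())`) is a quick way to confirm that a host principal carries a current kvno and at least one AES key rather than only the DES key that the 2003-era ktpass produced.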
Using the keytab file
Securely transfer the keytab file from the DC to the client
Use ktutil to import the file:
 At the ktutil: prompt, type rkt Solaris_Workstation_Name.keytab
 At the ktutil: prompt, type wkt /etc/krb5/krb5.keytab
Configure pam.conf
# Contoso's Kerberos Setup
#
# Authentication
other auth sufficient pam_krb5.so.1
other auth sufficient pam_unix.so.1 use_first_pass
# Password
other password optional pam_krb5.so.1 try_first_pass
other password required pam_unix.so.1
# Account
other account optional pam_krb5.so.1
# session
other session optional pam_krb5.so.1
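What the control flags in this stack actually decide is easy to get wrong, so here is an added simulation (not from the presentation) that parses the Solaris-format pam.conf above and walks each stack with the standard semantics: a `required` failure is remembered but later modules still run, a `requisite` failure returns at once, a `sufficient` success returns at once unless a `required` module already failed, and `optional` only counts when it is the sole module. Module results are supplied as a dict, so it runs without PAM or a KDC; the module names and the `other` service are the ones on the slide.

```python
"""Evaluate a Solaris-style pam.conf stack with the usual control-flag
semantics. Module outcomes are supplied, so no PAM modules or KDC are needed."""

# The pam.conf from the slides, reproduced as constructed sample input.
PAM_CONF = """\
# Contoso's Kerberos Setup
# Authentication
other auth sufficient pam_krb5.so.1
other auth sufficient pam_unix.so.1 use_first_pass
# Password
other password optional pam_krb5.so.1 try_first_pass
other password required pam_unix.so.1
# Account
other account optional pam_krb5.so.1
# session
other session optional pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks


def run_stack(stack, outcomes):
    """Walk one stack. outcomes maps module name -> True (success) / False.
    Returns (success, trace)."""
    trace, required_failed, required_seen = [], False, False
    for control, module, options in stack:
        ok = outcomes.get(module, False)
        trace.append(f"{control:10} {module:14} -> {'success' if ok else 'failure'}")
        if control == "sufficient" and ok and not required_failed:
            trace.append("stack returns success: sufficient module succeeded")
            return True, trace
        if control == "requisite" and not ok:
            trace.append("stack returns failure: requisite module failed")
            return False, trace
        if control == "required":
            required_seen = True
            required_failed |= not ok
    if required_failed:
        return False, trace          # some required module failed
    if required_seen:
        return True, trace           # every required module passed
    if len(stack) == 1 and stack[0][0] == "optional":
        return outcomes.get(stack[0][1], False), trace   # lone optional decides
    return False, trace              # only sufficient modules, none succeeded


def evaluate(conf_text, mtype, outcomes, service="other"):
    """Success/failure of the given stack type for a service."""
    ok, _ = run_stack(parse_pam_conf(conf_text)[(service, mtype)], outcomes)
    return ok


if __name__ == "__main__":
    cases = {
        "AD password accepted by KDC": ("auth", {"pam_krb5.so.1": True}),
        "KDC rejects or unreachable, local password ok":
            ("auth", {"pam_krb5.so.1": False, "pam_unix.so.1": True}),
        "AD password change failed, local change ok":
            ("password", {"pam_krb5.so.1": False, "pam_unix.so.1": True}),
    }
    for label, (mtype, outcomes) in cases.items():
        ok, trace = run_stack(parse_pam_conf(PAM_CONF)[("other", mtype)], outcomes)
        print(f"{label}: {'success' if ok else 'failure'}")
        for line in trace:
            print("   ", line)
```

The second and third cases are the ones worth noticing: because both `auth` lines are `sufficient`, a user whose AD password is rejected still logs in if a local /etc/shadow password exists, and because pam_krb5 is only `optional` in the `password` stack, a password change reports success even when the Kerberos change failed. That fallback disappears only once local account data is removed, which is what the later slides argue for.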
Configure krb5.conf
[libdefaults]
 default_realm = NA.CORP.CONTOSO.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
[realms]
 NA.CORP.CONTOSO.COM = {
  kdc = grncdc01.na.corp.contoso.com
  admin_server = grncdc01.na.corp.contoso.com
  kpasswd_protocol = SET_CHANGE
  kpasswd_server = grncdc01.na.corp.contoso.com
 }
[domain_realm]
 .na.corp.contoso.com = NA.CORP.CONTOSO.COM
 na.corp.contoso.com = NA.CORP.CONTOSO.COM
...
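Two things in this file are worth checking mechanically: how a service hostname is mapped to a realm (and from there to a KDC) through `[domain_realm]`, and which enctypes the `[libdefaults]` lists allow. The script below is an added example, not part of the presentation or of MIT Kerberos: it parses the `[section]` / `key = value` / `key = { ... }` layout, applies the MIT lookup order for `[domain_realm]` (exact hostname first, then each parent domain with a leading dot, then `default_realm`; the DNS-based fallbacks real libraries add are left out), and flags deprecated enctypes (single DES per RFC 6649; 3DES and RC4 per RFC 8429). The embedded krb5.conf is the one from the slide with its trailing "..." omitted.

```python
"""Resolve hosts to realms and KDCs from a krb5.conf and flag deprecated enctypes."""

# The krb5.conf from the slides, reproduced as constructed sample input.
KRB5_CONF = """\
[libdefaults]
 default_realm = NA.CORP.CONTOSO.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
[realms]
 NA.CORP.CONTOSO.COM = {
  kdc = grncdc01.na.corp.contoso.com
  admin_server = grncdc01.na.corp.contoso.com
  kpasswd_protocol = SET_CHANGE
  kpasswd_server = grncdc01.na.corp.contoso.com
 }
[domain_realm]
 .na.corp.contoso.com = NA.CORP.CONTOSO.COM
 na.corp.contoso.com = NA.CORP.CONTOSO.COM
"""

# Deprecated per RFC 6649 (single DES) and RFC 8429 (3DES, RC4), by MIT name/alias.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des",
    "des3-cbc-sha1", "des3", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "rc4",
}


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {nested}}}; repeated keys (e.g. kdc) accumulate."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new top-level section
        elif line == "}":
            stack.pop()                                  # close a { } relation
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host, then parent domains with a leading dot,
    then default_realm. (Simplified: no DNS TXT or uppercased-domain fallback.)"""
    host = host.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate][0]
    return conf["libdefaults"]["default_realm"][0]


def kdcs_for_realm(conf, realm):
    """All kdc entries listed for the realm, in file order."""
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


def deprecated_enctype_settings(conf):
    """{setting: [weak enctype names]} for the enctype lists in [libdefaults]."""
    findings = {}
    libdefaults = conf.get("libdefaults", {})
    for setting in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        names = " ".join(libdefaults.get(setting, [])).split()
        weak = [n for n in names if n.lower() in DEPRECATED_ENCTYPES]
        if weak:
            findings[setting] = weak
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for h in ("solaris1.na.corp.contoso.com", "na.corp.contoso.com", "box.corp.contoso.com"):
        realm = realm_for_host(conf, h)
        print(f"{h} -> {realm} via KDC(s) {kdcs_for_realm(conf, realm)}")
    print("deprecated enctypes:", deprecated_enctype_settings(conf))
```

On the slide's file the check reports `des-cbc-md5` in both `default_tkt_enctypes` and `default_tgs_enctypes`; on a current deployment those lines (and the `DES-only` account flag set by ktpass) are what to remove so the KDC issues AES keys instead.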
Success!
Now that the *NX workstation is configured, a user can log on with an AD account and get Kerberos tickets
 Use klist to see the TGT
 The TGT is used to authenticate to apps
What's missing?
 AuthZ info and profile are still stored locally
 Use nss_ldap to obtain account authorization and profile information from AD
 Needs SFU or a similar schema extension
 Delete /etc/passwd
 What? No PAC?
ADSI (Active Directory Services Interface) and LDAP: Windows and Linux components (diagram labels)
Standards: LDAP (V3) - RFC 2251, LDAP API - RFC 1831, LDAP search - RFC 2254
Windows side: applications use ADSI or the LDAP API to read the account profile (groups, telephone number, office number, …).
Linux side: login goes through pam; applications and nss_ldap use an LDAP API (OpenLDAP, iPlanet, …) to read the account profile (UID, GID, home directory, groups, …).
Vintela Authentication Services
UNIX/Linux security systems integrated into Active Directory
 No synchronization between systems; all credentials reside within Active Directory
 Authentication and authorization through Kerberos
 UNIX identity management using the RFC 2307 schema
 Single login and password for mixed Windows, UNIX and Linux applications and resources
 All LDAP communication secured through Kerberos – no SSL overhead
 Single point of account management through Active Directory – Microsoft Management Console
 Immediate ROI to IT departments
demo Vintela – Joining Linux machine to AD domain
Joining a Linux machine to the AD Domain
# /opt/vas/bin/vastool -p myadmin join teched.com techeddc.teched.com
Now that's easy!
demo Vintela – Create “Unix enabled” user
Creating a “Unix enabled” user
Checkbox extension to the MMC Users & Computers snap-in
Applies the Vintela schema to AD for Unix-style authorization & profile information
demo Vintela – Domain login
Domain login
Windows UPN-style login
Deactivate the account in AD, no login!
Everything about the user lives in AD
SSPI and GSSAPI (diagram labels)
Client and server applications exchange security tokens. On Windows the application calls SSPI (Security Service Provider Interface), backed by the LSA and CAPI; on Linux it calls the GSSAPI (Generic Security Service - Application Programming Interface, "V2", RFC 2743) over the MIT de-facto Kerberos API.
Mechanisms: "Kerberos" / GSS Kerberos (RFC 1964), "NTLM", and "Negotiate" / GSS SPNEGO (RFC 2478); the underlying Kerberos protocol is RFC 1510.
demo Vintela – Web logon with SPNEGO
SPNEGO web logon
Vintela adds SPNEGO capability to Apache
 SSO from Windows & *NX clients
 Vintela also requests the Windows PAC from the Windows KDC
Mozilla SPNEGO (TBD) plug-in will give SSO to the IIS web server using Kerberos
 Because the PAC is there, the result is a Windows integrated security context
Demo you will not see: Mozilla -> IIS
Needs the Mozilla SPNEGO plug-in
 Available later this year from multiple vendors
Vintela *does* provide the Windows PAC
Conclusion
Interoperability
 Kerberos 5 for authentication
 LDAP for authorization
Benefits
 Single point of administration
 Fewer accounts to manage
 User account policy enforcement
 Protect user passwords
 Protect application data
 Single point of authorization
 Improve end-user experience (fewer ID/PWs)
Identity Management Virtual Track
For the IT Pro
 SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
 DEP311: Identity Management with Microsoft Metadirectory Services
 WIN310: AD Branch Office with Windows Server 2003
 ADM313: Managing Active Directory with MOM
 ADM314: Delegating Administrative Tasks in Active Directory
For the Developer
 SEC320/402: Developing Identity-aware apps on Microsoft's Identity Platform (Part 1 & 2)
 OFC333: EAI Using SharePoint Portal Server
 WEB311: Windows Platform Security Services for Web Services
Ask The Experts: Get Your Questions Answered
I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:
 2 July – 13:00-15:00
 4 July – 10:00-12:00
Community Resources
Most Valuable Professional (MVP)
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
User Groups: Meet and learn with your peers
VAS enables end users to use a single login account and password for access to critical systems and applications found in mixed Windows, UNIX® and Linux® environments. The time IT managers spend creating, modifying and removing user accounts is now reduced to a single action. Companies running Microsoft® Active Directory® can benefit from enhanced security and reduced management by extending these benefits to their business-critical UNIX and Linux applications. VAS addresses the problem of identity management in a fundamentally different way than anyone else in the market today. VAS integrates user accounts in Active Directory to authenticate to UNIX and Linux systems and applications in the same way as a Windows® XP system would communicate. The integration allows UNIX and Linux security to validate users' credentials found in Active Directory. VAS is not synchronization. The authentication is transported over LDAP and made secure through Kerberos, exactly the same way as Active Directory and XP communicate. The installation is simple and the benefits are immediately recognized.
Control through Integration
Dave Wilson, President, Vintela Division (a division of Center7, Inc.)
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.