Active Directory and Oxford Single Sign-On. Bridget Lewis – ICTST; Adrian Parks – OUCS
Aim: how to connect Active Directory to the Oxford Kerberos single sign-on (SSO) infrastructure.
What is Kerberos? An authentication protocol, not an authorisation protocol. Client and server mutually authenticate.
Authentication versus Authorisation. Guest list: Donald Duck, Fred Smith, Lucy Jones, The Doctor, Fred A. Stair. "Fred A. Stair, Undergrad, Cornflake College": Authenticated; Authorized.
Why Kerberos? Single sign-on; centralized authentication; strong encryption; no passwords over the wire.
Kerberos in Oxford: Herald, WebLearn, Apache/IIS webservers (via Webauth), eDirectory, Active Directory, Open Directory.
So how does it work…? Simple, really…
Like this…
Basic Kerberos Functionality (diagram): Client A, Service B and a Trusted Third Party. Message 1: A, B (client A asks the trusted third party for access to service B).
Essential Terminology. Principal — client or service with credentials. Ticket — issued for access to a service. Key Distribution Center (KDC) — issues tickets for principals in a realm. Realm — set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK. TGT (ticket-granting ticket) — confirms identity; used to get further tickets (single sign-on).
Kerberos and Active Directory. Kerberos 5 implemented in AD (with additions…). Every domain is a Kerberos realm. Every domain controller is a KDC. Many services can use Kerberos: CIFS, LDAP, HTTP. Kerberos is preferred over NTLM. Trusts between Kerberos realms.
Integrating Active Directory with Oxford Kerberos Realm. Configure the Active Directory Kerberos realm to trust the Oxford Kerberos realm for authentication. Diagram: OX.AC.UK KDCs; Trust; Active Directory (OUCS.OX.AC.UK KDCs); Client A; steps 1–4.
Integrating Active Directory with Oxford Kerberos Realm. Authorization: AD uses the SID, not the username, to determine what a user can do. Usernames must exist in AD (identity management). Oxford usernames must be mapped to Active Directory users, e.g. fred@OX.AC.UK → fred@OUCS.OX.AC.UK.
So what does this mean in practice? The "Good"... Use the Oxford account to authenticate to AD. No need to issue passwords to new students every year. Devolve password problems to OUCS.
Case Study: St Hugh's College. ~20 public-access PCs; ~600 students, intake of ~120 every year. Passwords were issued manually every year. Integrated with Oxford KDCs. Account creation streamlined via VB script. Students use their "Herald" password. Administrative overhead reduced for ITSS.
Case Study: Language Centre. User base is the entire university! Potentially 40000 users. Historically, all used one shared account. Webauth plus Oxford SSO solution: users register for an AD account via a Webauth-protected web page; the AD account is created on the fly; users log into AD via the Oxford SSO solution ("Herald password").
But… there are a few caveats. The "Bad"... Access from PCs not in the domain, including via the web, e.g. Outlook Web Access. Some students don't know their Oxford password (approx 13%). Loss of external connectivity to the central KDCs.
...and a few problems. The "Ugly"... Fallback authentication is NTLM; the KDCs don't speak NTLM. Some applications only speak NTLM. Problems integrating other operating systems (OS X, others?).
Summary. Works very well in certain situations, e.g. shared filestore for students; reduced administrative overhead. Not appropriate for all situations, e.g. many services built on Active Directory (Exchange, SharePoint, web access to files etc.).
How do we set this up? Full details are on the ITSS wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
How do we set this up? 1. Check time is in sync (throughout the domain and to the NTP source). See appendix for details!
How do we set this up? 2. Request a Kerberos principal from the OUCS Systems Development team ( firstname.lastname@example.org ): krbtgt/FULL.AD.DOMAIN.NAME, e.g. krbtgt/STHUGHS.OX.AC.UK, krbtgt/ZOO.OX.AC.UK
How do we set this up? 3. Change the password of the new principal (use linux.ox.ac.uk):
How do we set this up? 4. Check time is in sync
How do we set this up? 5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run: ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk; ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk; ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk. Or use a registry file/Group Policy (see wiki).
How do we set this up? 6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest. Use the password set in step 3.
How do we set this up? 7. Check time is in sync
How do we set this up? 8. Add a name mapping for the AD account to the Kerberos realm. Format is oucs1234@OX.AC.UK. Note the uppercase OX.AC.UK.
How do we set this up? 9. Reboot the workstation and log in
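Steps 1, 4, 5 and 7 as one script: check the clock offset against a KDC before registering the three KDCs with ksetup. This is an added example, not the wiki's or the presenters' code; it assumes an elevated PowerShell session on a domain member, that w32tm and ksetup are on the PATH, and the 5-minute skew limit stated in Appendix B.

```powershell
# Added example (not from the ITSS wiki or the deck): refuse to register KDCs on a host
# whose clock is outside the Kerberos skew window, then run the step-5 ksetup commands.
# Assumptions: elevated session, domain member, w32tm/ksetup on PATH, 5-minute bound (Appendix B).
$Realm   = 'OX.AC.UK'
$Kdcs    = @('kdc0.ox.ac.uk', 'kdc1.ox.ac.uk', 'kdc2.ox.ac.uk')
$MaxSkew = [TimeSpan]::FromMinutes(5)

function Get-ClockOffset {
    # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.1234567s" line per sample;
    # sample lines that report an error carry no offset and are skipped.
    param([string]$Peer, [int]$Samples = 3)
    $lines = & w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No offset samples from $Peer : $($lines -join ' ')" }
    return [TimeSpan]::FromSeconds(($offsets | Measure-Object -Average).Average)
}

# Steps 1, 4 and 7: a host outside the skew window will fail Kerberos regardless of the trust.
$offset = Get-ClockOffset -Peer $Kdcs[0]
if ([Math]::Abs($offset.TotalSeconds) -gt $MaxSkew.TotalSeconds) {
    throw "Clock is off by $($offset.TotalSeconds)s relative to $($Kdcs[0]); fix time sync first"
}
Write-Host ("Clock offset to {0}: {1:N3}s (within {2} min)" -f $Kdcs[0], $offset.TotalSeconds, $MaxSkew.TotalMinutes)

# Step 5: register every KDC for the realm; stop on the first failure rather than leaving a partial list.
foreach ($kdc in $Kdcs) {
    & ksetup /addkdc $Realm $kdc
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc $Realm $kdc failed with exit code $LASTEXITCODE" }
}

# Print the realm/KDC configuration the machine now holds so the change can be verified.
& ksetup /dumpstate
```

The same check is worth running again after the trust is created (step 7), since a host that drifts later will start failing logons intermittently.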
Contact details: email@example.com firstname.lastname@example.org
Some links. ITSS Wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust. MIT: Designing an Authentication System: A Dialogue in Four Scenes, http://web.mit.edu/kerberos/www/dialogue.html. Microsoft: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx. Kerberos: The Definitive Guide (Jason Garman/O'Reilly), http://www.amazon.co.uk/Kerberos-Definitive-Guide-Jason-Garman/dp/0596004036/ref=sr_1_1/202-9173258-1666237?ie=UTF8&s=books&qid=1182273864&sr=8-1
Appendix A — Utilities. 2003 Resource Kit utilities: Kerbtray (GUI), Klist (command line). Support Tools utilities (from the 2003 CD): Ksetup (command line), Ktpass (command line).
Kerbtray shows tickets. Picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK.
Kerbtray: picture shows tickets for services in the Active Directory realm.
Klist — as Kerbtray but command line.
Support Tools. Ksetup: set up realm information, e.g. set the KDCs for a given realm. Ktpass: manipulating principals.
MIT Kerberos for Windows, http://web.mit.edu/kerberos/dist/: another way of viewing tickets. Maintains its own ticket store. Can import tickets from the Microsoft cache. Some applications can use these tickets.
Network Identity Manager
Appendix B — Additional Notes. Time must be within 5 minutes of KDC time. Logon may fail intermittently if logon is allowed before the network is fully initialised (XP/2003): Group Policy setting Computer Configuration/Administrative Templates/System/Logon, enable "Always wait for the network at computer startup and logon". Terminal Services patch: http://support.microsoft.com/default.aspx?scid=KB;EN-US;902336
Short History of Time. All DCs sync to the PDC emulator (automatic). Member servers and workstations sync to domain controllers (automatic). The PDC emulator must be sync'd to an NTP source. Must update if you move the PDC emulator role: w32tm /config /manualpeerlist:"ntpserver1 ntpserver2 ntpserver3" /syncfromflags:manual /reliable:yes /update. http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
Automated Account Creation. OUCS can provide a daily update of Oxford usernames and other data to each unit: http://www.oucs.ox.ac.uk/enrollment/card_data_2006.xml.ID=body.1_div.9. Use scripts to feed this into Active Directory.
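An added example (not St Hugh's VB script or any OUCS code) of the feed-to-AD step combined with the name-mapping format from step 8: it reads a constructed sample feed, creates accounts that are missing, and writes the Kerberos mapping with the realm forced to uppercase. It assumes the ActiveDirectory PowerShell module, a feed with columns username,givenname,surname, and uses placeholder OU and domain names.

```powershell
# Added example (not the deck's or OUCS's code). Assumptions: ActiveDirectory module present,
# feed columns username,givenname,surname, placeholder OU/domain, username shape like "oucs1234".
Import-Module ActiveDirectory

$KerberosRealm = 'OX.AC.UK'                                   # realm must be uppercase (step 8)
$TargetOu      = 'OU=Students,DC=sthughs,DC=ox,DC=ac,DC=uk'   # placeholder OU
$AdDnsDomain   = 'sthughs.ox.ac.uk'                           # placeholder AD domain

# Constructed sample of a daily feed; a real run would Import-Csv the file OUCS provides.
$Feed = @'
username,givenname,surname
oucs1234,Fred,Smith
oucs5678,Lucy,Jones
'@ | ConvertFrom-Csv

function Get-KerberosMapping {
    # Builds the altSecurityIdentities value that lets AD resolve a cross-realm ticket
    # for this user. The realm is forced to uppercase because AD compares it with the
    # realm name in the ticket exactly; "oucs1234@ox.ac.uk" would silently not match.
    param([string]$OxfordUsername)
    if ($OxfordUsername -notmatch '^[a-z]{3,5}\d{4}$') { throw "Unexpected username '$OxfordUsername'" }
    return "Kerberos:$($OxfordUsername.ToLower())@$($KerberosRealm.ToUpper())"
}

foreach ($row in $Feed) {
    $mapping = Get-KerberosMapping -OxfordUsername $row.username
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.username)'" -Properties altSecurityIdentities
    if (-not $user) {
        # New student: the AD password is random and never issued, so the Oxford
        # password (via the realm trust) is the only credential that works.
        $randomPw = -join ((48..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
        $user = New-ADUser -Name "$($row.givenname) $($row.surname)" `
            -SamAccountName $row.username -GivenName $row.givenname -Surname $row.surname `
            -UserPrincipalName "$($row.username)@$AdDnsDomain" -Path $TargetOu `
            -AccountPassword (ConvertTo-SecureString $randomPw -AsPlainText -Force) -Enabled $true -PassThru
    }
    # Idempotent: re-running the daily feed only adds mappings that are missing.
    if ($user.altSecurityIdentities -notcontains $mapping) {
        Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mapping }
        Write-Host "Mapped $($user.SamAccountName) -> $mapping"
    }
}
```

Because the AD password is unknown to the student, the NTLM fallback described under "The Ugly" cannot work for these accounts; that is the intended design here, but it is why NTLM-only applications need a separate plan.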
Full Kerberos Functionality (diagram). KDC — 2 parts: AS: Authentication Server; TGS: Ticket Granting Server. Client A, Service B. Message 1: A, TGS (client A asks the AS for a ticket for the TGS); message 2: A, B (client A asks the TGS for a ticket for service B).
Other notes of interest. The workstation authenticates too: issues for cross-realm auth. DC devolution — KDC patches available. Macs, eDir: preauth, timestamps, lifetime of tickets etc.
Appendix C. Use Wireshark to watch the Kerberos exchange.