21st June 2007

Slide 1

Active Directory and Oxford Single Sign-On
Bridget Lewis – ICTST
Adrian Parks – OUCS

Slide 2

Aim
How to connect Active Directory to the Oxford Kerberos Single Sign-On (SSO) system

Slide 3

What is Kerberos?
Authentication protocol
Not authorisation
Client and server mutually authenticate

Slide 4

Authentication versus Authorisation
[Illustration: a guest list (Donald Duck, Fred Smith, Lucy Jones, The Doctor, Fred A. Stair) and an ID card for Fred A. Stair, Undergrad, Cornflake College; being on the card is Authenticated, being on the list is Authorised]

Slide 5

Why Kerberos?
Single sign-on
Centralised authentication
Strong encryption
No passwords over the wire

Slide 6

Kerberos in Oxford
Herald
WebLearn
Apache/IIS webservers (via Webauth)
eDirectory
Active Directory
Open Directory

Slide 7

So how does it work…? Simple, really…

Slide 8

Like this…

Slide 9

Basic Kerberos Functionality
[Diagram: Client A, Service B and a Trusted Third Party S; message 1 from A to S: "A, B"]

Slide 10

Essential Terminology
Principal — client or service with credentials
Ticket — issued for access to a service
Key Distribution Center (KDC) — issues tickets for principals in a realm
Realm — set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK
TGT (ticket-granting ticket) — confirms identity; used to obtain further tickets (Single Sign-on)

Slide 11

Kerberos and Active Directory
Kerberos 5 implemented in AD (with extras…)
Every domain is a Kerberos realm
Every domain controller is a KDC
Many services can use Kerberos: CIFS, LDAP, HTTP
Kerberos is preferred over NTLM
Trusts between Kerberos realms

Slide 12

Integrating Active Directory with Oxford Kerberos Realm
Configure the Active Directory Kerberos realm to trust the Oxford Kerberos realm for authentication
[Diagram: Client A, the OX.AC.UK KDCs, the OUCS.OX.AC.UK KDCs and Active Directory, with the trust between Active Directory and OX.AC.UK; message steps numbered 1 to 4]

Slide 13

Integrating Active Directory with Oxford Kerberos Realm
Authorisation: AD uses the SID, not the username, to determine what a user can do
Usernames must exist in AD (Identity Management)
Oxford usernames must be mapped to Active Directory users: fred@OUCS.OX.AC.UK, fred@OX.AC.UK

Slide 14

So what does this mean in practice? The "Good"...
Use the Oxford account to authenticate to AD
No need to issue passwords to new students every year
Devolve password problems to OUCS

Slide 15

Case Study: St Hugh's College
~20 Public Access PCs
~600 students, intake of ~120 every year
Passwords were issued manually every year
Integrated with Oxford KDCs
Account creation streamlined via VB script
Students use their "Herald" password
Administrative overhead reduced for ITSS

Slide 16

Case Study: Language Centre
User base is the entire university! Potentially 40000 users
Historically, all used one shared account
Webauth plus Oxford SSO solution
Users register for an AD account via a Webauth-protected web page
AD account created on the fly
Log into AD via the Oxford SSO solution ("Herald password")

Slide 17

But… there are some caveats. The "Bad"...
Access from PCs not in the domain, including via the web, e.g. Outlook Web Access
Some students don't know their Oxford password (approx 13%)
Loss of external connectivity to the central KDCs

Slide 18

...and some problems. The "Ugly"...
Fallback authentication is NTLM
KDCs don't speak NTLM
Some applications only speak NTLM
Problems integrating other operating systems (OS X, other?)

Slide 19

Summary
Works very well in certain scenarios, e.g. shared filestore for students
Reduced administrative overhead
Not appropriate for all scenarios, e.g. many services built on Active Directory (Exchange, Sharepoint, web access to files etc.)

Slide 20

How do we set this up?
Full details are on the ITSS wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust

Slide 21

How do we set this up?
1. Check time is in sync (throughout the domain and to an NTP source). See appendix for details!

Slide 22

How do we set this up?
2. Request a Kerberos principal from the OUCS Systems Development team (sysdev@oucs.ox.ac.uk): krbtgt/FULL.AD.DOMAIN.NAME, e.g. krbtgt/STHUGHS.OX.AC.UK, krbtgt/ZOO.OX.AC.UK

Slide 23

How do we set this up?
3. Change the password of the new principal (use linux.ox.ac.uk):

Slide 24

How do we set this up?
4. Check time is in sync

Slide 25

How do we set this up?
5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run:
ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk
Or use a registry file / Group Policy (see wiki)

Slide 26

How do we set this up?

Slide 27

How do we set this up?
6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest. Use the password set in step 3.

Slide 28

How do we set this up?

Slide 29

How do we set this up?
7. Check time is in sync

Slide 30

How do we set this up?
8. Add a name mapping for the AD account to the Kerberos realm. Format is oucs1234@OX.AC.UK. Note the upper-case OX.AC.UK

Slide 31

How do we set this up?

Slide 32

How do we set this up?
9. Reboot the workstation and log in
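The Windows side of steps 1 to 9 above, as a script. This is an added example, not code from the talk or the ITSS wiki. The realm, KDC and NTP host names are the placeholders the slides use; the AD domain STHUGHS.OX.AC.UK and the account names fred / oucs1234 are taken from the slides as placeholders; using netdom for the realm trust, w32tm /stripchart for the skew check and Set-ADUser (ActiveDirectory module) for the name mapping are this example's assumptions, not something the talk prescribes.

```powershell
# Added example, not from the talk or the ITSS wiki: scripts the Windows side of
# steps 1 to 9 for one AD domain. Host names, the AD domain and the account names are
# placeholders from the slides; netdom, w32tm /stripchart and Set-ADUser are assumptions.

$KrbRealm    = 'OX.AC.UK'                                           # must stay upper case (step 8)
$KdcHosts    = @('kdc0.ox.ac.uk', 'kdc1.ox.ac.uk', 'kdc2.ox.ac.uk')  # step 5
$AdDomain    = 'STHUGHS.OX.AC.UK'                                   # placeholder AD forest root
$TimeSources = @('ntpserver1', 'ntpserver2', 'ntpserver3')          # placeholders from the w32tm slide
$MaxSkew     = 300                                                  # KDC tolerance is 5 minutes (Appendix B)

# Parse "w32tm /stripchart /dataonly" lines such as "12:34:56, +00.0123456s" into seconds.
function ConvertFrom-StripchartOutput {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
}

# Steps 1, 4 and 7: is this machine inside the KDC skew window against every time source?
function Test-KerberosTimeSync {
    param([string[]]$Sources, [int]$MaxSkewSeconds)
    $ok = $true
    foreach ($src in $Sources) {
        $raw     = & w32tm /stripchart /computer:$src /samples:3 /dataonly 2>&1
        $offsets = @(ConvertFrom-StripchartOutput -Lines ($raw | ForEach-Object { "$_" }))
        if ($offsets.Count -eq 0) {
            Write-Warning "No NTP reply from $src"; $ok = $false; continue
        }
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        if ($worst -gt $MaxSkewSeconds) {
            Write-Warning ('Clock is {0:N1}s off {1}; Kerberos logons will fail' -f $worst, $src)
            $ok = $false
        }
    }
    return $ok
}

# Step 5: tell this machine which KDCs serve the Oxford realm (the wiki's registry file / GPO
# does the same thing for many machines at once).
function Add-OxfordKdcs {
    param([string]$Realm, [string[]]$Kdcs)
    foreach ($kdc in $Kdcs) { & ksetup /addkdc $Realm $kdc }
    & ksetup /dumpstate                                             # show the resulting realm table
}

# Step 6: one-way, outgoing, transitive trust: the AD domain (trusting) trusts the MIT realm
# (trusted). The password must match the one set on krbtgt/FULL.AD.DOMAIN.NAME in step 3.
function New-OxfordRealmTrust {
    param([string]$TrustingAdDomain, [string]$TrustedRealm, [securestring]$TrustPassword)
    $plain = (New-Object System.Net.NetworkCredential('', $TrustPassword)).Password
    & netdom trust $TrustingAdDomain /Domain:$TrustedRealm /Add /Realm /PasswordT:$plain /Transitive:Yes
}

# Step 8: map an Oxford principal onto an AD user. This is what the ADUC "Name Mappings"
# tab writes: a "Kerberos:user@REALM" value in altSecurityIdentities, realm in upper case.
function Add-OxfordNameMapping {
    param([string]$SamAccountName, [string]$OxfordUsername, [string]$Realm)
    if ($OxfordUsername -match '@') { throw 'Give the bare Oxford username; the realm is appended here' }
    $mapping = 'Kerberos:{0}@{1}' -f $OxfordUsername, $Realm.ToUpperInvariant()
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    return $mapping                                                 # e.g. Kerberos:oucs1234@OX.AC.UK
}

# Driver: stop on clock skew first, because every later Kerberos step depends on it.
if (-not (Test-KerberosTimeSync -Sources $TimeSources -MaxSkewSeconds $MaxSkew)) {
    throw 'Fix time synchronisation first (see Appendix B)'
}
Add-OxfordKdcs -Realm $KrbRealm -Kdcs $KdcHosts
$pw = Read-Host -AsSecureString 'Password set on the krbtgt principal in step 3'
New-OxfordRealmTrust -TrustingAdDomain $AdDomain -TrustedRealm $KrbRealm -TrustPassword $pw
Add-OxfordNameMapping -SamAccountName 'fred' -OxfordUsername 'oucs1234' -Realm $KrbRealm
# Step 9: reboot the workstation and log on as the mapped user.
```

Run it elevated on a domain controller. Add-OxfordKdcs is per machine and belongs on every DC, member server and workstation (or in the registry file / GPO the wiki describes); the trust and the name mapping are created once per domain. The skew check is deliberately run before anything else, since the 5-minute tolerance in Appendix B is the most common reason a freshly configured realm trust appears not to work.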

Slide 33


Slide 34

Contact details
bridget.lewis@ict.ox.ac.uk
adrian.parks@oucs.ox.ac.uk

Slide 35

Some links
ITSS Wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
MIT: Designing an Authentication System: A Dialog in Four Scenes http://web.mit.edu/kerberos/www/dialogue.html
Microsoft: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
Kerberos: The Definitive Guide (Jason Garman / O'Reilly) http://www.amazon.co.uk/Kerberos-Definitive-Guide-Jason-Garman/dp/0596004036/ref=sr_1_1/202-9173258-1666237?ie=UTF8&s=books&qid=1182273864&sr=8-1

Slide 36

Appendix A — Utilities
2003 Resource Kit Utilities: Kerbtray (GUI), Klist (command line)
Support Tools Utilities (from 2003 CD): Ksetup (command line), Ktpass (command line)

Slide 37

Kerbtray shows tickets
Picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK

Slide 38

Kerbtray
Picture shows tickets for services in the Active Directory realm

Slide 39

Klist — as Kerbtray but command line

Slide 40

Support Tools
Ksetup: set up realm information, e.g. set the KDCs for a given realm
Ktpass: manipulating principals

Slide 41

MIT Kerberos for Windows http://web.mit.edu/kerberos/dist/
Another way of viewing tickets
Maintains its own ticket cache
Can import tickets from the Microsoft cache
Some applications can use these tickets

Slide 42

Network Identity Manager

Slide 43

Appendix B — Additional Notes
Time must be within 5 minutes of KDC time
Logon may fail intermittently if logon is allowed before the network is fully initialised (XP/2003)
Group Policy setting: Computer Configuration/Administrative Templates/System/Logon, enable the setting "Always wait for the network at computer startup and logon"
Terminal Services Patch http://support.microsoft.com/default.aspx?scid=KB;EN-US;902336

Slide 44

Short History of Time
All DCs sync to the PDC emulator (automatic)
Member servers and workstations sync to Domain Controllers (automatic)
PDC emulator must be sync'd to an NTP source
Must update if you move the PDC emulator role:
w32tm /config /manualpeerlist:"ntpserver1 ntpserver2 ntpserver3" /syncfromflags:manual /reliable:yes /update
http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true

Slide 45

Automated Account Creation
OUCS can provide a daily update of Oxford usernames and other data to each unit http://www.oucs.ox.ac.uk/enrollment/card_data_2006.xml.ID=body.1_div.9
Use scripts to feed this into Active Directory

Slide 46

Full Kerberos Functionality
KDC — 2 parts: AS: Authentication Server; TGS: Ticket Granting Server
[Diagram: Client A, Service B and the KDC (AS and TGS); message 1 from A to the AS: "A, TGS"; message 2 from A to the TGS: "A, B"]

Slide 47

Other notes of interest
Workstation authenticates too: issues for cross-realm auth.
DC devolution — KDC patches available
Macs
eDir
preauth, timestamps, lifetime of tickets etc.

Slide 48

Appendix C
Use Wireshark to watch the Kerberos exchange
