Active Directory and Oxford Single Sign-On

Slide 1

Active Directory and Oxford Single Sign-On
Bridget Lewis – ICTST
Adrian Parks – OUCS

Slide 2

Aim
How to connect Active Directory to the Oxford Kerberos Single Sign-On (SSO) infrastructure

Slide 3

What is Kerberos?
Authentication protocol
Not authorisation
Client and server mutually authenticate

Slide 4

Guest List: Donald Duck, Fred Smith, Lucy Jones, The Doctor, Fred A. Stair
(Picture: ID card for Fred A. Stair, Undergraduate, Cornflake College)
Authentication versus Authorisation: Authenticated; Authorised

Slide 5

Why Kerberos?
Single sign-on
Centralised authentication
Strong encryption
No passwords over the wire

Slide 6

Kerberos in Oxford
Herald
WebLearn
Apache/IIS web servers (via Webauth)
eDirectory
Active Directory
Open Directory

Slide 7

So how does it work...? Simple, really...

Slide 8

Like this...

Slide 9

Basic Kerberos Functionality (diagram): Client A, Service B and a Trusted Third Party; message 1 from A names A and B

Slide 10

Essential Terminology
Principal — client or service with credentials
Ticket — issued for access to a service
Key Distribution Center (KDC) — issues tickets for principals in a realm
Realm — set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK
TGT (ticket-granting ticket) — confirms identity; used to obtain further tickets (Single Sign-on)

Slide 11

Kerberos and Active Directory
Kerberos 5 implemented in AD (with additions...)
Every domain is a Kerberos realm
Every domain controller is a KDC
Many services can use Kerberos: CIFS, LDAP, HTTP
Kerberos is preferred over NTLM
Trusts between Kerberos realms

Slide 12

Integrating Active Directory with Oxford Kerberos Realm
Configure the Active Directory Kerberos realm to trust the Oxford Kerberos realm for authentication
(Diagram: OX.AC.UK KDCs, Trust, Active Directory, OUCS.OX.AC.UK KDCs, Client A; steps 1–4)

Slide 13

Integrating Active Directory with Oxford Kerberos Realm
Authorisation: AD uses the SID, not the username, to work out what a user can do
Usernames must exist in AD (Identity Management)
Oxford usernames must be mapped to Active Directory users: fred@OUCS.OX.AC.UK, fred@OX.AC.UK

Slide 14

So what does this mean in practice? The "Good"...
Use Oxford account to authenticate to AD
No need to issue passwords to new students every year
Devolve password problems to OUCS

Slide 15

Case Study: St Hugh's College
~20 Public Access PCs
~600 students, intake of ~120 every year
Passwords were issued manually every year
Integrated with Oxford KDCs
Account creation simplified through VB script
Students use "Herald" password
Administrative overhead reduced for ITSS

Slide 16

Case Study: Language Centre
User base is the whole university! Potentially 40000 users
Historically, all used one shared account
Webauth plus Oxford SSO solution
Users register for an AD account via a Webauth-protected web page
AD account created on the fly
Log into AD via the Oxford SSO solution ("Herald password")

Slide 17

But... there are a few caveats. The "Bad"...
Access from PCs not in the domain, including via the web, e.g. Outlook Web Access
Some students don't know their Oxford password (approx 13%)
Loss of external connectivity to central KDCs

Slide 18

...and a few problems. The "Ugly"...
Fallback authentication is NTLM
KDCs don't speak NTLM
Some applications only speak NTLM
Problems integrating other operating systems (OS X, other?)

Slide 19

Summary
Works very well in certain situations, e.g. shared filestore for students; reduced administrative overhead
Not suitable for all situations, e.g. many services built on Active Directory (Exchange, SharePoint, web access to files, etc.)

Slide 20

How do we set this up?
Full details are on the ITSS wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust

Slide 21

How do we set this up?
1. Check time is in sync (throughout the domain and to the NTP source). See appendix for details!

Slide 22

How do we set this up?
2. Request a Kerberos principal from the OUCS Systems Development group (sysdev@oucs.ox.ac.uk): krbtgt/FULL.AD.DOMAIN.NAME, for example krbtgt/STHUGHS.OX.AC.UK or krbtgt/ZOO.OX.AC.UK

Slide 23

How do we set this up?
3. Change the password of the new principal (use linux.ox.ac.uk):

Slide 24

How do we set this up?
4. Check time is in sync

Slide 25

How do we set this up?
5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run:
ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk
Or use a registry file / Group Policy (see wiki)

Slide 26

How do we set this up?

Slide 27

How do we set this up?
6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest. Use the password set in step 3.

Slide 28

How do we set this up?

Slide 29

How do we set this up?
7. Check time is in sync

Slide 30

How do we set this up?
8. Add a name mapping for the AD account to the Kerberos realm. Format is oucs1234@OX.AC.UK. Note the capitalised OX.AC.UK.

Slide 31

How do we set this up?

Slide 32

How do we set this up?
9. Reboot the workstation and log in

Slide 33


Slide 34

Contact details
bridget.lewis@ict.ox.ac.uk
adrian.parks@oucs.ox.ac.uk

Slide 35

Some links
ITSS Wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
MIT: Designing an Authentication System: A Dialogue in Four Scenes http://web.mit.edu/kerberos/www/dialogue.html
Microsoft: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
Kerberos: The Definitive Guide (Jason Garman / O'Reilly) http://www.amazon.co.uk/Kerberos-Definitive-Guide-Jason-Garman/dp/0596004036/ref=sr_1_1/202-9173258-1666237?ie=UTF8&s=books&qid=1182273864&sr=8-1

Slide 36

Appendix A — Utilities
2003 Resource Kit utilities: Kerbtray (GUI), Klist (command line)
Support Tools utilities (from 2003 CD): Ksetup (command line), Ktpass (command line)

Slide 37

Kerbtray shows tickets. Picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK

Slide 38

Kerbtray: picture shows tickets for services in the Active Directory realm

Slide 39

Klist — as Kerbtray but command line

Slide 40

Support Tools
Ksetup: set up realm information, e.g. set the KDCs for a given realm
Ktpass: manipulating principals

Slide 41

MIT Kerberos for Windows http://web.mit.edu/kerberos/dist/
Another way of viewing tickets
Maintains its own ticket store
Can import tickets from the Microsoft cache
Some applications can use these tickets

Slide 42

Network Identity Manager

Slide 43

Appendix B — Additional Notes
Time must be within 5 minutes of KDC time
Logon may fail intermittently if logon is allowed before the network is fully initialised (XP/2003)
Group Policy setting: Computer Configuration/Administrative Templates/System/Logon; enable the setting "Always wait for the network at computer startup and logon"
Terminal Services patch http://support.microsoft.com/default.aspx?scid=KB;EN-US;902336

Slide 44

Short History of Time
All DCs sync to the PDC emulator (automatic)
Member servers and workstations sync to domain controllers (automatic)
PDC emulator must be synced to an NTP source
Must reconfigure if you move the PDC emulator role:
w32tm /config /manualpeerlist:"ntpserver1 ntpserver2 ntpserver3" /syncfromflags:manual /reliable:yes /update
http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true

Slide 45

Automated Account Creation
OUCS can provide a daily update of Oxford usernames and other data to every unit: http://www.oucs.ox.ac.uk/enlistment/card_data_2006.xml.ID=body.1_div.9
Use scripts to feed this into Active Directory

Slide 46

Full Kerberos Functionality (diagram): KDC has 2 parts, AS (Authentication Server) and TGS (Ticket Granting Server); Client A sends message 1 (A, TGS) to the AS and message 2 (A, B) to the TGS before contacting Service B
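The diagrams on slides 9 and 46 show the three legs of the exchange but not what each party can and cannot read. The following is an added illustration, not code from the presenters or OUCS: a toy Python model of the AS leg (TGT), the TGS leg (service ticket) and the AP leg (authenticator plus mutual-authentication reply), with the five-minute skew check from Appendix B and the authentication/authorisation split from slide 4. The cipher, the password-to-key derivation, the principal names, passwords and guest list are all stand-ins constructed for the example; real Kerberos uses ASN.1 messages and proper encryption types.

```python
"""Toy Kerberos exchange: AS, TGS and AP legs with a 5-minute skew check (illustrative crypto only)."""
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds: Kerberos tolerates at most five minutes of clock skew

def key_from_password(password, realm):
    # stand-in for Kerberos string2key; not the real derivation
    return hashlib.sha256((realm + password).encode()).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption: XOR keystream plus HMAC tag (assumed, not a Kerberos etype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decrypt failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, client, now):
    # the authenticator must name the ticket's client and carry a fresh timestamp
    if auth["client"] != client:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW")

class KDC:
    """Both halves of a KDC: the AS issues TGTs, the TGS issues service tickets."""
    def __init__(self, realm, keys):
        self.keys, self.tgs_key = keys, keys["krbtgt/" + realm]

    def as_exchange(self, client, now):
        # AS-REQ is plaintext; AS-REP is readable only with the client's password-derived key,
        # so no password ever crosses the wire
        if client not in self.keys:
            raise KeyError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": now + 36000})
        return tgt, seal(self.keys[client], {"key": session})

    def tgs_exchange(self, tgt, authenticator, service, now):
        tgt_data = unseal(self.tgs_key, tgt)  # only the KDC can open a TGT
        session = bytes.fromhex(tgt_data["key"])
        check_authenticator(unseal(session, authenticator), tgt_data["client"], now)
        if service not in self.keys:
            raise KeyError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt_data["client"], "key": svc_key, "expires": now + 36000})
        return ticket, seal(session, {"key": svc_key, "service": service})

class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, key_from_password(password, realm)

    def login(self, kdc, now):
        self.tgt, enc = kdc.as_exchange(self.name, now)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["key"])  # wrong password fails here

    def get_ticket(self, kdc, service, now):
        auth = seal(self.tgt_key, {"client": self.name, "time": now})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_key, enc)["key"])

class Service:
    """A kerberised service with its own key and a separate authorisation list."""
    def __init__(self, key, allowed):
        self.key, self.allowed = key, allowed

    def ap_exchange(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
        svc_key = bytes.fromhex(t["key"])
        auth = unseal(svc_key, authenticator)
        check_authenticator(auth, t["client"], now)
        authorised = t["client"] in self.allowed  # authentication done; authorisation is separate
        return t["client"], authorised, seal(svc_key, {"time": auth["time"]})  # AP-REP for mutual auth

def run_demo(client_name="fred", password="correct horse", skew=0, now=1_700_000_000):
    """Constructed realm: two users, one service; 'skew' models a workstation clock that is off."""
    realm = "OX.AC.UK"
    keys = {"krbtgt/OX.AC.UK": os.urandom(32), "host/fileserver": os.urandom(32),
            "fred": key_from_password("correct horse", realm), "lucy": key_from_password("lucy pw", realm)}
    kdc, fileserver = KDC(realm, keys), Service(keys["host/fileserver"], allowed={"fred"})
    c = Client(client_name, password, realm)
    c.login(kdc, now)
    ticket, svc_key = c.get_ticket(kdc, "host/fileserver", now)
    auth = seal(svc_key, {"client": c.name, "time": now + skew})
    who, authorised, ap_rep = fileserver.ap_exchange(ticket, auth, now)
    unseal(svc_key, ap_rep)  # client checks the reply, so the service is authenticated too
    return who, authorised

if __name__ == "__main__":
    print(run_demo())                      # fred authenticates and is authorised
    print(run_demo("lucy", "lucy pw"))     # lucy authenticates but is not on the list
```

Running it with `skew=600` raises KRB_AP_ERR_SKEW from the service, which is the failure mode behind the repeated "check time is in sync" steps; running it with a wrong password fails inside `login` without anything being sent to the service, which is the "no passwords over the wire" property from slide 5.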

Slide 47

Other notes of interest
Workstation authenticates too: issues for cross-realm auth
DC devolution — KDC patches available
Macs
eDir: preauth, timestamps, ticket lifetime, etc.

Slide 48

Appendix C
Use Wireshark to watch the Kerberos exchange
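Watching the exchange in Wireshark, as Appendix C suggests, mostly comes down to reading which message the KDC sent back and, for a KRB-ERROR, which error code. As an added example (not from the slides or OUCS), the Python below is a minimal DER walker that classifies a Kerberos message by its APPLICATION tag and, for KRB-ERROR, pulls out error-code, stime and realm, then compares stime with the client's clock against the five-minute limit from Appendix B. The sample packet and the client clock are constructed here so it runs offline; on a capture you would feed it the UDP payload (for Kerberos over TCP, strip the 4-byte length prefix first). The error-code table lists only a few of the codes defined in RFC 4120.

```python
"""Minimal Kerberos DER dissector: message type plus KRB-ERROR details and a skew check."""
from datetime import datetime, timezone

MAX_SKEW = 300  # seconds; Kerberos rejects authenticators more than five minutes off the KDC clock

MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
             14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}
ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               25: "KDC_ERR_PREAUTH_REQUIRED", 37: "KRB_AP_ERR_SKEW", 68: "KDC_ERR_WRONG_REALM"}

# --- DER helpers for tag numbers below 31, which is all Kerberos uses ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v):
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx(n, content):  # context-specific constructed tag [n]
    return der(0xA0 | n, content)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def build_krb_error(error_code, realm, stime):
    """Constructed sample KRB-ERROR (RFC 4120 5.9.1 layout, required fields only)."""
    sname = der(0x30, ctx(0, der_int(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, realm.encode()))))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) + ctx(4, der(0x18, stime.encode()))
            + ctx(6, der_int(error_code)) + ctx(9, der(0x1B, realm.encode())) + ctx(10, sname))
    return der(0x7E, der(0x30, body))  # [APPLICATION 30] SEQUENCE

def dissect(packet):
    """Classify a Kerberos message; for KRB-ERROR also return error code, server time and realm."""
    tag, seq, _ = read_tlv(packet)
    if (tag & 0xE0) != 0x60:
        raise ValueError("not a Kerberos APPLICATION-tagged message")
    app = tag & 0x1F
    info = {"msg": MSG_TYPES.get(app, "APPLICATION %d" % app)}
    seq_tag, body, _ = read_tlv(seq)
    if seq_tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields = {t & 0x1F: read_tlv(v)[1] for t, v in children(body)}  # [n] -> inner content bytes
    if app == 30:
        code = int.from_bytes(fields[6], "big", signed=True)
        info.update(error_code=code, error=ERROR_CODES.get(code, "unknown"),
                    stime=fields[4].decode(), realm=fields[9].decode())
    return info

def skew_seconds(stime, client_time):
    """Seconds between the KDC's GeneralizedTime (e.g. 20070619120000Z) and the client clock."""
    kdc = datetime.strptime(stime, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return abs((client_time - kdc).total_seconds())

SAMPLE = build_krb_error(37, "OX.AC.UK", "20070619120000Z")          # constructed packet
CLIENT_CLOCK = datetime(2007, 6, 19, 12, 7, 30, tzinfo=timezone.utc)  # constructed: 7.5 min fast

if __name__ == "__main__":
    info = dissect(SAMPLE)
    skew = skew_seconds(info["stime"], CLIENT_CLOCK)
    print(info, "skew=%ds" % skew, "OK" if skew <= MAX_SKEW else "exceeds 5 minutes")
```

A KRB_AP_ERR_SKEW in the trace with a large difference between the KDC's stime and the workstation clock points at the time-sync steps; a KDC_ERR_WRONG_REALM or an unknown-principal error after the trust is created more often points at the name mapping or the krbtgt principal from steps 2 and 8.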
