Slide 1: Active Directory and Oxford Single Sign-On. Bridget Lewis (ICTST), Adrian Parks (OUCS)
Slide 2: Aim: how to connect Active Directory to the Oxford Kerberos single sign-on (SSO) infrastructure
Slide 3: What is Kerberos? An authentication protocol. Not authorisation. Client and server mutually authenticate.
Slide 4: Guest List: Donald Duck, Fred Smith, Lucy Jones, The Doctor, Fred A. Stair. Fred A. Stair, Undergraduate, Cornflake College. Authentication versus Authorisation: Authenticated; Authorised.
Slide 5: Why Kerberos? Single sign-on. Centralised authentication. Strong encryption. No passwords over the wire.
Slide 6: Kerberos in Oxford: Herald, WebLearn, Apache/IIS web servers (via Webauth), eDirectory, Active Directory, Open Directory.
Slide 7: So how does it work...? Simple, really...
Slide 8: Like this...
Slide 9: Basic Kerberos Functionality (diagram): Client A, Service B, Trusted Third Party S. Message 1, from A to S: A, B.
Slide 10: Essential Terminology. Principal: a client or service with credentials. Ticket: issued for access to a service. Key Distribution Center (KDC): issues tickets for principals in a realm. Realm: the set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK. TGT (ticket-granting ticket): confirms identity; used to obtain further tickets (single sign-on).
Slide 11: Kerberos and Active Directory. Kerberos 5 is implemented in AD (with additions...). Every domain is a Kerberos realm. Every domain controller is a KDC. Many services can use Kerberos: CIFS, LDAP, HTTP. Kerberos is preferred over NTLM. Trusts between Kerberos realms.
Slide 12: Integrating Active Directory with the Oxford Kerberos Realm. Configure the Active Directory Kerberos realm to trust the Oxford Kerberos realm for authentication. (Diagram: OX.AC.UK KDCs, trust, Active Directory OUCS.OX.AC.UK KDCs, Client A; steps 1 to 4.)
Slide 13: Integrating Active Directory with the Oxford Kerberos Realm. Authorisation: AD uses the SID, not the username, to determine what a user can do. Usernames must exist in AD (identity management). Oxford usernames must be mapped to Active Directory users: fred@OUCS.OX.AC.UK to fred@OX.AC.UK.
Slide 14: So what does this mean in practice? The "Good"... Use the Oxford account to authenticate to AD. No need to issue passwords to new students every year. Devolve password problems to OUCS.
Slide 15: Case Study: St Hugh's College. ~20 public access PCs. ~600 students, intake of ~120 every year. Passwords were issued manually every year. Integrated with the Oxford KDCs. Account creation simplified through a VB script. Students use their "Herald" password. Administrative overhead reduced for ITSS.
Slide 16: Case Study: Language Centre. User base is the whole university! Potentially 40000 users. Historically, all used one shared account. Webauth plus Oxford SSO solution: users register for an AD account via a Webauth-protected web page; the AD account is created on the fly; they log into AD via the Oxford SSO solution ("Herald password").
Slide 17: But... there are some caveats. The "Bad"... Access from PCs not in the domain, including via the web, e.g. Outlook Web Access. Some students don't know their Oxford password (approx 13%). Loss of external connectivity to the central KDCs.
Slide 18: ...and some problems. The "Ugly"... Fallback authentication is NTLM. KDCs don't speak NTLM. Some applications only speak NTLM. Problems integrating other operating systems (OS X, other?).
Slide 19: Summary. Works very well in certain situations, e.g. shared filestore for students; reduced administrative overhead. Not appropriate for all situations, e.g. many services built on Active Directory (Exchange, SharePoint, web access to files etc.).
Slide 20: How do we set this up? Full details are on the ITSS wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
Slide 21: How do we set this up? 1. Check time is in sync (throughout the domain and to the NTP source). See the appendix for details!
Slide 22: How do we set this up? 2. Request a Kerberos principal from the OUCS Systems Development group (email@example.com): krbtgt/FULL.AD.DOMAIN.NAME, e.g. krbtgt/STHUGHS.OX.AC.UK, krbtgt/ZOO.OX.AC.UK
Slide 23: How do we set this up? 3. Change the password of the new principal (use linux.ox.ac.uk):
Slide 24: How do we set this up? 4. Check time is in sync.
Slide 25: How do we set this up? 5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run: ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk; ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk; ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk. Or use a registry file / Group Policy (see wiki).
Slide 26: How do we set this up? (screenshot)
Slide 27: How do we set this up? 6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest. Use the password set in step 3.
Slide 28: How do we set this up? (screenshot)
Slide 29: How do we set this up? 7. Check time is in sync.
Slide 30: How do we set this up? 8. Add a name mapping for the AD account to the Kerberos realm. The format is oucs1234@OX.AC.UK. Note the upper-case OX.AC.UK.
Slide 31: How do we set this up? (screenshot)
Slide 32: How do we set this up? 9. Reboot the workstation and log in.
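The cross-realm exchange that slides 12 and 13 describe and that steps 1 to 9 configure, simulated as an added Python example (not code from the slides or the ITSS wiki): the Oxford KDC issues a TGT, swaps it for a cross-realm TGT sealed under the krbtgt/STHUGHS.OX.AC.UK trust secret from step 3, and the AD side verifies it, enforces the 5-minute skew limit and authorises via the step-8 name mapping to a SID. All keys, the SID and the HMAC "seal" standing in for Kerberos encryption are constructed placeholders.

```python
import hashlib, hmac, json

MAX_SKEW = 300  # seconds: Appendix B says clocks must be within 5 minutes of the KDC

def seal(key, claims):
    """Stand-in for Kerberos ticket encryption: only a holder of `key` can verify it."""
    body = json.dumps(claims, sort_keys=True)
    return body, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def unseal(key, ticket):
    """Reject any ticket not sealed under `key` (forged, or wrong trust secret)."""
    body, tag = ticket
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(body)

# Constructed secrets held by the Oxford KDC: user keys, its own TGT key and the
# cross-realm principal requested in step 2, whose password was set in step 3.
OX_KDC = {
    "fred@OX.AC.UK": b"fred-secret",
    "lucy@OX.AC.UK": b"lucy-secret",
    "krbtgt/OX.AC.UK@OX.AC.UK": b"ox-tgt-key",
    "krbtgt/STHUGHS.OX.AC.UK@OX.AC.UK": b"trust-password-from-step-3",
}
# The AD domain shares only the trust key, plus the step-8 name mappings
# (Kerberos principal -> AD account and SID; the SID is a constructed placeholder).
AD_TRUST_KEY = OX_KDC["krbtgt/STHUGHS.OX.AC.UK@OX.AC.UK"]
AD_NAME_MAP = {"fred@OX.AC.UK": ("STHUGHS\\fred", "S-1-5-21-0-0-0-1105")}

def ox_as_exchange(principal, key, now):
    """AS: prove knowledge of the user's key and get a TGT for OX.AC.UK."""
    if OX_KDC.get(principal) != key:
        raise PermissionError("AS: pre-authentication failed")
    return seal(OX_KDC["krbtgt/OX.AC.UK@OX.AC.UK"], {"cname": principal, "authtime": now})

def ox_tgs_exchange(tgt, target_realm):
    """TGS: swap a valid TGT for a cross-realm TGT sealed under the trust key."""
    claims = unseal(OX_KDC["krbtgt/OX.AC.UK@OX.AC.UK"], tgt)
    return seal(OX_KDC[f"krbtgt/{target_realm}@OX.AC.UK"], claims)

def ad_kdc_accept(xrealm_tgt, now):
    """AD KDC: authenticate via the trust key, check skew, then authorise by SID."""
    claims = unseal(AD_TRUST_KEY, xrealm_tgt)
    if abs(now - claims["authtime"]) > MAX_SKEW:
        raise PermissionError("clock skew greater than 5 minutes")
    if claims["cname"] not in AD_NAME_MAP:  # authenticated, but not authorised
        raise LookupError(f"no AD name mapping for {claims['cname']}")
    return AD_NAME_MAP[claims["cname"]]

def sso_logon(principal, key, now):
    """Client side: one Oxford password, two tickets, an AD account and SID."""
    tgt = ox_as_exchange(principal, key, now)
    return ad_kdc_accept(ox_tgs_exchange(tgt, "STHUGHS.OX.AC.UK"), now)
```

Lucy authenticates successfully but has no mapping, which is the authenticated-versus-authorised distinction from slide 4; a ticket sealed under anything but the shared trust secret is rejected before any mapping is consulted.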
Slide 33: Contact details: firstname.lastname@example.org, email@example.com
Slide 35: Some links. ITSS Wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust. MIT, Designing an Authentication System: A Dialogue in Four Scenes: http://web.mit.edu/kerberos/www/dialogue.html. Microsoft: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx. Kerberos: The Definitive Guide (Jason Garman, O'Reilly): http://www.amazon.co.uk/Kerberos-Definitive-Guide-Jason-Garman/dp/0596004036/ref=sr_1_1/202-9173258-1666237?ie=UTF8&s=books&qid=1182273864&sr=8-1
Slide 36: Appendix A: Utilities. 2003 Resource Kit utilities: Kerbtray (GUI), Klist (command line). Support Tools utilities (from the 2003 CD): Ksetup (command line), Ktpass (command line).
Slide 37: Kerbtray shows tickets. The picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK.
Slide 38: Kerbtray. The picture shows tickets for services in the Active Directory realm.
Slide 39: Klist: as Kerbtray, but command line.
Slide 40: Support Tools. Ksetup: sets up realm information, e.g. sets the KDCs for a given realm. Ktpass: manipulating principals.
Slide 41: MIT Kerberos for Windows: http://web.mit.edu/kerberos/dist/ Another way of viewing tickets. Maintains its own ticket store. Can import tickets from the Microsoft cache. Some applications can use these tickets.
Slide 42: Network Identity Manager (screenshot)
Slide 43: Appendix B: Additional Notes. Time must be within 5 minutes of KDC time. Logon may fail intermittently if logon is allowed before the network has fully initialised (XP/2003). Group Policy setting: Computer Configuration/Administrative Templates/System/Logon, enable the setting "Always wait for the network at computer startup or user logon". Terminal Services patch: http://support.microsoft.com/default.aspx?scid=KB;EN-US;902336
Slide 44: A Short History of Time. All DCs sync to the PDC emulator (automatic). Member servers and workstations sync to domain controllers (automatic). The PDC emulator must be synced to an NTP source. Must reconfigure if you move the PDC emulator role: w32tm /config /manualpeerlist:"ntpserver1 ntpserver2 ntpserver3" /syncfromflags:manual /reliable:yes /update. See http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
Slide 45: Automated Account Creation. OUCS can provide a daily update of Oxford usernames and other data to every unit: http://www.oucs.ox.ac.uk/enlistment/card_data_2006.xml.ID=body.1_div.9. Use scripts to feed this into Active Directory.
Slide 46: Full Kerberos Functionality (diagram). The KDC has two parts: AS (Authentication Server) and TGS (Ticket Granting Server). Message 1, client A to AS: A, TGS. Message 2, client A to TGS: A, B. Client A, Service B.
Slide 47: Other notes of interest. The workstation authenticates too: problems for cross-realm authentication. DC devolution: KDC patches available. Macs. eDir. Pre-authentication, timestamps, lifetime of tickets etc.
Slide 48: Appendix C: Use Wireshark to watch the Kerberos exchange.