Source: users.ox.ac.uk/~bridget/novell/Kerberos-4-2-05.pdf (2005-02-04)
Kerberos & eDirectory integration
Bridget Lewis
Agenda
• Background
• Aims
• Technical Details
• Demo
• Caveats
• Futures
Agenda
• Background
– Kerberos in OUCS
– WebAuth
– Netware in OUCS
• Aims
• Technical Considerations
• Demo
• Futures
Kerberos in OUCS
[Diagram: KDCs kdc0.ox.ac.uk and kdc1.ox.ac.uk serving realm OX.AC.UK; Kerberos-using services WebAuth, RT request tracker, Room Booking System, OUCS Wiki, Portal, eDirectory (Netware) and Active Directory; client platforms Linux, Apple Macs and Windows.]
Netware in OUCS
[Diagram of eDirectory (Netware) account creation paths:]
– Help Centre: automated account creation from the user registration terminal via the Registration Server; Oxford username, generated password
– Desktop Services: manual account creation by OUCS staff; Oxford username, random password
– Courses: semi-automated account creation via Desktop Services and scripts
Aims
• Allow users to authenticate to in-house services via Oxford username and Kerberos password
• Automatically provision eDirectory
• Investigate options which may help ITSS in departments and colleges
Agenda
• Background
• Aims
• Technical Details
– NMAS Kerberos Login Method
– Installation and Configuration
– How it works
• Demo
• Caveats
• Futures
NMAS Kerberos Method?
• Novell Modular Authentication Service
– Methods for authenticating to eDir, e.g. smartcards, certificates
• Additional method from Novell, allowing authentication to eDir using Kerberos tickets
• Works with various Kerberos v5 KDCs
• Requires NMAS Server v2.2.0 or above
• Requires Windows 98SE, NT4, 2000 or XP
• Requires Client 4.83 or above with NMAS
Installation and Configuration
[Slides 10 to 14: images only; no text recovered in this transcript.]
How it Works
• User provides username and context information
• NMAS client queries eDirectory for Kerberos principal name and realm
• NMAS client authenticates using KDC, acquiring TGT and eDir service ticket
• NMAS client presents service ticket to eDir
• NMAS server grants access to eDir services
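The five steps above as a runnable model, added here as an illustration and not Novell's NMAS code: tickets are modelled as claims plus an HMAC under the issuing key (standing in for Kerberos encryption, with pre-authentication omitted), so only the KDC can mint a TGT and only eDirectory can accept its own service ticket. The user-to-principal attribute name, the eDir service principal and the sample user are assumptions.

```python
import hashlib, hmac, json, secrets, time

REALM = "OX.AC.UK"
EDIR_SVC = f"ldap/edir.example.ox.ac.uk@{REALM}"   # hypothetical eDir service principal
TGS_SVC = f"krbtgt/{REALM}@{REALM}"

# Constructed sample data. The attribute name 'krbPrincipal' is hypothetical.
EDIR_USERS = {"bridget.oucs": {"krbPrincipal": f"bridget@{REALM}"}}
KDC_KEYS = {TGS_SVC: secrets.token_bytes(16), EDIR_SVC: secrets.token_bytes(16)}

def seal(key, claims):
    """Model a ticket as JSON claims plus an HMAC under the target service's key."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key, ticket):
    """Only the holder of the matching key can accept the ticket; expired ones are rejected."""
    body, tag = ticket.rsplit(b".", 1)
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest().encode(), tag):
        raise ValueError("ticket was not issued under this key")
    claims = json.loads(body)
    if claims["expires"] < time.time():
        raise ValueError("ticket expired")
    return claims

def lookup_principal(edir_user):
    """Step 2: the NMAS client asks eDirectory which Kerberos principal the user maps to."""
    return EDIR_USERS[edir_user]["krbPrincipal"]

def as_exchange(principal, renewable=False):
    """Step 3a: the KDC issues a TGT; not renewable by default, matching the caveat slide."""
    return seal(KDC_KEYS[TGS_SVC], {"client": principal, "service": TGS_SVC,
                                    "renewable": renewable, "expires": time.time() + 36000})

def tgs_exchange(tgt, service):
    """Step 3b: the KDC validates the TGT with the krbtgt key and issues a service ticket."""
    client = unseal(KDC_KEYS[TGS_SVC], tgt)["client"]
    return seal(KDC_KEYS[service], {"client": client, "service": service,
                                    "expires": time.time() + 36000})

def edir_accept(service_ticket):
    """Steps 4-5: eDir checks the ticket with its own key and returns the authenticated client."""
    claims = unseal(KDC_KEYS[EDIR_SVC], service_ticket)
    if claims["service"] != EDIR_SVC:
        raise ValueError("ticket is for a different service")
    return claims["client"]

def nmas_login(edir_user):
    """The whole NMAS Kerberos login, end to end: lookup, TGT, service ticket, acceptance."""
    principal = lookup_principal(edir_user)
    return edir_accept(tgs_exchange(as_exchange(principal), EDIR_SVC))
```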
Extras
• The Novl2mit utility will populate the MIT Kerberos client credential cache
• Unlocking a locked workstation obtains a new TGT and service ticket from the KDC
Demo
Caveats
• Only possible for services that use Client32
• Have not investigated authenticating to eDir and AD on the same workstation
• Tickets obtained are not renewable by default
Agenda
• Background
• Aims
• Technical Details
• Demo
• Caveats
• Futures
– OUCS
– Elsewhere
Kerberos in the Help Centre
[Diagram, current state: user registration terminal and Registration Server; Help Centre automated account creation in eDirectory (Netware) with an "Oxford" username and a generated password.]
Kerberos in the Help Centre
[Diagram, with Kerberos: user registration terminal and Registration Server; Oxford username mapped to a Kerberos principal; Windows obtains a TGT and service tickets from kdc0.ox.ac.uk / kdc1.ox.ac.uk in realm OX.AC.UK and makes service requests to eDirectory (Netware).]
Kerberos in Departments and Colleges
• Depends on individual circumstances
• Compromises may be required (Client32 limitation)
– Either by providing more limited services,
– Or by users maintaining two or more username/password combinations
Questions?
References
• Download from Novell (search for Kerberos)
– http://download.novell.com/
• Novell Documentation
– http://www.novell.com/documentation/nmaslm/treetitl.html
• OUCS Resources
– http://www.oucs.ox.ac.uk/webauth/
– http://users.ox.ac.uk/~pod/talks/itssc-webauth-krb5-2004-06-24/
– http://users.ox.ac.uk/~raym/talks/tssso.2004-01-26/
• General Kerberos Guides
– http://www.isi.edu/~brian/security/kerberos.html
– http://web.mit.edu/kerberos/www/
• University of Michigan
– http://www.umich.edu/~lannos/novell/kerberos.html