Windows 2000 Kerberos Interoperability

Transcript of a PowerPoint presentation by Paul Hill (Co-Leader, Kerberos Development Team, MIT) and John Brezak (Program Manager, Windows 2000 Security, Microsoft Corporation). Outline: history, Windows 2000 implementation, interoperability scenarios.

Windows 2000 Kerberos Interoperability

Paul Hill
Co-Leader, Kerberos Development Team
MIT

John Brezak
Program Manager
Windows 2000 Security
Microsoft Corporation

Windows 2000 Kerberos Interoperability
History
Windows 2000 implementation
Interoperability scenarios

Some History

Kerberos developed at MIT as part of Project Athena
Funded by Digital and IBM
Freely available source that allows derivative commercial work
Change control given to IETF
Based on research by Schroeder and Needham
  Needham now a Microsoft Research employee

MIT’s Goals

Provide a solution that nobody else was addressing at the time
Convince others that security is important
Get vendors to adopt Kerberos so that we could purchase secure systems
Have we succeeded beyond our expectations?

Commercial Support

Many vendors have come and gone
  GZA / Open Vision / Veritas
  Cygnus
  Sun
  IBM
  SGI
  OSF DCE
  CyberSafe
  Microsoft

Integration

Operating systems have shipped with Kerberos but not used it as the default authentication mechanism
OS vendors shipping Kerberos have not provided applications or services that are integrated with it
Microsoft is changing this
  Default authentication
  Application support
  Using it to secure other infrastructure

What Is Kerberos

Kerberos IV currently deployed in many universities (many Kerberized applications for Unix)
Kerberos IV used in the Andrew File System (AFS)
Kerberos IV had design flaws leading to Kerberos version 5
Kerberos v5 is a standard (RFC 1510)
Kerberos IV and Kerberos 5 do not interoperate!
Bones and eBones (Kerberos IV)
Win2000 implements Kerberos v5

Windows 2000 Kerberos

Every Domain Controller is a KDC
Active Directory is the administrative interface, via LDAP
Programmer's interface is SSPI (similar to GSSAPI); no krb5 APIs
DNS domain and Kerberos realm names are identical (except for case)
Also provides the authorization service for the Windows NT security model

Windows 2000 Kerberos Implementation

Locates KDC via DNS
DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
RC4-HMAC preferred enctype (56/128-bit keys)
Does not support MD4 checksum type
No support for DCE-style cross-realm trust
Postdated tickets (not implemented)
Structured service naming conventions
PKINIT

Windows 2000 Kerberos Standards

RFC 1510 (+ parts of Kerberos-revisions I-D)
Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt

Kerberos Authorization Data

Kerberos protocol supports authorization data in tickets
  Examples: DCE and Sesame architectures
Revision to RFC 1510
  Clarifications on client-supplied and KDC-supplied data
  Submitted by Ted Ts’o, Clifford Neuman
Interoperability issues are minimal
  Windows 2000 auth data is ignored by UNIX implementations

Authorization Data

What is the client allowed to do?
Based on Windows 2000 group membership
Identified by Security IDs (SIDs) in the NT security architecture
Windows 2000 KDC supplies auth data in tickets
  At interactive logon (AS exchange): user SID, global and universal group SIDs
  At session ticket request (TGS exchange): domain local group SIDs

Negotiate Package

Special SSP to select an authentication package
Windows 2000 logo requirement
Implementation of SPNEGO (RFC 2478)
Tries up-level SSPs (Kerberos)
Falls back to down-level SSPs (NTLM)
Selection of up-level SSP based on SPN

Kerberos Interoperability Scenarios

Windows 2000 domain without a Microsoft KDC
Kerberos clients in a Win2000 domain
Kerberos servers in a Win2000 domain
Standalone Win2000 systems in a Kerberos realm
Using a Kerberos realm as a resource domain
Using a Kerberos realm as an account domain

Windows 2000 Domain Without A Microsoft KDC

Not a supported scenario
Windows 2000 domain security model depends on authorization
Microsoft KDC is tightly integrated with Active Directory
Support for down-level services (NTLM)

Standalone Windows 2000 Computers

A dorm student has a Win2000 computer that they want to use with the University’s Kerberos realm
Configure system as standalone (no domain)
Use Ksetup to configure the realm
Use Ksetup to establish the local account mapping
Logon to Kerberos realm

(Diagram: a Windows 2000 workstation and a Linux KDC in MIT.REALM.COM)
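The standalone-workstation procedure above, as an added example that is not part of the original slides: the ksetup commands typed at an elevated PowerShell (or cmd) prompt on the workstation. The realm MIT.REALM.COM comes from the slide; the KDC host names, the principal student@MIT.REALM.COM, the local account name and every password are assumptions chosen for illustration.

```powershell
# Added example (not from the original slides): joining a standalone
# Windows workstation to an MIT Kerberos realm with ksetup. Realm from
# the slide; KDC hosts, principal, local account and passwords assumed.
$Realm = "MIT.REALM.COM"

# 1. Tell the workstation which realm it belongs to. The machine stays
#    standalone (no domain join); the realm name is upper case.
ksetup /setdomain $Realm

# 2. Name the realm's KDCs and the kpasswd server explicitly, so the
#    workstation does not depend on DNS SRV records the realm may not publish.
ksetup /addkdc $Realm kdc1.mit.realm.com
ksetup /addkdc $Realm kdc2.mit.realm.com
ksetup /addkpasswd $Realm kdc1.mit.realm.com

# 3. Set the workstation's key so it can decrypt the host ticket issued
#    at logon. The value must equal the password of the principal
#    host/<workstation fqdn>@MIT.REALM.COM, assumed already created on
#    the MIT KDC with kadmin.
ksetup /setcomputerpassword "machine-secret-from-kadmin"

# 4. Map the realm principal to a local account. Windows needs a local
#    SID to build the logon token from; the account's own password is
#    never used for the Kerberos logon, so it is set to a random value.
net user studentlocal "Unused-Random-Local-Pass-1" /add
ksetup /mapuser "student@MIT.REALM.COM" studentlocal

# 5. Review the stored configuration, then reboot and log on as
#    student@MIT.REALM.COM, choosing the realm in the logon dialog.
ksetup
```

ksetup also accepts `/mapuser * *`, which maps every realm principal to a local account of the same name; that is convenient on a shared lab machine but gives any realm user who can get a ticket a logon on the box, so the explicit one-to-one mapping shown is the safer default.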

Using Kerberos servers

Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
/etc/krb5.conf on database server
Create service account in domain
Use ktpass to export a keytab
Copy keytab to database server
IIS server is trusted for delegation

(Diagram: a Windows 2000 workstation, a Windows 2000 IIS server and a Unix database server in nt.company.com)
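The keytab procedure above, as an added example that is not part of the original slides: the service-account and ktpass steps run on a domain controller of nt.company.com with the Support Tools installed, plus the /etc/krb5.conf the database server needs, written here as a PowerShell here-string so that both files can be shipped to the Unix host together. The service name db, the host dbsrv.nt.company.com, the account dbsrv-svc, the NetBIOS domain name NT, the KDC host names and all passwords are assumptions.

```powershell
# Added example (not from the original slides): publishing a Unix
# service's Kerberos key from a Windows 2000 domain. Domain name from the
# slide; service name, host, account, NetBIOS name and passwords assumed.

# 1. Create a domain user to stand in for the Unix service. It never
#    logs on interactively; its only job is to hold the service key.
net user dbsrv-svc "Initial-Random-Pass-1" /add /domain

# 2. Map the service principal onto the account and write its key to a
#    keytab. /pass resets the account password and the DES key is derived
#    from it, so the value is random and discarded after this step.
#    DES-CBC-MD5 is the interoperability enctype the slides list.
ktpass /princ db/dbsrv.nt.company.com@NT.COMPANY.COM `
       /mapuser "NT\dbsrv-svc" `
       /pass "Random-Pass-Discard-After-Use" `
       /crypto DES-CBC-MD5 `
       /ptype KRB5_NT_PRINCIPAL `
       /out .\dbsrv.keytab

# 3. krb5.conf for the database server: the DNS domain maps to the realm
#    (same name, upper case) and the domain controllers are the KDCs.
#    Both files are then copied to the Unix host over a protected channel
#    (scp, for example); the keytab is installed readable only by the
#    service account that owns the database process.
@"
[libdefaults]
    default_realm = NT.COMPANY.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    dns_lookup_kdc = true

[realms]
    NT.COMPANY.COM = {
        kdc = dc1.nt.company.com:88
        kdc = dc2.nt.company.com:88
        admin_server = dc1.nt.company.com
    }

[domain_realm]
    .nt.company.com = NT.COMPANY.COM
    nt.company.com = NT.COMPANY.COM
"@ | Set-Content -Path .\krb5.conf -Encoding ascii
```

The keytab is credential-equivalent to the service account's password, which is why it travels over a protected channel and sits with restrictive permissions on the Unix side. DES is a 56-bit key; later Windows releases and MIT Kerberos both support AES enctypes, which should be preferred wherever both ends have them. The final slide step, marking the IIS server as trusted for delegation, is what lets the front end obtain a database ticket on the browsing user's behalf; in Windows 2000 that is unconstrained delegation, so the server can impersonate the user to any service in the domain, and the setting belongs only on tightly controlled hosts.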

Using Unix KDCs With Windows 2000 Authorization

(Diagram: a Win2000 Professional client in COMPANY.REALM, served by an MIT KDC, and a Windows 2000 Server in nt.company.com, served by a Windows 2000 KDC. Steps: 1 TGT; 2 TGT, with name mapping to NT account; 3 ticket; 4 ticket with NT auth data.)

Kerberos Realm As A Resource Domain

Realm contains service principals for Unix-based services
Service does name-based authorization

(Diagram: a Unix server in MIT.REALM.COM and a Win2000 user in win2k.domain.com; the realm trusts domain users)

Kerberos Realm As An Account Domain

User logon with Kerberos principal
User has shadow account in an account domain (for applying authz)
Mapping is used at logon for domain identity

(Diagram: a user principal in MIT.REALM.COM, shown as [email protected] in the source, logs on; realms MIT.REALM.COM and win2k.domain.com; the domain trusts realm users; the realm principal is mapped to a domain account, shown as [email protected] ([email protected]).)

Using A Kerberos Realm As An Account Domain

Requires shadow accounts in domain
Requires synchronized passwords so that NTLM can work
Have a sample that shows account sync with MIT Kerberos realm
CyberSafe is adding this capability with password sync to TrustBroker
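The account-domain scenario of the two slides above (and the name mapping in the Unix-KDC diagram), as an added example that is not part of the original slides: the domain side of the realm trust and a shadow account mapped to a realm principal, run on a domain controller of win2k.domain.com. netdom and ksetup are the Support Tools commands of the period; the ActiveDirectory-module cmdlets used for the shadow account are the later scripted equivalent of the Name Mappings dialog in Active Directory Users and Computers. The KDC host name, the user jsmith and all passwords are assumptions.

```powershell
# Added example (not from the original slides): an MIT realm as an
# account domain for a Windows domain. Domain and realm names from the
# slides; KDC host, user name and passwords assumed.
$Domain = "win2k.domain.com"
$Realm  = "MIT.REALM.COM"

# 1. One-way trust: the domain (trusting) trusts the realm (trusted), so
#    realm principals can be issued tickets for domain resources.
#    /PasswordT is the shared cross-realm key; it must equal the password
#    of krbtgt/WIN2K.DOMAIN.COM@MIT.REALM.COM created on the MIT KDC.
netdom trust $Domain "/Domain:$Realm" /add /realm "/PasswordT:cross-realm-secret"

# 2. Tell the domain where the realm's KDC is; the realm publishes no
#    SRV records the domain controllers could use to locate it.
ksetup /addkdc $Realm kdc1.mit.realm.com

# 3. Shadow account: a domain user that carries the SIDs used for
#    authorization. Its Kerberos identity comes from the mapping in
#    altSecurityIdentities; its own password is not used for Kerberos
#    logon and only matters if down-level (NTLM) clients must also work,
#    which is the password-synchronisation case the slides mention.
New-ADUser -Name "jsmith" -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@$Domain" -Enabled $true `
    -AccountPassword (ConvertTo-SecureString "Random-Unused-Pass-1" -AsPlainText -Force)
Set-ADUser -Identity "jsmith" -Add @{ altSecurityIdentities = "Kerberos:jsmith@$Realm" }

# 4. Confirm the mapping before testing a logon as jsmith@MIT.REALM.COM.
Get-ADUser -Identity "jsmith" -Properties altSecurityIdentities |
    Select-Object SamAccountName, altSecurityIdentities
```

The MIT side of the trust is a principal named krbtgt/WIN2K.DOMAIN.COM@MIT.REALM.COM created with kadmin using the same password as /PasswordT; the two keys must agree, enctype included, or cross-realm TGS requests fail. For the resource-domain slide the direction reverses: the realm is the trusting party (netdom trust MIT.REALM.COM /Domain:win2k.domain.com ...), the matching MIT principal is krbtgt/MIT.REALM.COM@WIN2K.DOMAIN.COM, and the Unix service authorizes by principal name, as the slide says, because it sees no Windows SIDs.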

Microsoft And The IETF CAT WG

Significant contributions in the standards
Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
Extension to Kerberos V5 For Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
The Simple and Protected GSS-API Negotiation Mechanism (RFC 2478)

Kerberos Interoperability

Windows 2000 Kerberos is interoperable with other popular versions
Interoperability is regularly tested
Customer-driven interoperability scenarios
Push and enrich the Kerberos standards

For Additional Information

Web sites:
Windows 2000 Kerberos Authentication: www.microsoft.com/windows/server/Technical/security/kerberos.asp
Windows 2000 Kerberos Interoperability Whitepaper: http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.asp
MIT Kerberos 5 Interoperability walk-through: http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp
Compaq White Paper “Windows 2000 Authentication: under the hood”: www.compaq.com/activeanswers (Windows 2000 section)
CyberSafe ActiveTrust: www.cybersafe.com (Interop with Win2000 Active Directory and Kerberos Services)
msdn.microsoft.com/library/techart/kerberossamp.htm