Environment
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003
Situation
In a Kerberos realm administered by a Windows 2000 SP4 or Windows Server 2003 KDC (key distribution center), the Reflection Kerberos Client can be configured to use Windows login credentials. With this feature enabled, users are not prompted to re-enter their passwords when accessing Telnet or FTP servers within the realm.
Configuring the Reflection Kerberos Client to use this feature requires modification of certain settings in the Reflection Kerberos Client, the Kerberos Manager's Realm, and the Windows Active Directory. This technical note describes how to make these modifications.
Resolution
Note: Consider the following points before deciding to enable this feature.
- To enable this functionality, you must manually edit each Windows account (user or computer). Some of the settings can only be configured per account, not by group or policy.
- Before making changes to your security implementation, it is important to verify that these configuration changes do not violate your company's existing network security policies. In particular, this configuration relies on single DES (56-bit keys), which is deprecated for Kerberos use (RFC 6649) and is disabled by default on current Windows releases, and the optional pre-authentication change described below exposes the affected accounts to offline password guessing.
Changes to Reflection Kerberos Client
Follow the steps below to configure the Reflection Kerberos Client.
- Start the Kerberos Manager and log in to your realm.
- Click Configuration, and then click Configure Realms.
- Select your realm from the Realm list, and then click Properties.
- Enable Use Windows logon credentials.
- Click the Realms Defaults tab.
- In the Pre-Authentication drop-down box, select Encrypted timestamp.
Note: If "Do not require Kerberos preauthentication" is enabled in the Active Directory Account options, set Pre-Authentication to None. For further details, see Configure Accounts to Use DES Encryption.
- Click Configure Encryption Type.
DES_CBC_MD5 must appear at the top of the Requested KDC encryption types list. If it is not, use the Up button to move DES_CBC_MD5 to the top of the list.
- Exit the Reflection Kerberos Manager.
Reflection Kerberos Manager settings can be saved to a realm configuration export file (Rsckrb5.xml), which can then be deployed and automatically loaded on user systems.
Changes to the Windows Active Directory
For Kerberos to work in this manner, you must make changes in the Windows Active Directory. You must configure the accounts to use DES encryption and configure the application server keys for any non-Windows systems.
Configure Accounts to Use DES Encryption
To configure user accounts to use DES encryption, perform the following steps on each account. The setting is an account option (a flag in the account's userAccountControl attribute), so it is applied per user or computer object rather than through group membership.
- Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Select a user or computer account, right-click it, and then click Properties.
- Click the Account tab.
- In the Account options scroll box, enable Use DES encryption types for this account.
Note: If you do not want to require pre-authentication before issuing a TGT (ticket granting ticket), you will also need to enable "Do not require Kerberos preauthentication" for each user. However, enabling this setting decreases the security of your Kerberos configuration: without pre-authentication the KDC returns an AS-REP encrypted under the account's key to anyone who asks for it, which allows the account's password to be guessed offline. Leave pre-authentication required unless a client genuinely cannot perform it.
Configure Application Server Keys in Active Directory Users and Computers
This section discusses configuration changes that must be made to each of your kerberized application server hosts. For more information, see Microsoft's "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability" at http://technet.microsoft.com/en-us/library/bb742433.aspx.
You will need to make each of the following changes.
- In the Windows Active Directory structure, add the host server principals as user accounts (one per host). You may also need to add ftp service principals. Configure these server principals for DES encryption.
For details, see Configure Accounts to Use DES Encryption (above).
- Map the host server principals to the service principal names required by the UNIX hosts.
For details, see Map Windows and UNIX Service Principal Names (below).
- Extract the host service key tables (keytab files).
For details, see the Microsoft "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability".
- Securely propagate these keytab files to the appropriate hosts. A keytab holds the host's long-term key, which is equivalent to its password: transfer it only over an encrypted channel, restrict the file on the host to root, and regenerate it if it is ever exposed.
For details, see the Microsoft "Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability".
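As an added example (not part of this technical note or of Microsoft's guide), the following Python script parses a keytab in the MIT version-2 format that ktpass writes and checks, before the file is copied to the host, that it contains an entry for the expected host principal, that the entry carries a DES_CBC_MD5 key (the type the Reflection client requests first), and that the DES key has correct parity and is not one of the known weak keys. The keytab bytes it inspects are constructed inline by the script's own build_keytab helper using the note's bluebell host and W2K.MYCOMPANY.COM realm; no real extraction is performed, and the key value is made up for the example.

```python
"""Added example: inspect a ktpass-style keytab before propagating it.
Not from the Reflection technical note or Microsoft's guide; the keytab
bytes are constructed below, not extracted from a real KDC."""
import struct

# Kerberos encryption-type numbers (RFC 3961 / RFC 3962 / RFC 4757)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 3, 23
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}

# DES weak and semi-weak keys (FIPS 74 / RFC 3961 section 6.2). A keytab
# holding one of these is unusable and points at a broken key generator.
WEAK_DES_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1")}


def des_parity_ok(key: bytes) -> bool:
    """Every byte of a DES key must have odd parity (the low bit is the parity bit)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string, returning (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse an MIT version-2 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:               # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "enctype": enctype, "key": key, "kvno": vno})
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, enctype, key, kvno) tuples as a v2 keytab.
    Used here only to construct sample data; ktpass does this for real."""
    out = bytearray(b"\x05\x02")
    for realm, comps, enctype, key, kvno in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, expected_principal: str, required_enctype: int = DES_CBC_MD5) -> list:
    """Return a list of problems; an empty list means the keytab can be deployed for
    the given host principal with the enctype the Reflection client requests first."""
    problems = []
    matching = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    if not matching:
        return [f"no entry for {expected_principal}"]
    if not any(e["enctype"] == required_enctype for e in matching):
        have = ", ".join(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matching)
        problems.append(f"no {ENCTYPE_NAMES[required_enctype]} key (found: {have})")
    for e in matching:
        if e["enctype"] in (DES_CBC_CRC, DES_CBC_MD5):
            if not des_parity_ok(e["key"]):
                problems.append(f"DES key for kvno {e['kvno']} has bad parity")
            if e["key"] in WEAK_DES_KEYS:
                problems.append(f"DES key for kvno {e['kvno']} is a known weak key")
    return problems


# Constructed sample: what a correct extraction for the note's host would contain
# (the key value is invented for the example).
HOST_PRINCIPAL = "host/bluebell.mycompany.com@W2K.MYCOMPANY.COM"
SAMPLE_KEYTAB = build_keytab([(b"W2K.MYCOMPANY.COM", [b"host", b"bluebell.mycompany.com"],
                               DES_CBC_MD5, bytes.fromhex("4a9bc825e916d37c"), 2)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']} kvno={e['kvno']} {ENCTYPE_NAMES.get(e['enctype'])}")
    print("problems:", check_keytab(SAMPLE_KEYTAB, HOST_PRINCIPAL) or "none")
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to check_keytab together with the principal you mapped in Active Directory; the same principal string can be compared against the output of klist -k on the UNIX host after the file has been copied there.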
Map Windows and UNIX Service Principal Names
Follow the steps below to map Windows accounts to the UNIX required service principal names.
Note: This setting can only be configured per account, not by group or policy.
- Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Select a host account, right-click, and then click Name Mappings.
- Click the Kerberos Names tab.
- Click Add.
- Add the Kerberos principal name in the case-sensitive Kerberos format host/computer.domain.com or ftp/computer.domain.com, and then click OK.
For example, for a host named bluebell whose DNS name is bluebell.mycompany.com, the host principal name is host/bluebell.mycompany.com.
Given a Windows domain named W2K whose Kerberos realm is W2K.MYCOMPANY.COM, the full host principal is host/bluebell.mycompany.com@W2K.MYCOMPANY.COM. The service and host name parts must match exactly what the UNIX host uses for itself, because the mapping is case sensitive.
- Click OK.
Additional Information
Additional information about Microsoft's implementation of the Kerberos protocol can be found on the Microsoft web site. Search the Microsoft TechNet site, http://search.technet.microsoft.com/, for Windows Kerberos Authentication or Windows Kerberos Interoperability for detailed information.