citrix authentication with MIT KDC ?

Lara Adianto m1r4cle_26 at yahoo.com
Tue Aug 24 22:01:42 EDT 2004


Hello,

Has anyone ever tried testing Citrix MetaFrame XP Presentation Server 3.0 authentication to an MIT KDC? What I mean is the pass-through authentication, which actually depends on Windows Kerberos. Is it possible for a user to use his/her external realm credential instead of his/her credential in AD? I don't want to store users' credentials in AD.

We have done Windows machine authentication using MIT KDC, and would like to do so with Citrix...if it's possible.
 
Thanks,

	lara


------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one believes
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
		
From greg at server1.hurderos.com Tue Aug 24 22:06:11 2004
From: g.w at hurderos.org
Date: Tue, 24 Aug 2004 21:05:27 -0500
To: Sam Hartman <hartmans at MIT.EDU>, Lukas Kubin <kubin at opf.slu.cz>
cc: kerberos at mit.edu
Subject: Re: UI for Kerberos accounts administration
In-Reply-To: Sam Hartman <hartmans at MIT.EDU>
       "Re: UI for Kerberos accounts administration" (Aug 23,  8:01am)

On Aug 23,  8:01am, Sam Hartman wrote:
} Subject: Re: UI for Kerberos accounts administration

Good evening to everyone, hope that the week is going well for everyone.

> >>>>> "Lukas" == Lukas Kubin <kubin at opf.slu.cz> writes:
> 
>     Lukas> Do the K5 enabled sites administer accounts this way?
> 
> Many do.
> 
> Sites like MIT and CMU have administration servers that accept
> requests for account creation, update, etc from support staff and
> proxy them to the administration services.
> 
> These systems tend to be database backed, very complicated, fairly
> custom, and under-documented.  Some of them are semi-public in that
> the sources are available and the license is reasonable.  If you
> managed to find the sources and get it all working you could use it.  
> 
> You might take a look at http://www.hurderos.org/ I think that their
> focus is somewhat different but that they may end up solving some of
> the same usability problems you're looking at.

Hurderos actually traces its roots back to one of those database
backed, very complicated, very custom and severely under-documented
systems.... :-) A lot of the thought and design that has gone into it
was motivated by what it would take to provide a generically useful
tool for managing a merged LDAP/Kerberos infrastructure.

In a larger sense Hurderos is about the notion that everything in
information delivery starts with and derives from the notion of
creating secure intrinsic identities.  The concept of services being a
natural outgrowth of this design predicate means that things like
provisioning Kerberos accounts falls out in sort of a natural fashion.

Lukas if you are interested in a more graphical approach to managing
Kerberos accounts I would grab the current sources and consider
building on top of that.  There is a lot of fairly basic
infrastructure that you would find useful.  Most notably a reasonably
functional GUI that uses GSSAPI to create a secured context for
administrative access.

Just a quick final comment about handling credentials to authenticate
to kadmind for managing the database.  The dirty little secret about
this whole business is that there is always a dirty little secret.
Since the Trusted Computing Base for an enterprise is dependent on
this particular dirty little secret, managing it securely is an
important issue.

The code drop after the one coming out in the next day or so should
have support for encrypted keytabs in ISME (the administrative
application).  The initial model will involve entering the decryption
key into ISME when it starts.  This will allow ISME to decrypt the
keytab and obtain short-lived credentials which are passed on to the
Service Provisioning Layer to authenticate the administrative
transaction with the KDC.

This should help minimize the threat of a compromised application
server leading to a compromise of the authentication database.  Unlike
the KDC, ISME doesn't need to be running 24x7 in order to keep a shop
on the air.  That lessens the need for something like a key-stash file
which essentially minimizes the utility of having an encrypted
authentication database.

We have a file transfer primitive built into the ISME-XML protocol.
Down the road the vision is to support public-key based encryption of
the administrative keytabs.  This would allow an organization to
impose a two-factor authentication requirement for certain security
sensitive operations such as changing or modifying authentication
identities.

> --Sam

Best wishes for a productive week to everyone.

}-- End of excerpt from Sam Hartman

As always,
GW
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

