Kerberos Implementation in a distributed Windows environment

sanford.sham at accenture.com
Fri Oct 10 16:12:26 EDT 2003


That's correct, and is one of the proposed solutions. However, that would
make the system not very scalable, and also makes it harder to maintain. I
was just wondering what people think about this... is there another
way?

Thanks

Regards
Sanford
_______________________________

Sanford Sham
Accenture
Melbourne - 360 Elizabeth Street
Direct dial: +61 3 9838 8429
VPN & Octel: 286/8429
Fax: +61 3 9838 7100
email: sanford.sham at accenture.com



From: Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK>
To: Sanford Sham/Internal/Accenture at Accenture, kerberos at mit.edu
cc:
Subject: RE: Kerberos Implementation in a distributed Windows environment
Date: 10/10/2003 03:55 PM



Sanford,


Is it possible for you to use a unique Kerberos principal for each service
on the EAI boxes ? This would avoid replay attack detection issues.


Thanks, Tim.


-----Original Message-----
From: sanford.sham at accenture.com [mailto:sanford.sham at accenture.com]
Sent: 08 October 2003 00:52
To: kerberos at mit.edu
Subject: Re: Kerberos Implementation in a distributed Windows environment


Hi


I'm just writing to ask a question, currently related to my project.


We are trying to implement Kerberos security in our distributed Windows
environment. We have more than one dedicated Windows 2k box (let's
call them EAI boxes) that are used to communicate with WebSphere servers,
using Kerberos tickets etc.


We have more than one EAI box online at any given time. All the NT
services are hosted under the same Windows domain account. Basically, it's
as if the same domain account is used to host multiple services, on
multiple machines.


The problem comes when simultaneous transactions are conducted. Let's say
all EAI boxes fire transactions to the same WebSphere services at the
same time. Since they are hosted by the same domain account, the user that is
seen on the Kerberos ticket is the same. Also, since they are fired at the
same time, the timestamp is the same (or very close). Therefore, after
receiving the first transaction, WebSphere rejects all subsequent
transactions on the basis of duplicate Kerberos tickets being sent (or
replay).


Microsoft says that there is nothing they can do to fix this. They argue
that the standard specifies that only [Client Id, Timestamp] is used in the
authenticator, and they would not modify this to make the authenticator
more unique.


Can you provide a view on this? Thanks very much for your help.


Regards
Sanford





This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information.  If you have
received it in error, please notify the sender immediately and delete the
original.  Any other use of the email by you is prohibited.


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos








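The collision described in the thread, modelled as an added example (this is not code from the thread, from Microsoft, or from WebSphere): a server-side replay cache keyed on (client principal, ctime, cusec), the triple RFC 4120 section 3.2.3 says an application server must remember for authenticators inside the clock-skew window. Three EAI hosts build an AP_REQ at the same instant; the model shows the second and third being rejected as repeats when they share one account, and accepted when each host has its own principal (Tim's suggestion) or when their microsecond fields happen to differ. The hostnames, principal names, realm and timestamps are constructed for illustration.

```python
"""
Minimal model of a Kerberos application server's replay cache
(RFC 4120, section 3.2.3). Not MIT, Microsoft or WebSphere code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)  # typical default acceptable skew


@dataclass(frozen=True)
class Authenticator:
    cname: str       # client principal, e.g. "eaisvc@EXAMPLE.COM" (constructed)
    ctime: datetime  # client time, whole seconds on the wire
    cusec: int       # microsecond part of the client time, 0..999999


class ReplayCache:
    """Server-side cache of recently accepted authenticators."""

    def __init__(self, skew: timedelta = CLOCK_SKEW) -> None:
        self.skew = skew
        self._seen: dict[tuple[str, datetime, int], datetime] = {}

    def _expire(self, now: datetime) -> None:
        # Entries outside the skew window would fail the skew check anyway,
        # so the cache only has to remember the last few minutes.
        for key, ctime in list(self._seen.items()):
            if now - ctime > self.skew:
                del self._seen[key]

    def accept(self, auth: Authenticator, now: datetime) -> str:
        """Return 'OK' or the Kerberos error name the server would send."""
        self._expire(now)
        if abs(now - auth.ctime) > self.skew:
            return "KRB_AP_ERR_SKEW"
        # RFC 4120 3.2.3: the cache key is client name, time and microsecond.
        key = (auth.cname, auth.ctime.replace(microsecond=0), auth.cusec)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = auth.ctime
        return "OK"


def simulate(principals: list[str], fire_at: datetime) -> list[str]:
    """One service-side cache receiving one AP_REQ per principal, all built
    at the same instant (identical ctime and cusec)."""
    cache = ReplayCache()
    ctime, cusec = fire_at.replace(microsecond=0), fire_at.microsecond
    return [cache.accept(Authenticator(p, ctime, cusec), fire_at) for p in principals]


def simulate_staggered(principal: str, fire_at: datetime, count: int) -> list[str]:
    """Same principal on every host, but each host's clock read differs by
    one microsecond, so the cache keys no longer collide."""
    cache = ReplayCache()
    ctime = fire_at.replace(microsecond=0)
    return [
        cache.accept(Authenticator(principal, ctime, fire_at.microsecond + i), fire_at)
        for i in range(count)
    ]


# Constructed scenario: three EAI boxes fire at the same instant.
T0 = datetime(2003, 10, 8, 0, 52, 0, 123456, tzinfo=timezone.utc)

# All NT services run under one domain account, so every authenticator
# carries the same client principal.
SHARED = ["eaisvc@EXAMPLE.COM"] * 3

# One principal per host: the replay-cache key differs even when the
# timestamps collide.
UNIQUE = [f"eai/eai{n}.example.com@EXAMPLE.COM" for n in (1, 2, 3)]


if __name__ == "__main__":
    print("shared account:    ", simulate(SHARED, T0))
    print("unique principals: ", simulate(UNIQUE, T0))
    print("shared, cusec differs:", simulate_staggered(SHARED[0], T0, 3))
```

The model deliberately uses only the fields the authenticator already carries, which is the point Sanford attributes to Microsoft: nothing else in the authenticator distinguishes two EAI boxes, so uniqueness has to come from the client principal (one per host or per service) or from the hosts not producing the same microsecond value.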


