AD using an external Kerberos realm

Richard E. Silverman res at qoxp.net
Tue Feb 19 20:34:23 EST 2008


>>>>> "JE" == Jay Elvove <jay at umd.edu> writes:

    JE> Last month, a colleague of mine sent a message to the Windows
    JE> Higher Ed list asking about possible problems authenticating
    JE> certain Microsoft applications to an external KDC.  We're getting
    JE> ready to roll out our very first campus-wide Active Directory
    JE> environment, which will include Exchange 2007 and Microsoft
    JE> SharePoint Server (MOSS) 2007.  User accounts and other data will
    JE> be populated into AD using Microsoft Identify Lifecycle Manager
    JE> 2007.  The plan, which thus far has worked successfully in test,
    JE> is to store user passwords in our Heimdal KDC and force all
    JE> authentications to occur through the external KDC

Can you give more details about your setup?  I'm guessing that you have an
AD realm, a Heimdal realm, cross-realm trust at least of Heimdal by AD,
and that you have people choose the Heimdal realm when logging into
Windows.

    JE> Several key departments have voiced concerns over whether or not
    JE> web authentication to applications such as MOSS 2007, Outlook Web
    JE> Access (OWA) and Citrix will work using an external KDC.

If the setup is as above, you'll need to set the altSecurityIdentities
attribute on your AD accounts with the corresponding Kerberos principals
from your Heimdal realm, so that when AD receives a request for a service
ticket based on a TGT issued by Heimdal, it can return the appropriate PAC
in the ticket.  The Windows service to which you present the ticket needs
it.

    JE> We received a lot of good information from the Windows Higher Ed
    JE> list, but I thought it might be valuable to get feedback from the
    JE> folks who support external KDCs as well.  Are there any major
    JE> gotchas that those of us who support Kerberos or the Windows
    JE> community at large should be aware of?

There are plenty of other gotchas, unfortunately, although they may not
all apply to you.  A few that spring to mind:

* There are registry bits you need to set on Windows clients so that they
  will use an external realm, including features of the realm such as TCP
  support, trust for delegation, whether the client will use the DNS to
  locate KDCs, etc.  Some of these bits are not documented.

* Unix clients are responsible for determining the realm of a service
  host, and use static configuration or the DNS to do so.  Windows clients
  always assume a host is in the local AD realm, and rely on AD to return
  Kerberos referrals to redirect them.  On the other hand, these referrals
  must never be returned to Unix clients, which will not know how to
  handle them.  This issue applies if you're trying to access kerberized
  services in the Unix realm from Windows, e.g. an Apache server using
  mod_auth_kerb.

* Kerberos tickets including the PAC can get quite large, and some
  non-Windows services can't deal with them, either because they can't
  handle the size or they don't expect anything in the authorization field
  at all.  Cisco routers have problems with them, as does Apache /
  mod_auth_kerb (the latter problem can be fixed).  Some older Kerberos
  software can only do UDP, and so can't fall back on TCP to transfer 
  a big ticket which won't fit in a single UDP message.

    JE> Thanks,

    JE> Jay ----- Jay Elvove Distributed Computing Services University of
    JE> Maryland Office of Information Technology Computer & Space
    JE> Sciences Building Room 1301A College Park, MD 20742 jay at umd.edu

-- 
  Richard Silverman
  res at qoxp.net




More information about the Kerberos mailing list