Transcript of SEC400 UNIX & Kerberos Interop to Achieve Identity Management, David Mowers, Program Manager, Microsoft Security Solutions (33 slides)

Page 1:

SEC400: UNIX & Kerberos Interop to Achieve Identity Management

David Mowers, Program Manager, Microsoft Security Solutions

Page 2:

Agenda

Identity and Access Management (I&AM) issues
How Kerberos interop solves an identity management problem
Interop standards and technologies
Scenario & demos:
  *NX/AD Kerberos sign-on
  *NX/AD Kerberos SSO
  Authentication vs authorization
  Secure SSO and authorization

Page 3:

Snapshot of I&AM Issues

BDM
  Complex identity infrastructure costs money
  Complex identity infrastructure is hard to extend to new business processes
  You invested in AD, what next?

IT Pro
  How to centralize management of security principals?
  How to apply AD security policy to *NX accounts?

Developer
  Too many authentication mechanisms to choose from
  How to protect application data?
  Leverage a centralized authorization store

User
  Multiple user accounts
  Entering credentials multiple times

Page 4:

How Kerberos 5 Interop Helps to Solve I&AM Issues

IT Pro
  All users are managed in Active Directory
  AD has strong user policy enforcement
  User passwords safe in AD

Developer
  Kerberos 5 available on most enterprise platforms
  Secure authentication
  Protect application data
  AD is single source of authorization data

User Experience
  Authentication based on one user account in AD
  Transparent authentication to applications (SSO)

Page 5:

Kerberos

[Diagram: Kerberos on Linux and Windows, side by side]

Linux: Login -> pam_krb5 -> Kerberos (MIT de facto) -> credential (ticket) cache; applications call GSSAPI; service principal key table (keytab); command-line tools kinit, klist, kdestroy, kpasswd (MIT de facto).

Windows: GINA (login) -> LSA -> Kerberos -> default credential (ticket) cache; applications call SSPI; default service principal key table.

KDC, used by both sides: RFC 1510; AS - Authentication Service; TGS - Ticket Granting Service; CPW - Change password service (MIT de facto).

Page 6:

Kerberos configuration the hard way

Step 1: Create UNIX user accounts in Active Directory
Step 2: Create UNIX workstation accounts in Active Directory
Step 3: Create keytab files for the UNIX workstations (the host key in the keytab is also what lets pam_krb5 verify the TGT it obtains against the real KDC rather than a spoofed one)
Step 4: Install the keytab file on the UNIX workstation
Step 5: Configure the pam.conf file
Step 6: Configure the krb5.conf file

Page 7:

Creating the keytab file

ktpass -princ host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM -mapuser Solaris_Workstation_Name -pass password -out Solaris_Workstation_Name.keytab

Page 8:

It worked…

Targeting domain controller: GRNCDC01.na.corp.contoso.com
Successfully mapped host/Solaris_Workstation_Name.na.corp.contoso.com to Solaris_Workstation_Name.
Key created.
Output keytab to Solaris_Workstation_Name.keytab:
Keytab version: 0x502
keysize 79 host/Solaris_Workstation_Name.na.corp.contoso.com@NA.CORP.CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0e9bd5da314f5bad)
Account Solaris_Workstation_Name has been set for DES-only encryption.

Note that ktpass echoes the raw key: a keytab whose key has been shown on a screen or mailed around should be treated as compromised and regenerated (running ktpass again with a new -pass sets a fresh key and increments the vno, which invalidates the old keytab).

Page 9:

Using the keytab file

Securely transfer the keytab file from the DC to the client (it holds the host's long-term key; keep it readable by root only)

Use ktutil to import the file:
  At the ktutil: prompt, type rkt Solaris_Workstation_Name.keytab
  At the ktutil: prompt, type wkt /etc/krb5/krb5.keytab
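The ktpass and ktutil slides above show the keytab being created and imported, but not how to confirm what actually landed in /etc/krb5/krb5.keytab. The script below is an added example, not ktpass, ktutil or anything from the deck: it parses the MIT keytab format that ktpass writes (the 0x502 version the ktpass output reports), lists principal, kvno and enctype per entry, and makes the two checks worth doing after the import: that the host/<fqdn> principal for this machine is present, since that key is what pam_krb5 validates tickets with, and that no key uses single DES. The sample keytab bytes, the hostname solaris1.na.corp.contoso.com and the key value are constructed for the example.

```python
"""Parse an MIT-format keytab (what ktpass writes, version 0x0502) and make
the checks worth doing after the ktutil import: principal name, kvno and
enctype.  Added example, not ktpass/ktutil code.  SAMPLE_KEYTAB is
constructed here with a throwaway key, not captured from a DC."""
import struct

# RFC 3961 enctype numbers; single DES (1-3) is what 2003-era AD interop used.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}

def _counted(buf, pos):
    """uint16 length followed by that many bytes (keytab counted octet string)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return a list of entry dicts from keytab bytes (version 0x0502 only)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", entry, p)
        p += 4
        key = entry[p:p + keylen]
        p += keylen
        # An optional trailing 32-bit kvno overrides the 8-bit field.
        vno = struct.unpack_from(">I", entry, p)[0] if p + 4 <= size else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno, "enctype": enctype,
                        "key": key, "timestamp": timestamp})
        pos += size
    return entries

def build_keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one v2 entry (the inverse of parse_keytab) to build samples."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)     # 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def check_keytab(data, expected_fqdn, realm):
    """Return (ok, findings): the host/<fqdn>@<REALM> entry must be present,
    since pam_krb5 validates tickets with it, and no key may use a weak enctype."""
    findings, host_ok = [], False
    wanted = ("host/%s@%s" % (expected_fqdn, realm)).lower()
    for e in parse_keytab(data):
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
        if e["principal"].lower() == wanted:
            host_ok = True
    if not host_ok:
        findings.append("no %s entry; pam_krb5 cannot validate the TGT on this host" % wanted)
    return not findings, findings

# Constructed sample mirroring the slide: one DES-CBC-MD5 host key, kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "host/solaris1.na.corp.contoso.com@NA.CORP.CONTOSO.COM",
    kvno=3, enctype=3, key=bytes.fromhex("0123456789abcdef"))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES[e["enctype"]])
    print(check_keytab(SAMPLE_KEYTAB, "solaris1.na.corp.contoso.com", "NA.CORP.CONTOSO.COM"))
```

Run against a real /etc/krb5/krb5.keytab by reading the file into parse_keytab; the kvno reported must match the one in the ktpass output, otherwise the KDC will issue tickets the host cannot decrypt.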

Page 10:

Configure pam.conf

# Contoso's Kerberos Setup
#
# Authentication
#
other auth sufficient pam_krb5.so.1
other auth sufficient pam_unix.so.1 use_first_pass
#
# Password
#
other password optional pam_krb5.so.1 try_first_pass
other password required pam_unix.so.1
#
# Account
#
other account optional pam_krb5.so.1
#
# session
#
other session optional pam_krb5.so.1

Page 11:

Configure krb5.conf

[libdefaults]
    default_realm = NA.CORP.CONTOSO.COM
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    NA.CORP.CONTOSO.COM = {
        kdc = grncdc01.na.corp.contoso.com
        admin_server = grncdc01.na.corp.contoso.com
        kpasswd_protocol = SET_CHANGE
        kpasswd_server = grncdc01.na.corp.contoso.com
    }

[domain_realm]
    .na.corp.contoso.com = NA.CORP.CONTOSO.COM
    na.corp.contoso.com = NA.CORP.CONTOSO.COM
...

des-cbc-md5 is pinned here because single DES was the only enctype Windows 2000/2003 and the MIT/Solaris Kerberos libraries had in common. Single DES is broken and current Active Directory disables it for accounts by default; against Windows Server 2008 or later, list aes256-cts-hmac-sha1-96 (and aes128-cts-hmac-sha1-96) instead and create the keytab with an AES key.

Page 12:

Success!

Now that the *NX workstation is configured, a user can log on with an AD account and get Kerberos tickets
Use klist to see the TGT
The TGT is used to authenticate to apps
What's missing?
  AuthZ info and profile are still stored locally
  Use nss_ldap to obtain account authorization and profile information from AD
  Needs SFU or a similar schema extension
  Delete the local /etc/passwd entries for domain users (root and the system accounts stay local)
  What? No PAC?

Page 13:

[Diagram: LDAP on Linux and Windows, side by side]

Linux: login -> pam; nss_ldap -> LDAP API (OpenLDAP, iPlanet, ...) -> LDAP; applications call the LDAP API directly. Account profile pulled from AD: UID, GID, home directory, groups, ...

Windows: application -> ADSI (Active Directory Services Interface) -> LDAP -> Active Directory. Account profile: groups, tel #, office #, ...

Standards: LDAP (v3) - RFC 2251; LDAP C API - RFC 1823; LDAP search filters - RFC 2254.
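Slides 12 and 13 say that nss_ldap should pull the UNIX profile (UID, GID, home directory, groups) from AD through an RFC 2307-style schema extension, but they do not show the mapping or the checks it needs. The script below is an added example, not nss_ldap, SFU or Vintela code: it turns posixAccount and posixGroup entries into passwd and group lines and refuses the cases that turn a directory attribute into a local privilege escalation, a uidNumber in the local system range (uid 0 above all), a uidNumber that duplicates another account, or a loginShell off the allow list, and drops rejected accounts from group membership. The LDIF is constructed; attribute names follow RFC 2307 (uid, uidNumber, gidNumber, homeDirectory, loginShell, memberUid), whereas older SFU versions use msSFU30-prefixed names.

```python
"""Map RFC 2307 posixAccount/posixGroup entries from Active Directory (the
SFU or Vintela schema extensions the slides mention) to passwd and group
lines, with the checks an nss_ldap deployment should not skip.  Added
example, not Vintela, SFU or nss_ldap code.  The LDIF below is constructed;
attribute names follow RFC 2307.  Older SFU versions use msSFU30* names."""

# Constructed sample: one good account, one with uidNumber 0, one duplicate.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=na,DC=corp,DC=contoso,DC=com
objectClass: posixAccount
cn: Alice Smith
uid: asmith
uidNumber: 10001
gidNumber: 10000
homeDirectory: /export/home/asmith
loginShell: /bin/ksh

dn: CN=Bob Jones,OU=Users,DC=na,DC=corp,DC=contoso,DC=com
objectClass: posixAccount
cn: Bob Jones
uid: bjones
uidNumber: 0
gidNumber: 10000
homeDirectory: /export/home/bjones
loginShell: /bin/sh

dn: CN=Carol Doe,OU=Users,DC=na,DC=corp,DC=contoso,DC=com
objectClass: posixAccount
cn: Carol Doe
uid: cdoe
uidNumber: 10001
gidNumber: 10000
homeDirectory: /export/home/cdoe
loginShell: /bin/sh

dn: CN=unixusers,OU=Groups,DC=na,DC=corp,DC=contoso,DC=com
objectClass: posixGroup
cn: unixusers
gidNumber: 10000
memberUid: asmith
memberUid: bjones
memberUid: cdoe
"""

MIN_DOMAIN_UID = 1000          # below this is reserved for local system accounts
ALLOWED_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/bash"}

def parse_ldif(text):
    """Split simple LDIF into {attribute: [values]} dicts (no base64, no folding)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def map_entries(entries):
    """Return (passwd_lines, group_lines, rejected).  An account is rejected,
    and dropped from group membership, if its uidNumber is in the local
    system range (an AD attribute must never yield uid 0), duplicates another
    account, or its loginShell is not on the allow list."""
    passwd, groups, rejected, owner = [], [], [], {}
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        name = e["uid"][0]
        try:
            uidn, gidn = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        except (KeyError, ValueError):
            rejected.append((name, "missing or non-numeric uidNumber/gidNumber"))
            continue
        shell = e.get("loginShell", ["/bin/sh"])[0]
        if uidn < MIN_DOMAIN_UID:
            rejected.append((name, "uidNumber %d collides with local system range" % uidn))
        elif uidn in owner:
            rejected.append((name, "uidNumber %d already used by %s" % (uidn, owner[uidn])))
        elif shell not in ALLOWED_SHELLS:
            rejected.append((name, "loginShell %s not permitted" % shell))
        else:
            owner[uidn] = name
            passwd.append("%s:x:%d:%d:%s:%s:%s" % (
                name, uidn, gidn, e.get("cn", [name])[0],
                e.get("homeDirectory", ["/"])[0], shell))
    accepted = set(owner.values())
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        members = [m for m in e.get("memberUid", []) if m in accepted]
        groups.append("%s:x:%s:%s" % (e["cn"][0], e["gidNumber"][0], ",".join(members)))
    return passwd, groups, rejected

if __name__ == "__main__":
    pw, gr, bad = map_entries(parse_ldif(SAMPLE_LDIF))
    print("\n".join(pw + gr))
    for name, why in bad:
        print("rejected %s: %s" % (name, why))
```

The point of the uidNumber checks is that whoever can write posixAccount attributes in AD can otherwise choose any UID on every joined host, so delegate that attribute as carefully as the Domain Admins group itself.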

Page 14:

Vintela Authentication Services

UNIX/Linux security subsystems integrated with Active Directory user accounts

No synchronization between systems, all credentials reside within Active Directory

Authentication and authorization through Kerberos

UNIX Identity management using RFC 2307 schema

Single login and password for mixed Windows, UNIX and Linux applications and resources

All LDAP communication secured through Kerberos – no SSL overhead

Single point of account management through Active Directory – Microsoft Management Console

Immediate ROI to IT departments

Page 15:

Vintela – Joining Linux machine to AD domain

demo

Page 16:

Joining a Linux machine to the AD domain

# /opt/vas/bin/vastool -p myadmin join teched.com techeddc.teched.com

Now that's easy!

Page 17:

Vintela – Create "Unix enabled" user

demo

Page 18:

Creating a “Unix enabled” user

Checkbox extension to MMC User & Computers snap-in

Applies Vintela schema to AD for Unix-style authorization & profile information

Page 19:

Vintela – Domain login

demo

Page 20:

Domain login

Windows UPN-style login

Deactivate account in AD, no login!

Everything about the user lives in AD

Page 21:

SSPI and GSSAPI

[Diagram: SSPI on Windows beside GSSAPI on Linux]

Windows: client/server application -> SSPI (Security Support Provider Interface) -> LSA, CAPI; security packages "Kerberos" (RFC 1964 GSS Kerberos), "NTLM", and "Negotiate" (RFC 2478 GSS SPNEGO).

Linux: application -> GSSAPI (Generic Security Service Application Programming Interface, "V2", RFC 2743) -> mechanism: Kerberos (MIT de facto), Kerberos RFC 1510, GSS Kerberos RFC 1964.

Client app and server exchange the opaque tokens the API produces; the mechanism on both ends must match, which is what SPNEGO ("Negotiate") negotiates.

Page 22:

Vintela – Web logon with SPNEGO

demo

Page 23:

SPNEGO web logon

Vintela adds SPNEGO capability to Apache

SSO from Windows & *NX clients

Vintela also requests Windows PAC from Windows KDC

Mozilla SPNEGO (TBD) plug-in will give SSO to IIS web server using Kerberos

Because the PAC is there - result is Windows Integrated security context
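The SSPI/GSSAPI slide and the web logon slide above describe SPNEGO only as "Negotiate" tokens passing between browser and Apache. The script below is an added example, not Vintela's Apache module or anything in the deck: it builds and decodes the SPNEGO NegTokenInit that a browser sends in an Authorization: Negotiate header (RFC 2478 inside the RFC 2743 initial-token framing) and applies the policy a Kerberos-SSO server wants, accepting only a client whose preferred mechanism is Kerberos and that sent its AP-REQ, and rejecting NTLM, whether offered inside SPNEGO or sent raw under the Negotiate scheme. The sample headers are constructed with a minimal DER encoder, and the Kerberos AP-REQ inside them is placeholder bytes rather than a real ticket, since what matters here is the negotiation layer.

```python
"""Decode the SPNEGO (RFC 2478) NegTokenInit a browser sends in
'Authorization: Negotiate <base64>' and decide whether a web server that
wants Kerberos SSO should accept it.  Added example, not Vintela's Apache
module or IIS code.  Tokens are built here with a minimal DER encoder; the
inner Kerberos AP-REQ is a constructed placeholder, not a real ticket."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"       # RFC 1964 Kerberos V5 mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"

def der(tag, payload):
    """DER tag-length-value, long-form length above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    """DER OID body (without tag/length) -> dotted string."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_negotiate_header(mech_oids, mech_token):
    """Client side: NegTokenInit with mechTypes and an optimistic mechToken,
    wrapped in the GSS-API initial token framing (RFC 2743 section 3.1)."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    neg_init = der(0xA0, der(0x30, mech_types + token))
    gss = der(0x60, encode_oid(SPNEGO_OID) + neg_init)
    return "Negotiate " + base64.b64encode(gss).decode()

def parse_negotiate_header(header):
    """Server side: (mech_oids, mech_token) from the header value.  Raises
    ValueError for raw NTLMSSP or anything that is not a SPNEGO NegTokenInit."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    gss = base64.b64decode(b64)
    if gss.startswith(b"NTLMSSP\x00"):
        raise ValueError("raw NTLMSSP token sent under the Negotiate scheme")
    tag, body, _ = read_tlv(gss)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0]")
    _, seq, _ = read_tlv(neg)
    mechs, token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                      # mechTypes [0] SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(decode_oid(o))
        elif tag == 0xA2:                    # mechToken [2] OCTET STRING
            _, token, _ = read_tlv(val)
    return mechs, token

def accept_for_kerberos_sso(header):
    """Policy: accept only when the client's preferred mechanism is Kerberos
    and it sent the optimistic AP-REQ; never fall back to NTLM."""
    mechs, token = parse_negotiate_header(header)
    if not mechs or mechs[0] not in (KRB5_OID, MS_KRB5_OID):
        return False, "preferred mechanism is not Kerberos: %s" % (mechs[:1] or "none")
    if token is None:
        return False, "no Kerberos AP-REQ in mechToken"
    return True, "Kerberos AP-REQ of %d bytes ready for accept_sec_context" % len(token)

# Constructed headers: a Kerberos-first client, an NTLM-only client, raw NTLM.
FAKE_AP_REQ = b"\x6e\x08" + b"\x00" * 8          # placeholder, not a real AP-REQ
KERB_HEADER = build_negotiate_header([KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)
NTLM_HEADER = build_negotiate_header([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The mechToken returned for the Kerberos case is what the server hands to GSSAPI accept_sec_context with the HTTP/<fqdn> key from its keytab; the NTLM rejections matter because a browser with no ticket (wrong SPN, clock skew, host not in the intranet zone) quietly offers NTLMSSP instead, and a server that accepts it has lost the Kerberos-only guarantee without anyone noticing.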

Page 24:

Demo you will not see

Mozilla -> IIS: needs the Mozilla SPNEGO plug-in

Available later this year from multiple vendors

Vintela *does* provide Windows PAC

Page 25:

Conclusion

Interoperability
  Kerberos 5 for authentication
  LDAP for authorization

Benefits
  Single point of administration
  Fewer accounts to manage
  User account policy enforcement
  Protect user passwords
  Protect application data
  Single point of authorization
  Improve end-user experience (fewer ID/PWs)

Page 26:

Identity Management Virtual Track

For the IT Pro
  SEC400: UNIX & Kerberos Interop to Achieve Identity Mgmt
  DEP311: Identity Management with Microsoft Metadirectory Services
  WIN310: AD Branch Office with Windows Server 2003
  ADM313: Managing Active Directory with MOM
  ADM314: Delegating Administrative Tasks in Active Directory

For the Developer
  SEC320/402: Developing Identity-aware apps on Microsoft's Identity Platform (Part 1 & 2)
  OFC333: EAI Using SharePoint Portal Server
  WEB311: Windows Platform Security Services for Web Services

Page 27:

Ask The Experts: Get Your Questions Answered

I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:

2 July – 13:00-15:00

4 July – 10:00-12:00

Page 28:

Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

Page 29:

VAS enables end users to use a single login account and password for access to critical systems and applications in mixed Windows, UNIX® and Linux® environments. The time IT managers spend creating, modifying and removing user accounts is reduced to a single action. Companies running Microsoft® Active Directory® can gain enhanced security and reduced management by extending these benefits to their business-critical UNIX and Linux applications.

VAS addresses the problem of identity management in a fundamentally different way than anyone else in the market today. VAS uses the user accounts in Active Directory to authenticate to UNIX and Linux systems and applications in the same way a Windows® XP system would. The integration lets UNIX and Linux security validate user credentials held in Active Directory. VAS is not synchronization. Authentication is Kerberos, and the LDAP traffic to AD is secured with Kerberos, exactly the way Active Directory and XP communicate. The installation is simple and the benefits are immediately recognized.

Page 30:

A Division of Center7, Inc.

Dave Wilson

President Vintela Division

801.655.2612

[email protected]

www.vintela.com

[email protected]

Control through Integration

Page 31: (Community Resources slide repeated)

Page 32:

evaluations

Page 33:

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.