21st June 2007
Active Directory and Oxford Single Sign-On
Bridget Lewis – ICTST
Adrian Parks – OUCS
Aim
• How to link Active Directory to the Oxford Kerberos Single sign-on (SSO) infrastructure
What is Kerberos?
• Authentication protocol
– Not authorisation
• Client and server mutually authenticate
Authentication vs Authorisation
Illustration: an identity card (Fred A. Stair, Undergrad, Cornflake College) shows who someone is: Authenticated. A guest list (Donald Duck, Fred Smith, Lucy Jones, The Doctor, Fred A. Stair) decides whether that person may come in: Authorized.
Why Kerberos?
• Single sign-on
• Centralised authentication
• Strong encryption
• No passwords over the wire
Kerberos in Oxford
• Herald
• WebLearn
• Apache/IIS webservers (via Webauth)
• eDirectory
• Active Directory
• Open Directory
So how does it work…?
Simple, really…
Like this…
Basic Kerberos Functionality
Diagram: Client A, Service B and a Trusted Third Party S. The first arrow, labelled "1: A, B", runs from Client A to the Trusted Third Party; the remaining arrows carry the labels A, B and S.
Essential Terminology
• Principal — user or service with credentials
• Ticket — issued for access to a service
• Key Distribution Centre (KDC) — issues tickets for principals in a realm
• Realm — set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK
• TGT (ticket-granting ticket) — confirms identity; used to obtain further tickets (Single Sign-on)
Kerberos and Active Directory
• Kerberos 5 implemented in AD (with added…)
– Every domain is a Kerberos Realm
– Every domain controller is a KDC
• Many services can use Kerberos
– CIFS, LDAP, HTTP
• Kerberos is preferred over NTLM
• Trusts between Kerberos Realms
Integrating Active Directory with Oxford Kerberos Realm
• Configure Active Directory Kerberos realm to trust Oxford Kerberos realm for authentication
Diagram: Client A, the OX.AC.UK KDCs, the OUCS.OX.AC.UK KDCs and Active Directory, with a Trust drawn between the realms and the exchange numbered 1 to 4.
Integrating Active Directory with Oxford Kerberos Realm
• Authorization: AD uses the SID, not the username, to determine what a user can do
– Usernames must exist in AD (Identity Management)
– Oxford usernames must be mapped to Active Directory users
[email protected] [email protected]
So what does this mean in practice?
The “Good”...
• Use Oxford account to authenticate to AD
• No need to issue passwords to new students each year
• Devolve password problems to OUCS
Case Study
• St Hugh’s College
– ~20 Public Access PCs
– ~600 Students, intake of ~120 per year
– Passwords were issued manually each year
• Integrated with Oxford KDCs
– Account creation simplified via VB script
– Students use “Herald” password
– Administrative overhead reduced for ITSS
Case Study
• Language Centre
– User base is whole university!
– Potentially 40000 users
– Historically, all used one shared account
• Webauth plus Oxford SSO solution
– Users register for AD account via Webauth protected site
– AD account generated on the fly
– Log in to AD via the Oxford SSO solution
• “Herald password”
But…there are some caveats
The “Bad”...
• Access from PCs not in domain
– Including via web, e.g. Outlook Web Access
• Some students don’t know their Oxford password (approx 13%)
• Loss of external connectivity to central KDCs
...and some problems
The “Ugly”...
• Fallback authentication is NTLM
– KDCs don’t speak NTLM
– Some apps only speak NTLM
• Problems integrating other operating systems (OS X, other?)
Summary
• Works very well in certain scenarios
– E.g. shared filestore for students
– Reduced administrative overhead
• Not appropriate for all environments
– E.g. many services built on Active Directory (Exchange, Sharepoint, Web access to files etc.)
How do we set this up?
Full details are on the ITSS wiki:
https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
How do we set this up?
1. Check time is in sync (throughout domain and to ntp source)
See appendix for details!
How do we set this up?
2. Request a Kerberos principal from the OUCS Systems Development team ([email protected])
krbtgt/FULL.AD.DOMAIN.NAME
e.g. krbtgt/STHUGHS.OX.AC.UK, krbtgt/ZOO.OX.AC.UK
How do we set this up?
3. Change the password of the new principal (use linux.ox.ac.uk):
How do we set this up?
4. Check time is in sync
How do we set this up?
5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run:
ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk
Or use a registry file/Group Policy (see wiki)
How do we set this up?
6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest
Use the password set in step 3.
How do we set this up?
7. Check time is in sync
How do we set this up?
8. Add a name mapping for AD account to the Kerberos realm
• Format is [email protected]
• Note uppercase OX.AC.UK
How do we set this up?
9. Reboot workstation and log in
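As an added example (not from the slides or the ITSS wiki), a PowerShell script that checks, on a domain member, the three things steps 1 to 8 depend on: the KDC entries that ksetup /addkdc writes to the registry, clock skew against an NTP source, and the altSecurityIdentities name mapping with the realm in uppercase. The NTP server name and the sample account name are assumptions; the realm and KDC names are the ones the slides use.

```powershell
# Added example, not from the slides or the ITSS wiki: check the prerequisites the
# setup steps rely on, run on a domain member. $NtpServer and $SamAccountName are
# placeholders; the Realm and KDC names are the ones the slides use.
param(
    [string]   $Realm          = 'OX.AC.UK',
    [string[]] $ExpectedKdcs   = @('kdc0.ox.ac.uk', 'kdc1.ox.ac.uk', 'kdc2.ox.ac.uk'),
    [string]   $NtpServer      = 'ntpserver1',   # assumed: the unit's NTP source
    [string]   $SamAccountName = 'fred'          # hypothetical AD account to inspect
)
$ok = $true

# Check 1 (step 5): ksetup /addkdc records the KDCs in the KdcNames value under
# this key; every expected KDC for the realm should be present.
$kdcKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
$kdcs = @((Get-ItemProperty -Path $kdcKey -ErrorAction SilentlyContinue).KdcNames)
foreach ($k in $ExpectedKdcs) {
    if ($kdcs -notcontains $k) { Write-Warning "KDC $k not registered for $Realm"; $ok = $false }
}

# Check 2 (steps 1, 4, 7): the KDC rejects requests more than 5 minutes off
# (Appendix B). Sample the offset to the NTP source and fail well inside that limit.
$samples = w32tm /stripchart /computer:$NtpServer /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No NTP samples from $NtpServer"; $ok = $false
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt 60) {
        Write-Warning ("Clock skew {0:N1}s against $NtpServer; Kerberos limit is 300s" -f $worst)
        $ok = $false
    }
}

# Check 3 (step 8): the AD account needs an altSecurityIdentities value of the form
# Kerberos:<oxford-username>@OX.AC.UK, with the realm in uppercase.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('altSecurityIdentities')
$result = $searcher.FindOne()
if (-not $result) {
    Write-Warning "No AD account named $SamAccountName"; $ok = $false
} else {
    $maps    = @($result.Properties['altsecurityidentities'])
    $pattern = '^Kerberos:[^@]+@' + [regex]::Escape($Realm) + '$'
    if (-not ($maps | Where-Object { $_ -cmatch $pattern })) {
        if ($maps | Where-Object { $_ -imatch $pattern }) {
            Write-Warning "Mapping on $SamAccountName has the realm in the wrong case; it must be $Realm"
        } else {
            Write-Warning "No Kerberos:<user>@$Realm mapping on $SamAccountName"
        }
        $ok = $false
    }
}

if ($ok) { 'All trust prerequisites look good' } else { 'One or more checks failed; see warnings' }
```

Run it before step 9 on a representative workstation; a skew warning or a wrong-case mapping is the usual reason the first logon after the reboot fails.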
Demo
Some links
ITSS Wiki: https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust
MIT: Designing an Authentication System: A Dialogue in Four Scenes http://web.mit.edu/kerberos/www/dialogue.html
Microsoft: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
Kerberos: The Definitive Guide (Jason Garman/O'Reilly) http://www.amazon.co.uk/Kerberos-Definitive-Guide-Jason-Garman/dp/0596004036/ref=sr_1_1/202-9173258-1666237?ie=UTF8&s=books&qid=1182273864&sr=8-1
Appendix A — Utilities
• 2003 Resource Kit Utilities
– Kerbtray (GUI)
– Klist (command line)
• Support Tools Utilities (from 2003 CD)
– Ksetup (command line)
– Ktpass (command line)
Kerbtray
• Kerbtray displays tickets
• Picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK
Kerbtray
• Picture shows tickets for services in Active Directory Realm
Klist
• Klist — as Kerbtray but command line
Support Tools
• Ksetup
– Set up realm information
– E.g. set KDCs for a given realm
• Ktpass
– Manipulating principals
MIT Kerberos for Windows
• http://web.mit.edu/kerberos/dist/
• Another way of viewing tickets
• Maintains its own ticket cache
• Can import tickets from Microsoft cache
• Some applications can use these tickets
Network Identity Manager
Appendix B — Additional Notes
• Time must be within 5 minutes of KDC time
• Logon may fail intermittently if logon allowed before network fully initialized (XP/2003)
– Group Policy setting
– Computer Configuration/Administrative Templates/System/Logon
– Enable setting "Always wait for network on computer startup or user logon"
• Terminal Services Patch
– http://support.microsoft.com/default.aspx?scid=KB;EN-US;902336
Short History of Time
• All DCs sync to PDC emulator (automatic)
• Member servers and workstations sync to Domain Controllers (automatic)
• PDC emulator must be sync’d to ntp source
– Must update if you move PDC emulator role
– w32tm /config /manualpeerlist:"ntpserver1 ntpserver2 ntpserver3" /syncfromflags:manual /reliable:yes /update
– http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
Automated Account Creation
• OUCS can provide nightly update of Oxford usernames and other information to each unit
– http://www.oucs.ox.ac.uk/registration/card_data_2006.xml.ID=body.1_div.9
– Use scripts to feed into Active Directory
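An added example of the "scripts to feed into Active Directory" idea (not the St Hugh's VB script or any OUCS code): it takes a nightly username feed, here a constructed CSV because the card_data export format is not shown in the slides, and makes sure each Oxford user has an AD account carrying the Kerberos name mapping from step 8, with the realm in uppercase. It needs the ActiveDirectory module; the OU and UPN suffix are placeholders.

```powershell
# Added example, not the St Hugh's VB script or any OUCS code: feed a nightly username
# export into AD so that every Oxford user has an account carrying the Kerberos name
# mapping from step 8. The feed format is constructed (the real card_data export is
# not shown in the slides); the OU and UPN suffix are placeholders. Needs the RSAT
# ActiveDirectory module.
Import-Module ActiveDirectory

$Realm     = 'OX.AC.UK'                                  # the slides require uppercase
$TargetOU  = 'OU=Students,DC=example,DC=ox,DC=ac,DC=uk'  # placeholder OU
$UpnSuffix = 'example.ox.ac.uk'                          # placeholder AD domain

# Constructed sample standing in for the nightly feed: one Oxford username per row.
$feed = @'
username,surname,givenname
abcd0001,Stair,Fred
abcd0002,Jones,Lucy
'@ | ConvertFrom-Csv

function New-KerberosMapping([string]$Username) {
    # The value AD matches when a cross-realm ticket arrives: Kerberos:<user>@REALM.
    "Kerberos:$($Username.ToLower())@$($Realm.ToUpper())"
}

foreach ($row in $feed) {
    $u = $row.username.Trim().ToLower()
    if ($u -notmatch '^[a-z][a-z0-9]{1,19}$') { Write-Warning "Skipping malformed username '$u'"; continue }

    $user = Get-ADUser -Filter "sAMAccountName -eq '$u'" -Properties altSecurityIdentities
    if (-not $user) {
        # No AD password is ever issued: the student logs in with the Oxford (Herald)
        # password through the trust. Give the account a random, undisclosed password so
        # it is enabled but not usable for direct AD logon.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        $user = New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$UpnSuffix" `
            -GivenName $row.givenname -Surname $row.surname -Path $TargetOU `
            -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -PassThru
        Write-Output "Created $u"
    }

    $mapping  = New-KerberosMapping $u
    $existing = @($user.altSecurityIdentities | Where-Object { $_ })
    # Replace a wrong-case variant (e.g. @ox.ac.uk) with the canonical uppercase mapping.
    $stale = @($existing | Where-Object { $_ -ieq $mapping -and $_ -cne $mapping })
    if ($stale.Count) {
        Set-ADUser -Identity $user -Remove @{ altSecurityIdentities = $stale }
        Write-Output "Fixed realm case on $u"
    }
    if ($existing -cnotcontains $mapping) {
        Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mapping }
        Write-Output "Mapped $u -> $mapping"
    }
}
```

Because every step is a no-op when the account and mapping already exist, the script can run unattended each night after the feed arrives.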
Full Kerberos Functionality
Diagram: Client A, Service B and the KDC (S). KDC, 2 parts: AS: Authentication Server; TGS: Ticket Granting Server. The arrow labelled "2: A, B" is the second step of the exchange, naming A and B.
Other notes of interest
• Workstation authenticates too: problems for cross-realm authentication.
• DC devolution — KDC patches available
• Macs
• eDir
• preauth, timestamps, lifespan of tickets etc
Appendix C
Use Wireshark to observe the Kerberos exchange