This TWiki web has been archived. It is no longer being updated, and the content may be obsolete.

Kerberos Unification

Currently at CERN there exist two completely separate Kerberos realms, but both use the "CERN.CH" realm name. One runs on Heimdal Kerberos and the other on Active Directory, and the KDCs of each realm can only authenticate the CERN users and services that exist within that same realm. Because both realms share one name, cross-realm trust is not possible in this setup.

The purpose of this project is to form a unified Kerberos based system that is capable of authenticating all computer platforms and key services at CERN. This will involve assessing the existing access control system, investigating the options for a unified solution and providing management with the information they need to make a decision on what candidate solution to implement. The chosen alternative will then be implemented. Please see KerberosFuture for technical information on the various Kerberos based services at CERN.

Project Goals

The reasons for undertaking this project are as follows:
  • To increase security, by minimizing / eliminating as far as possible the need for password entry in the process of authentication, and thus decrease the chances of the passwords being intercepted and stolen.
  • To improve usability of CERN services, by providing seamless integrated authentication across platforms.
  • To potentially reduce costs, by removing duplicate services (KDC Servers).
  • To ensure long term maintainability of the new system, by using industry standards as far as possible.

Project Scope

The scope of this project is currently limited to the authentication of principals (establishing that they are who they claim to be). It does not extend to the authorization (establishing that a principal has sufficient privilege to carry out a given task, or use a service). The scope is also limited to clients and services that are running on CERN-IT supported operating systems.

Requirements and Candidate Solutions

Below is a list of the possible alternatives to the current system. Please see the attached document Kerberos_System_Requirements.doc for a description of the alternatives listed, and an overview of the functionality and services that any replacement solution should offer.

  • Unify Under Active Directory - ActiveDirectoryInvestigation
  • Unify Under MIT/Heimdal Kerberos - StatementFromMicrosoft
  • Rename Active Directory Realm and Form Trust Relationship Between the Two Realms - ADDomainRenameInvestigation
  • Rename AFS Realm and Form Trust Relationship Between the Two Realms - AfsRealmRenameInvestigation
  • Retain Current Solution and Synchronize Services - Discarded
  • Users/AFS Services under AFS Realm, Windows Services in AD Realm - Discarded
  • Retain Current Solution and Setup Dual Ticket Caches for Clients - Discarded

Authentication Setups Employed by Other Organisations

OrganisationsWithSimilarSetups describes the authentication setups of organisations that have similar authentication requirements to CERN. The information was obtained from members of the respective organisations.

Milestones

Reached:
  • A set of requirements for any replacement solution has been prioritised and agreed upon by stakeholders.
  • A list of alternatives to be considered and tested has been established and agreed upon by stakeholders.
  • All proposed solutions have been investigated and the findings agreed by stakeholders.
  • Management has decided on one of the proposed solutions.
Remaining:

How Tos

Here are some areas where you might be able to benefit from the Kerberos realm unification.

Linux
  • MigratingToActiveDirectory - How to join the Active Directory realm
  • ConfigureYourEmailClientForKerberosAuthentication - How to use Kerberos authentication with your e-mail client (complete MigratingToActiveDirectory first).
  • MigrationFAQ
Windows
  • PuttyWithKerberos - How to log on to a Linux box from a Windows box using PuTTY
  • InstallingOpenAFSClient on Windows - How to use OpenAFS from a Windows machine using your Windows credentials

Additional Information

  • InitialTestSetupInformation - A few notes relating to some initial tests
  • RequestingAdditionalKerberosKeysForActiveDirectory - (OLD) How to get Kerberos keys for a service such as http or cvs, or a user principal's key, in Active Directory (complete MigratingToActiveDirectory first).
  • CastorQuickReference
  • CastorWorkLog

Topic attachments
  • Kerberos_System_Requirements.doc (Microsoft Word, r3, 101.5 K) - uploaded 2009-01-30 10:51 by JohnHefferman - Kerberos_System_Requirements
Topic revision: r49 - 2014-11-20 - TWikiAdminUser