Active Directory and Oxford Single Sign-On
Bridget Lewis -ICTST
Adrian Parks -OUCS
Aim
How to link Active Directory to the Oxford Kerberos Single sign-on (SSO) infrastructure
What is Kerberos?
Authentication protocol
Not authorisation
Client and server mutually authenticate
Authentication vs Authorisation
Why Kerberos?
Single sign-on
Centralised authentication
Strong encryption
No passwords over the wire
Kerberos in Oxford
Herald
WebLearn
Apache/IIS webservers (via Webauth)
eDirectory
Active Directory
Open Directory
So how does it work ?
Simple, really
Like this
Essential Terminology
Principal î user or service with credentials
Ticket î issued for access to a service
Key Distribution Centre (KDC) î issues tickets for principals in a realm
Realm î set of principals in a Kerberos database, e.g. OX.AC.UK, OUCS.OX.AC.UK
TGT (ticket-granting ticket) î confirms identity; used to obtain further tickets (Single Sign-on)
Kerberos and Active Directory
Kerberos 5 implemented in AD (with added )
Every domain is a Kerberos Realm
Every domain controller is a KDC
Many services can use Kerberos
CIFS, LDAP, HTTP
Kerberos is preferred over NTLM
Trusts between Kerberos Realms
Integrating Active Directory with Oxford Kerberos Realm
Configure Active Directory Kerberos realm to trust Oxford Kerberos realm for authentication
Integrating Active Directory with Oxford Kerberos Realm
Authorization: AD uses SID, not username to determine what a user can do
Usernames must exist in AD (Identity Management)
Oxford usernames must be mapped to Active Directory users
So what does this mean in practice?
The Good …
Use Oxford account to authenticate to AD
No need to issue passwords to new students each year
Devolve password problems to OUCS
Case Study
St Hugh’ s College
~ 20 Public Access PCs
~ 600 Students, intake of ~120 per year
Passwords were issued manually each year
Integrated with Oxford KDCs
Account creation simplified via VB script
Students use Herald password
Administrative overhead reduced for ITSS
Case Study
Language Centre
User base is whole university!
Potentially 40000 users
Historically, all used one shared account
Webauth plus Oxford SSO solution
Users register for AD account via Webauth protected site
AD account generated on the fly
Log in to AD via the Oxford SSO solution
Herald password
But there are some caveats
The Bad …
Access from PCs not in domain
Including via web, e.g. Outlook WebAccess
Some students don’ t know their Oxford password (approx 13%)
Loss of external connectivity to central KDCs
…and some problems
The Ugly …
Fallback authentication is NTLM
KDCs don’ t speak NTLM
Some apps only speak NTLM
Problems integrating other operating systems (OS X, other?)
Summary
Works very well in certain scenarios
E.g. shared filestore for students
Reduced administrative overhead
Not appropriate for all environments
E.g. many services built on Active Directory (Exchange, Sharepoint, Web access to files etc.)
How do we set this up?
Full details are on the ITSS wiki:
wiki.oucs.ox.ac.uk/itss/KerberosADTrust
How do we set this up?
Check time is in sync (throughout domain and to ntp source)
See appendix for details!
How do we set this up?
2. Request a Kerberos principal from the OUCS Systems Development team ([email protected])
krbtgt/FULL.AD.DOMAIN.NAME
krbtgt/STHUGHS.OX.AC.UK
krbtgt/ZOO.OX.AC.UK
How do we set this up?
How do we set this up?
How do we set this up?
4. Check time is in sync
How do we set this up?
5. On all domain controllers, member servers and workstations, install the Windows Support Tools and run:
ksetup /addkdc OX.AC.UK kdc0.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc1.ox.ac.uk
ksetup /addkdc OX.AC.UK kdc2.ox.ac.uk
Or use a registry file/Group Policy (see wiki)
How do we set this up?
How do we set this up?
6. Create a one-way, outgoing, transitive trust between the Kerberos realm OX.AC.UK and the Active Directory forest
Use the password set in step 3.
How do we set this up?
How do we set this up?
7. Check time is in sync
How do we set this up?
8. Add a name mapping for AD account to the Kerberos realm
Format is [email protected]
Note uppercase OX.AC.UK
How do we set this up?
How do we set this up?
9. Reboot workstation and log in
Demo
Contact details
Some links
ITSS Wiki:
wiki.oucs.ox.ac.uk/itss/KerberosADTrust
MIT:
Designing an Authentication System: A Dialogue in Four Scenes
web.mit.edu/kerberos/www/dialogue.html
Microsoft:
www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
Kerberos: The Definitive Guide (Jason Garman/O’Reilly)
Appendix A î Utilities
2003 Resource Kit Utilities
Kerbtray (GUI)
Klist (command line)
Support Tools Utilities (from 2003 CD)
Ksetup (command line)
Ktpass (command line)
Kerbtray
Kerbtray displays tickets
Picture shows TGTs for ITSSCONFADDEMO.OX.AC.UK and OX.AC.UK
Kerbtray
Picture shows tickets for services in Active Directory Realm
Klist
Klist î as Kerbtray but command line
Support Tools
Ksetup
Set up realm information
E.g. set KDCs for a given realm
Ktpass
Manipulating principals
MIT Kerberos for Windows
web.mit.edu/kerberos/dist/
Another way of viewing tickets
Maintains its own ticket cache
Can import tickets from Microsoft cache
Some applications can use these tickets
Network Identity Manager
Appendix B î Additional Notes
Time must be within 5 minutes of KDC time
Logon may fail intermittently if logon allowed before network fully initialized (XP/2003)
Group Policy setting
Computer Configuration/ Administrative Templates/System/Logon
Enable setting “Always wait for network on computer startup or user logon”
Terminal Services Patch
support.microsoft.com/default.aspx?scid=KB;EN-US;902336
Short History of Time
All DCs sync to PDC emulator (automatic)
Member servers and workstations sync to Domain Controllers (automatic)
PDC emulator must be sync’ d to ntp source
Must update if you move PDC emulator role
w32tm /config /manualpeerlist: “ntpserver1 ntpserver2 ntpserver3” /syncfromflags:manual /reliable:yes /update
technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
Automated Account Creation
OUCS can provide nightly update of Oxford usernames and other information to each unit
www.oucs.ox.ac.uk/registration/card_data_2006.xml.ID=body.1_div.9
Use scripts to feed into Active Directory
Other notes of interest
Workstation authenticates too: problems for x-realm auth.
DC devolution î KDC patches available
Macs
eDir
preauth, timestamps, lifespan of tickets etc
Appendix C
Use Wireshark to observe the Kerberos exchange