Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Security Solutions: Native-mode Kerberos

Locked

In this week’s Security Solutions TechMail column, Mike Mullins addresses the Kerberos authentication scheme for Microsoft Windows 2000 native-mode domains. Have you had problems implementing Kerberos authentication? Share your comments here.

Here is the link to the Microsoft resource mentioned in Michael Mullins’ column:

– HOW TO: Enable Kerberos Event Logging (262177):
http://support.microsoft.com/default.aspx?scid=kb;en-us;262177

*Remember to remove any spaces before pasting this link into your browser.
—-
If you’d like to learn more about the Security Solutions TechMail, point to this link and click Security Solutions to see a sample. If you’re interested, you can also sign up:
http://www.techrepublic.com/techmails.jhtml?repID=r001

Topic

What about Kerberos V for Unix?

In reply to Security Solutions: Native-mode Kerberos

This is an interesting article, but as always, makes the
assumption the whole world is running on Windows.
However, there are more OS in the world, for example
Solaris, NetBSD, FreeBSD, OpenBSD, GNU/Linux,
HP/UX, AIX, QNC, BeOS, etc.

Itwould be interesting to see articles on how to install,
configure and use Kerberos on Unix-like platforms, for
example, GNU/Linux or *BSD. I could even write such an
article.

I have recently deployed Kerberos V on my LAN. All the
machines are running GNU/Linux and OpenSSH (with its
proper Kerberos support) so I can log on to my workstation
and access all other hosts remotely using SSH without
needing to specify my password. This is single-sign on
came true, and when combined with OpenLDAP, it’s
roughly equivalent to Active Directory.

Native mode client requirements

In reply to Security Solutions: Native-mode Kerberos

I think this article contains an error, or at least a source of confusion. It seems to say that Native mode is only if all your clients & servers are W2k or higher, which is true of Kereberos, but not of Native mode. Native/Mixed refers to the presence of NT BDC’s.
From the article:
Windows 2000 domains can operate in either mixed mode (contains pre-Win2K clients or servers) or native mode (all Win2K or greater clients and servers).

Native mode means you can’t run NT Domain Controllers, but you can still run older clients & member servers.

From Windows & .Net magazine (http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7156&pg=1&show=679)
“native mode doesn?t support NT domain controllers; you can only have Win2K domain controllers. However, you can have NT workstations and member servers in native mode.”

If I’m incorrect, please clarify the client requirements of Native mode.

I’m running a Mixed mode w/ mostly NT 4.0 clients, some W2k pro, and a few 9x machines. My servers are all on W2k and I’m preparing to move to Native.

Reply To: Security Solutions: Native-mode Kerberos

In reply to Native mode client requirements

I agree with you in that if the aritcle is not an error, then it is confusing. You are correct in that all domain controlers must be W2K in order to go native. We ran in mixed mode for a few months until we upgraded all our DCs W2K. We then went native without a hitch.

I agree cont…

In reply to Reply To: Security Solutions: Native-mode Kerberos

P.S. We still have a few NT clients (after going native) and they authenticate fine.

Reply To: Security Solutions: Native-mode Kerberos

In reply to I agree cont…

That’s my biggest fear (the clients). I have almost all NT 4.0 clients. I come across articles like this that seem to say you can’t go native w/ older clients and it makes me nervous about pulling the trigger.

I’m always keeping a lookout for other people’s experiences w/ switching to Native. Seems to go smoothly, though.

Confusion??

In reply to Native mode client requirements

The part about native mode, was specific to native mode authentication. If all of the clients and servers in the authentication puzzle are Win2k or higher, then “native mode authentication – Kerberos” occurs.

I think we all realize that Native mode as MS puts it, means no NT BDC/PDCs in the same forest. Thanks for the question.
Mike

Check your facts

In reply to Security Solutions: Native-mode Kerberos

For one thing, DNS operates on UDP port 53, not TCP as stated in the article.

Someone Has already pointed out that only domain controllers need to be 2k or better to switch to native mode.

Perhaps this would be a better post in the paper mcse category.
JMHO

Check your facts on DNS

In reply to Check your facts

DNS will operate on UDP or TCP and the prefered method within a Native domain is tcp. It all comes down to how many bytes a udp packet can take.

If you’d like more indepth information on windows dns over tcp, you can get it from Q179442. In a previous newsletter, I covered the change in DNS protocol that occurred in the newer versions of bind and the benefits of using tcp rather than udp.

Thanks for the question.
Mike

[Author]

Replies