From the Inside Out: Novell eDirectory Goes Kerberos
Novell Cool Solutions: Feature
By Tim Harris
Posted: 2 Mar 2004
We thought it would be cool to have Novell's Product Managers produce a regular column for eDirectory Cool Solutions to give you some insight into current projects, plans, and other interesting tidbits. We're calling it "From the Inside Out." This column is from Tim Harris, Novell product manager for NMAS, SecretStore, RADIUS, Client32 and sundry other products. Look for a new column weekly. And if you have any suggestions for topics for these guys, let us know and we'll drop some hints.
Remember the days when "logging in" meant just one thing: entering a password? Today there are dozens of ways to authenticate to a network, depending on the security model an organization chooses to employ. One of these methods that's been getting a lot of attention lately is the Kerberos protocol, which is prevalent in scientific and educational institutions, and more recently is being adopted by large enterprises as a means of providing a standard authentication mechanism for their environments.
However, although Novell has for some time offered support for everything from biometrics to proximity cards, Novell products have generally not been able to leverage Kerberos authentication. That's about to change.
The sudden uptake in the adoption of Kerberos can be attributed in part to the fact that Microsoft has added it as a supported authentication method for Active Directory. The fact that Kerberos has been in use for over 10 years, has a proven track record as a secure protocol and is available on virtually every operating system also adds to the appeal. While it is true that Microsoft has added proprietary extensions to the Kerberos protocol for Active Directory, it still can be leveraged in a heterogeneous environment to provide a level of single sign-on that was previously unattainable.
To allow Novell products to take similar advantage of Kerberos, Novell has created the Novell Modular Authentication Service (NMAS) Kerberos method, which delivers a means for Novell eDirectory to "trust" the authentication provided to an end user by a Kerberos Key Distribution Center (KDC), and to leverage the credentials provided as a valid means of authentication to eDirectory. The NMAS Kerberos method relies on the fact that a Kerberos environment exists already, and does not provide KDC services to eDirectory (the eDirectory Kerberos KDC will be discussed in a later article -- stay tuned). The NMAS Kerberos method has been tested to work with Kerberos environments provided by MIT and Microsoft, in addition to Novell's.
With the NMAS Kerberos method properly configured on a workstation, end users will actually use Client32 to request a Ticket Granting Ticket (TGT) from their configured KDC using their Kerberos Principal Name and their password. The client will then populate the various credential caches on the local workstation with that TGT and send the TGT across to the NMAS server to verify the validity of the ticket with the KDC and authenticate the user to eDirectory. Kerberized applications that expect to communicate with Kerberos clients from MIT or Microsoft will find the necessary TGT information already populated in the ticket cache and ready to be consumed.
The net effect of this set of interactions is that end users gain a single sign-on experience between their Kerberos-based applications and services and their eDirectory-based applications and services. In an environment containing both eDirectory and Kerberos, end users won't have to authenticate more than once, and administrators won't have to configure security policy in more than one location. In short, the NMAS Kerberos method simplifies authentication services and helps deliver on the promise of "one Net."
The NMAS Kerberos method will be available for download before the end of March at http://download.novell.com. It will also ship with future versions of Novell eDirectory.
FEEDBACK: Are you using Kerberos authentication in your organization? Tell me about it at firstname.lastname@example.org.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com