Kerberos

From InteropWiki

AKA Windows integrated authentication to Internet Explorer and other Windows applications (Messenger?)
Provided by Active Directory in Windows
Provided by MIT Kerberos (default) or Heimdal Kerberos in UNIX
Used for authentication
Configuration file is /etc/krb5.conf
Data file is /etc/krb5.keytab

The Active Directory REALM name is the uppercase equivalent of the DNS domain name.

Time Synchronization

Kerberos requires time to be synchronized between computers, usually within 5 minutes.

In UNIX, setup NTP to synchronize to your Active Directory Server with the following setting in /etc/ntp.conf:

server thsdc1

Note: Make sure to comment out all other server settings.

[edit]

Ports

88 for the KDC
749 for the administration server
3268 for LDAP to global catalog server

[edit]

Encryption

Active Directory supports the following types of encryption:

DES-CRC (also called des-cbc-crc, not recommended)
DES-MD5 (also called des-cbc-md5)
RC4-HMAC (most secure, might not be support by all UNIX programs)

Corresponding /etc/krb5.conf snippet:

default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

Retrieved from "http://michael.susens-schurter.com/interop/Kerberos"

Category: Kerberos

Kerberos

From InteropWiki

Time Synchronization

Ports

Encryption

Views

Personal tools

Navigation

Search

Toolbox