Also, HP offers their own solution...

Thanks,
jonw

Jonathan Wackley wrote:

> I thought that Micro$oft Kerberos is included in Win2000 and above. It may
> be a downloadable package, I'm not sure, I've not had to install it. MIT
> Kerberos is an add on that does not ship as part of the stock OS. I just saw
> a note that MIT Kerberos ships with NetBSD if I'm not mistaken. Not sure
> about the interoperability first hand, but in theory they should be
> compatible (with a little work) as they should conform to standard RFC 1510.
> In the UNIX world, there is SEAM (Solaris Enterprise authentication manager)
> on Solaris and DCE (Distributed Computing Environment) for IBM, linux
> installations use MIT. I've tested these installations with gssapi and for
> the most part they are compatible. It is interesting to note that IBM does
> not license their Kerberos solution directly, it is licensed as part of DCE.
> Here is a discussion about Kerberos Components in Win2000;
>
> from
> http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dscd_aun_ctig.htm
>
> Kerberos Components in Windows 2000
>
> Windows 2000 implements the KDC as a domain service. It uses Active
> Directory as its account database and gets additional information about
> security principals from the Global Catalog.
>
> As in other implementations of the Kerberos protocol, the KDC is a single
> process that provides two services.
>
> Authentication Service: The authentication service issues TGTs that are
> good for admission to the ticket-granting service in its domain. Before
> network clients can get tickets for services, they must obtain a TGT from
> the authentication service in the user's account domain.
>
> Ticket-Granting Service: The ticket-granting service issues tickets that
> are good for admission to other services in its own domain or for admission
> to the ticket-granting service of a trusted domain. When clients want access
> to a service, they must contact the ticket-granting service in the service's
> account domain, present a TGT, and ask for a session ticket. If the client
> does not have a TGT for admission to the ticket-granting service in the
> other domain, it must obtain one through the referral process that begins at
> the ticket-granting service in the user's account domain and ends at the
> ticket-granting service in the service's account domain.
>
> The KDC is located on every domain controller, as is the Active Directory
> service. Both services are started automatically by the domain controller's
> Local Security Authority (LSA) and run in the process space of the LSA.
> Neither service can be stopped. Windows 2000 ensures availability of these
> services by allowing each domain to have several domain controllers, all
> peers. Any domain controller can accept authentication requests and
> ticket-granting requests addressed to the domain's KDC.
>
> The security principal name used by the KDC in all Windows 2000 domains is
> krbtgt, as specified by RFC 1510. An account for this security principal is
> created automatically when a new Windows 2000 domain is created. The account
> cannot be deleted, nor can the account name be changed. A password is
> assigned to the KDC's account automatically; this password, like the
> passwords assigned to domain trust accounts, is changed on a regular
> schedule. The password for the KDC's account is used to derive a secret key
> for encrypting and decrypting the TGTs that the KDC issues. The password for
> a domain trust account is used to derive a Kerberos inter-realm key for
> encrypting and decrypting referral tickets.
>
> All instances of the KDC in a domain use the domain account for the security
> principal krbtgt. Clients address messages to a domain's KDC by including
> both the service's principal name (krbtgt) and the name of the domain. Both
> items of information are also used in tickets to identify the issuing
> authority.
>
> © 1985-2001 Microsoft Corporation. All rights reserved.
>
> Thanks,
> jonw
>
> Klingon wrote:
>
> > But as I understand it is not standard on any of these operating systems.
> > Let's say if I install win xp on my pc I won't have kerberos on it? If I
> > want kerberos I need to install it apart from windows? Is this correct?
> >
> > "Jonathan Wackley" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Klingon wrote:
> > >
> > > > Hi
> > > >
> > > > I am very new to the kerberos subject. I was wondering where it is
> > > > used. Is it used in any of our standard windows operating systems like
> > > > 95,98,nt,me,2000,mx,xp? Or is it maybe standard in any linux platforms
> > > > (which?)? If this isn't. Which people or organizations are glad to use
> > > > it for all safety kinds (maybe nasa?,..... I really don't know
> > > > actually)?
> > > >
> > > > These are a lot of questions at once, but can someone please explain me
> > > > some.
> > > >
> > > > Thx
> > > >
> > > > ________________________________________________
> > > > Kerberos mailing list [EMAIL PROTECTED]
> > > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> > > I started with kerberos in January. The system as I understand it works
> > > on most flavours of Windows, unix (including Linux) and Macintosh. The
> > > intro page for KfW (Kerberos for Windows) is located at;
> > >
> > > http://web.mit.edu/is/help/kfw/
> > >
> > > An introduction to kerberos in general can be found at;
> > >
> > > http://web.mit.edu/kerberos/www/
> > >
> > > In a nutshell, Kerberos is used as a replacement for standard
> > > authentication. The standard authentication mechanisms generally suffer
> > > from defects that can be exploited (Read: Hacked) to gain unauthorized
> > > access to an otherwise secure system. Simply, it is a mechanism to have
> > > stronger security on machines where the old password related programs
> > > are not enough.
> > >
> > > jonw
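
The authentication service, ticket-granting service and referral steps described in the quoted Microsoft text, modelled as an added example that is not part of the original thread and not Microsoft's or MIT's code. Assumptions: an HMAC tag stands in for ticket encryption, PBKDF2 stands in for the password-to-key derivation, only a direct trust between two domains is modelled, and all domain names, accounts and passwords are constructed.

```python
import hashlib, hmac, json

def derive_key(password, salt):
    # Stand-in for deriving a secret key from an account password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, body):
    # Integrity-only stand-in for ticket encryption; real tickets are encrypted.
    blob = json.dumps(body, sort_keys=True)
    return {"blob": blob, "tag": hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    tag = hmac.new(key, ticket["blob"].encode(), hashlib.sha256).hexdigest()
    return json.loads(ticket["blob"]) if hmac.compare_digest(tag, ticket["tag"]) else None

class KDC:
    def __init__(self, domain, krbtgt_password):
        self.domain, self.users, self.services, self.trusts = domain, set(), {}, {}
        self.krbtgt_key = derive_key(krbtgt_password, "krbtgt/" + domain)

    def authentication_service(self, user):
        if user not in self.users:
            raise PermissionError("unknown principal")
        return seal(self.krbtgt_key, {"client": user, "for": "krbtgt/" + self.domain})

    def ticket_granting_service(self, ticket, service, service_domain):
        keys = [self.krbtgt_key, *self.trusts.values()]  # local TGT or referral ticket
        body = next((b for k in keys if (b := unseal(k, ticket))), None)
        if body is None or body["for"] != "krbtgt/" + self.domain:
            raise PermissionError("not a ticket for this domain's TGS")
        if service_domain == self.domain:  # session ticket, under the service's key
            return seal(self.services[service], {"client": body["client"], "for": service})
        # Referral ticket, under the inter-realm key shared with the trusted domain.
        return seal(self.trusts[service_domain],
                    {"client": body["client"], "for": "krbtgt/" + service_domain})

def get_session_ticket(kdcs, user, home, service, service_domain):
    ticket = kdcs[home].authentication_service(user)  # TGT from the account domain
    ticket = kdcs[home].ticket_granting_service(ticket, service, service_domain)
    if home != service_domain:  # a referral came back: present it to the other TGS
        ticket = kdcs[service_domain].ticket_granting_service(ticket, service, service_domain)
    return ticket

def build_demo():  # constructed sample domains, accounts and passwords
    corp, lab = KDC("CORP.EXAMPLE", "krbtgt-pw-1"), KDC("LAB.EXAMPLE", "krbtgt-pw-2")
    corp.users.add("alice")
    lab.services["host/files.lab.example"] = derive_key("svc-pw", "host/files.lab.example")
    corp.trusts["LAB.EXAMPLE"] = lab.trusts["CORP.EXAMPLE"] = derive_key("trust-pw", "CORP-LAB")
    return {"CORP.EXAMPLE": corp, "LAB.EXAMPLE": lab}
```

In this model a TGT from one domain is useless at the other domain's ticket-granting service; only the referral ticket sealed under the shared inter-realm key is accepted there.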
