Single Sign-on: Active Directory and CU Kerberos
Technical Support Provider Forum, January 19, 2005
Moe Arif, Systems Administrator, CIT Systems and Operations





Objectives

  • Present an overview of Active Directory and how it can be integrated with campus infrastructure

  • Discuss the costs, benefits and challenges of campus-wide deployment

  • Get feedback, share ideas from campus admins

  • Take this information back to CIT management



Agenda

  • Overview of Active Directory (AD)

    • Brief and quick list of features

    • Non-technical

  • Campus Integration

    • DNS

    • Kerberos (K5) authentication

  • Pros and Cons

  • CIT’s current infrastructure

  • Q & A



About the Speaker

  • Windows Systems Administrator

    • Programmer/Analyst Specialist

    • 4+ years at CIT

  • Experience

    • Currently manage 80+ servers

    • Windows 2003, 2000 (and NT)

    • Servers running databases, IIS, clusters, middleware

  • Focus

    • Manage server environment efficiently

    • Limited to controlled server environment



Active Directory: Overview

  • AD is a Directory service

    • structured repository of people and resources in an organization

    • Released with Windows 2000 Server

  • LDAP Compliant (LDAPv3 protocol)

  • Logical structure

    • Consists of objects, OUs, domains, trees, forest

  • Physical structure

    • Domain controllers, LAN/WAN and sites



Active Directory: Building Blocks



Active Directory: How it works

  • Servers that are Domain Controllers

    • AD database contains the objects

  • Schema

    • Can be extended

  • Flexible Single Master Operation (FSMO)

    • Five Roles (PDC, RID, Infrastructure, Schema Master, Domain Naming)

  • Global Catalog (GC)

    • Partial replica of every domain in the forest (a subset of attributes), used for forest-wide searches



Active Directory: How it works

  • DNS

    • Heavily relies on SRV records

    • Dynamically updates records

  • Kerberos

    • Kerberos authentication under the hood

    • KDC runs on Domain Controllers

  • More on DNS and Kerberos later



Active Directory: Features

  • Group Policy

    • Powerful feature

    • Control user and computer settings

    • Deploy to large number of systems

    • Can be applied to Site, Domain and OUs

  • Software Deployment

    • Via Group Policy (GPOs)

    • Install, upgrade, and remove

    • Control over installation via GPO



Active Directory: Management

  • Snap-ins and Tools for managing AD

  • MMC

    • ADUC, domains/trust, Sites/services

  • OUs to organize objects

    • Apply GPOs

    • Delegate control

  • Group Policy

    • Group Policy Management Console

    • gpupdate.exe utility (secedit in 2000)

    • gpresult.exe



Active Directory: Management

  • Command-line tools and other utilities

    • Ntdsutil, ldifde, csvde

    • dsadd, dsget, dsrm, dsmod

    • ldp.exe (GUI)

    • replmon, repadmin, dcdiag

    • Admin tools (adminpak.msi)

    • Resource Kit and RK Tools (free)

    • WMI and wmic.exe

    • Many, many others



Integration: DNS

  • DNS is a must for AD to function

    • Run DNS servers under Windows

    • DCs (and desktops) perform dynamic updates (DDNS)

  • BIND can be set up for DDNS

    • CIT no longer offering DDNS

  • CIT recommended method

    • http://www.cit.cornell.edu/computer/system/win2000/dns/

    • Search “dynamic DNS” at CIT website


Integration: DNS

  • How to configure:

    • Install the DNS service on your server

    • On the DC, configure the DNS server addresses to be the server's own IP address (i.e. point to itself)

    • Configure desktops to point to CIT's DNS

    • NS pointers on DNSDB point to your DNS server for these zones (configured via the DNSDB web page):

      • _msdcs

      • _sites

      • _tcp

      • _udp



Integration: DNS

  • Net Result:

    • AD servers happily update records

    • Desktops query CUDNS for SRV records

      • The records are served by the Windows DNS servers due to NS pointer

  • Register desktops with DNSDB

    • Network Registry requirement

    • Manually or batch upload

    • Non-AD-integrated zones are stored as text files

      • Look in %systemroot%\system32\dns
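A check for the setup above, added here as an example (it is not from the presentation or from CIT's documentation): a Windows PowerShell script that asks the campus resolver and your Windows DNS server for the records a domain member needs and reports where they disagree. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName; the domain name and the two server names are hypothetical placeholders you replace with your own.

```powershell
# Added example, not from the presentation: verify the NS delegation and the
# SRV records that AD clients depend on, as seen from the campus DNS server
# and from the Windows DNS server on the DC.
# Assumptions: DnsClient module (Windows 8 / Server 2012+); all names below
# are hypothetical placeholders.
param(
    [string]$Domain     = 'dept.cornell.edu',       # your AD domain (hypothetical)
    [string]$CampusDns  = 'cudns.cit.cornell.edu',  # resolver the desktops use (hypothetical)
    [string]$WindowsDns = 'dc1.dept.cornell.edu'    # DC running Windows DNS (hypothetical)
)

# SRV names a domain member looks up to find DCs, KDCs, the password-change
# service and a global catalog. The first two live under _msdcs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_gc._tcp.$Domain"
)

# The four subzones DNSDB must delegate (NS) to the Windows DNS server.
$delegated = @('_msdcs', '_sites', '_tcp', '_udp') | ForEach-Object { "$($_).$Domain" }

function Get-Targets([string]$Name, [string]$Type, [string]$Server) {
    # Query one server directly (-DnsOnly skips the local cache and LLMNR/NetBIOS),
    # and keep only records of the requested type (SRV answers carry extra A records).
    $records = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    if ($Type -eq 'SRV') {
        return @($records | Where-Object { $_.Type -eq 'SRV' } |
                 ForEach-Object { "$($_.NameTarget):$($_.Port)" } | Sort-Object)
    }
    return @($records | Where-Object { $_.Type -eq 'NS' } |
             ForEach-Object { $_.NameHost.ToLowerInvariant() } | Sort-Object)
}

$problems = 0

# 1. Does the campus server hand the four subzones to the Windows DNS server?
foreach ($zone in $delegated) {
    $ns = Get-Targets $zone 'NS' $CampusDns
    if ($ns -notcontains $WindowsDns.ToLowerInvariant()) {
        Write-Warning "$zone : campus DNS does not delegate to $WindowsDns (NS = $($ns -join ', '))"
        $problems++
    }
}

# 2. Did netlogon register the SRV records, and do desktops (via campus DNS)
#    get the same answer as a query straight to the DC?
foreach ($name in $srvNames) {
    $viaCampus  = Get-Targets $name 'SRV' $CampusDns
    $viaWindows = Get-Targets $name 'SRV' $WindowsDns
    if ($viaWindows.Count -eq 0) {
        Write-Warning "$name : not registered on $WindowsDns (netlogon registration failed?)"
        $problems++
    } elseif ($viaCampus.Count -eq 0 -or (Compare-Object $viaCampus $viaWindows)) {
        Write-Warning "$name : campus answer ($($viaCampus -join ', ')) differs from DC answer ($($viaWindows -join ', '))"
        $problems++
    } else {
        Write-Host "$name -> $($viaWindows -join ', ')"
    }
}

if ($problems) { Write-Warning "$problems problem(s) found" } else { Write-Host 'All AD DNS records resolve consistently' }
```

Run it from any domain member after the delegation is in place. Two caveats worth remembering with this design: the delegation decides where every client finds its KDCs, so access to the DNSDB entries for those four zones needs the same protection as the DCs themselves; and Windows DNS offers secure (authenticated) dynamic updates only for AD-integrated zones, so a standard primary zone on the DC either refuses dynamic updates or accepts them from any host on the network, which is why the desktop records are better registered through DNSDB as described above.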



Integration: DNS

  • Live Demo

    • DNS Server config

    • *.dns files

    • IP configuration

    • DNSDB NS records



Integration: CIT Kerberos

  • AD supports trusts to non-Windows Kerberos realms (realm trusts), so users from another Kerberos realm can be authenticated

  • CIT K5 realm "CIT.CORNELL.EDU"

    • One-way trust

    • The K5 realm is the trusted side; the AD domain is the trusting side (AD accepts the realm's users, the realm does not trust AD)

  • Once established, users can log in to AD domains using their NetID and Kerberos password

  • Result: Single Sign-on



Integration: CIT Kerberos

How to configure

  • AD should be installed as usual

  • E-mail [email protected]

    • Provide your AD domain name

    • CIT will give you the trust password

  • CIT’s current practice

    • Will set up one-way trust to K5 realm

    • Technical support may be limited

      • Meeting with LDAP group, more testing, security, documentation



Integration: CIT Kerberos

  • In Active Directory Domains and Trusts

    • Properties → Trusts

    • Domains trusted by this domain

      • ‘Add’ button in Win2000

      • ‘New Trust’ button in Win2003 (the wizard creates a realm trust)

  • Domain name: CIT.CORNELL.EDU

    • Must be uppercase (Kerberos realm names are case-sensitive and the CIT realm is upper case)

    • Enter the trust password obtained from CIT

    • Reboot the server



Integration: CIT Kerberos

  • Need to create name mappings

    • Turn on Advanced Features in ADUC (View menu)

    • Right-click the user → Name Mappings → Kerberos Names

    • Add <netid>@CIT.CORNELL.EDU

    • The AD account name can be any format; it does not have to match the NetID

    • The AD account's own password can be anything complex; nobody types it, but it still works at any AD logon prompt, so make it long and random

  • Install Kerberos utilities from the OS CD

    • Part of Support Tools

    • <CD>:\support\tools\setup.exe



Integration: CIT Kerberos

  • Command prompt magic: ksetup.exe

    • ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu

    • ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu

    • Adds the Kerberos realm to the "Log on to" list at the logon screen

      • Run on desktops and servers (deploy via GPO)

  • On-line Document

    • http://www.cit.cornell.edu/computer/system/win2000/kerberos/

    • Search “Windows 2000 Kerberos” on CIT website



Integration: CIT Kerberos

  • Must create name mappings

    • Can be scripted

  • Authentication to the realm works from the domain logon screen only

  • Issues with non-members

    • Drive mapping, printing etc.

    • Down-level clients

    • Some applications may have problems

    • What about non-Windows machines?
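The name-mapping step above, scripted, as an added example (not from the presentation and not CIT's documented procedure). What the ADUC Name Mappings dialog writes is the multi-valued altSecurityIdentities attribute, one value of the form Kerberos:<netid>@CIT.CORNELL.EDU per mapping, so the script appends exactly that value with the DirectoryServices classes from Windows PowerShell and then sets a long random password on the mapped account. It assumes you run it as an administrator of the AD domain from a domain member; the OU path and the NetID/account pairs are constructed sample data.

```powershell
# Added example, not from the presentation: create Kerberos name mappings for
# a batch of NetIDs. ADUC's "Name Mappings" dialog writes the multi-valued
# altSecurityIdentities attribute as "Kerberos:<principal>@<REALM>".
# Assumptions: run as a domain admin on a domain member; the OU and the
# NetID/account pairs are constructed sample data.
param(
    [string]$Realm      = 'CIT.CORNELL.EDU',
    [string]$SearchBase = 'LDAP://OU=Staff,DC=dept,DC=cornell,DC=edu'   # hypothetical OU
)

# Constructed sample input: NetID in the K5 realm -> sAMAccountName in AD.
$mappings = @(
    @{ NetId = 'abc12'; Sam = 'abc12' },
    @{ NetId = 'xyz9';  Sam = 'xyz9-staff' }
)

# The trust was created with the realm in upper case and Kerberos compares
# realm names case-sensitively; refuse anything else rather than silently
# producing mappings that never match.
if ($Realm -cne $Realm.ToUpperInvariant()) { throw "Realm must be upper case: $Realm" }

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a NetID list cannot inject LDAP filter syntax.
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00')
}

function Find-AdUser([string]$Sam) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Sam)))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No AD account '$Sam' under $SearchBase" }
    return $result.GetDirectoryEntry()
}

function New-RandomPassword([int]$Length = 32) {
    # A mapped account keeps its own AD password, which still works at any AD
    # logon prompt, so set a long random one that nobody knows.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: no modulo bias
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

foreach ($m in $mappings) {
    $user    = Find-AdUser $m.Sam
    $mapping = "Kerberos:$($m.NetId)@$Realm"
    $attr    = $user.psbase.Properties['altSecurityIdentities']
    if (@($attr) -contains $mapping) {
        Write-Host "$($m.Sam): already mapped to $mapping"
    } else {
        [void]$attr.Add($mapping)          # append; other mappings on the account are kept
        $user.psbase.CommitChanges()
        Write-Host "$($m.Sam): added mapping $mapping"
    }
    # Set (and never display) a long random AD password for the mapped account.
    $user.psbase.Invoke('SetPassword', (New-RandomPassword))
    $user.psbase.CommitChanges()
}
```

The script only covers the directory side; the trust itself still comes from the Domains and Trusts console with the password CIT provides, and the two ksetup /addkdc lines above still have to run on every machine that shows the logon screen (a GPO startup script is the natural place). Keep the NetID list under change control: a mapping is an authentication decision, and whoever can edit altSecurityIdentities on an account can decide which realm principal logs in as it.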


Integration: CIT Kerberos

  • Live Demo

    • Authenticate to CIT realm

    • Domain trust setup screen

    • Name mappings example

    • ksetup.exe


Single Sign-on: Pros and cons

Advantages

  • Single Sign-on

    • Same NetID/password

  • Centrally managed NetIDs for AD

    • Future synchronization with LDAP

    • Add/remove NetIDs automatically

  • CIT managed Domain Controllers

    • Better reliability, fault tolerance etc.

    • Smaller depts. don’t have to run DCs

    • Work Force Planning


Single Sign-on: Pros and cons

  • Decentralized management

    • Delegation of control

    • Admins have full control over OUs

    • Domains have separate admins

  • Manageability

    • GPOs to manage large number of desktops

    • Software deployment or removal

    • RIS for new systems


Single Sign-on: Pros and cons

  • Usability

    • Powerful search capability

      • e.g. find plotter with special feature

    • Easier to set up rights across depts.

      • e.g. user with multiple appointments


Single Sign-on: Pros and cons

Disadvantages

  • Central Authority

    • CIT is Enterprise Admin

    • Full control over everything

      • Can be blocked to prevent accidents

      • Blocks can be easily removed

  • Security

    • Privilege elevation vulnerabilities (the forest, not the domain, is the security boundary: a domain admin in any domain of the forest can escalate to forest-wide control)

    • Human error and misconfiguration

    • Malicious attack


Single Sign-on: Pros and cons

  • Schema

    • Schema extensions are forest-wide

      • Yikes!

    • Additional load on DCs, replication

      • Example: MS Exchange

    • Schema extensions are permanent

      • In Windows 2003 (forest functional level), attributes and classes can be deactivated but not deleted

    • Some extensions may become obsolete

      • Example: software no longer used

  • So, these are bad things but …


Single Sign-on: Pros and cons

  • Some thoughts about disadvantages

    • Schema extensions aren’t that bad

    • Similar security risks exist in separate domain

      • CIT can offer good security practices

    • CIT as Enterprise admin

      • CIT runs other more critical services that are already trusted

  • IMHO: Overall, pros outweigh the cons


CIT’s Current Infrastructure

  • Empty Root

    • Installed in 2001

    • Place holder for cornell.edu

    • May be populated with NetIDs if “Go”

  • Under cornell.edu

    • citstaff.cornell.edu – Internal CIT use

    • citlabs.cornell.edu – Public labs

    • Separate domain tree for CIT managed Windows servers

  • Many larger organizations already running separate domains


Costs, Benefits, Challenges

  • Costs:

    • Will need more powerful servers

    • Integration with LDAP

      • Project will need investigation

    • Managing Enterprise level AD

      • Non-trivial task

      • Creating OUs, objects, rights etc.

      • Everyday care and feeding

      • Need a dedicated person (or 2 or 3)


Costs, Benefits, Challenges

  • Benefits:

    • Is it really good for Cornell?

  • Challenges:

    • Convincing important folks to approve this service

    • Funding

    • Collaboration

    • What about existing separate domains?


Conclusion

  • Active Directory is here to stay

  • Many schools have implemented large or campus-wide ADs

  • Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?


Conclusion

  • I don’t have all the answers

  • What are your thoughts?

  • What would you like to see at Cornell?

  • What can I take back to CIT management?

  • Should we form an Active Directory focus group and decide?

  • Questions, comments, suggestions

    • e-mail: [email protected]


Thank You

Open Discussion, and Q&A

