Single Sign-on

Single Sign-on
Active Directory and CU Kerberos
Technical Support Provider Forum
January 19, 2005
Moe Arif
Systems Administrator
CIT Systems and Operations

Objectives

  • Present an overview of Active Directory and how it can be integrated with campus infrastructure

  • Discuss the costs, benefits and challenges of campus-wide deployment

  • Get feedback, share ideas from campus admins

  • Take this information back to CIT management


  • Overview of Active Directory (AD)

    • Brief and quick list of features

    • Non-technical

  • Campus Integration

    • DNS

    • Kerberos (K5) authentication

  • Pros and Cons

  • CIT’s current infrastructure

  • Q & A

About the Speaker

  • Windows Systems Administrator

    • Programmer/Analyst Specialist

    • 4+ years at CIT

  • Experience

    • Currently manage 80+ servers

    • Windows 2003, 2000 (and NT)

    • Servers running databases, IIS, clusters, middleware

  • Focus

    • Manage server environment efficiently

    • Limited to controlled server environment

Active Directory: Overview

  • AD is a Directory service

    • structured repository of people and resources in an organization

    • Released with Windows 2000 Server

  • LDAP Compliant (LDAPv3 protocol)

  • Logical structure

    • Consists of objects, OUs, domains, trees, forest

  • Physical structure

    • Domain controllers, LAN/WAN and sites

Active Directory: Building Blocks

Active Directory: How it works

  • Servers that are Domain Controllers

    • AD database contains the objects

  • Schema

    • Can be extended

  • Flexible Single Master Operation (FSMO)

    • Five Roles (PDC, RID, Infrastructure, Schema Master, Domain Naming)

  • Global Catalog (GC)

    • Smaller copy of AD and searches
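
The slide lists the five FSMO roles and the Global Catalog without showing how to find out which domain controllers actually hold them. The following script is an added example, not part of the presentation; it assumes the RSAT ActiveDirectory module is installed and the caller has ordinary read access to the forest and domain.

```powershell
# Added example (not from the presentation): list the five FSMO role holders
# and every Global Catalog server, then ping each role holder.
# Assumes the RSAT ActiveDirectory module and read access to AD.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles: exactly one holder in the whole forest.
    [PSCustomObject]@{ Role = 'Schema Master';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'Domain Naming Master';  Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: exactly one holder per domain.
    [PSCustomObject]@{ Role = 'PDC Emulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [PSCustomObject]@{ Role = 'RID Master';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [PSCustomObject]@{ Role = 'Infrastructure Master'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

# A role holder that does not answer is worth knowing about before a schema
# change, a RID pool exhaustion or a password-change storm lands on it.
Get-FsmoRoleHolders | ForEach-Object {
    $_ | Add-Member -NotePropertyName Reachable `
                    -NotePropertyValue (Test-Connection -ComputerName $_.Holder -Count 1 -Quiet) `
                    -PassThru
} | Format-Table -AutoSize

# Global Catalogs hold a partial, read-only copy of every domain in the forest
# and answer forest-wide searches (LDAP port 3268).
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IPv4Address |
    Format-Table -AutoSize
```

The same information is available from the older tools the slides mention (`netdom query fsmo`, `dcdiag`), but a script like this can be run on a schedule so that a moved or unreachable role holder is noticed before it matters.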

Active Directory: How it works

  • DNS

    • Heavily relies on SRV records

    • Dynamically updates records

  • Kerberos

    • Kerberos authentication under the hood

    • KDC runs on Domain Controllers

  • More on DNS and Kerberos later

Active Directory: Features

  • Group Policy

    • Powerful feature

    • Control user and computer settings

    • Deploy to large number of systems

    • Can be applied to Site, Domain and OUs

  • Software Deployment

    • Via Group Policy (GPOs)

    • Install, upgrade, and remove

    • Control over installation via GPO

Active Directory: Management

  • Snap-ins and Tools for managing AD

  • MMC

    • ADUC, domains/trust, Sites/services

  • OUs to organize objects

    • Apply GPOs

    • Delegate control

  • Group Policy

    • Group Policy Management Console

    • gpupdate.exe utility (secedit in 2000)

    • gpresult.exe

Active Directory: Management

  • Command-line tools and other utilities

    • Ntdsutil, ldifde, csvde

    • dsadd, dsget, dsrm, dsmod

    • ldp.exe (GUI)

    • replmon, repadmin, dcdiag

    • Admin tools (adminpak.msi)

    • Resource Kit and RK Tools (free)

    • WMI and wmic.exe

    • Many, many others

Integration: DNS

  • DNS is a must for AD to function

    • Run DNS servers under Windows

    • DCs (and desktops) perform dynamic updates (DDNS)

  • BIND can be set up for DDNS

    • CIT no longer offering DDNS

  • CIT recommended method


    • Search “dynamic DNS” at CIT website

Integration: DNS

  • How to configure:

    • Install DNS service on your server

    • On the DC, configure DNS server addresses to be the server’s IP address (i.e. point to itself)

    • Configure desktop to point to CIT’s DNS

    • NS pointer on DNSDB points to your DNS server for these zones

      • Configured via DNSDB web page

  • _msdcs

  • _sites

  • _tcp

  • _udp


Integration: DNS

  • Net Result:

    • AD servers happily update records

    • Desktops query CUDNS for SRV records

      • The records are served by the Windows DNS servers due to NS pointer

  • Register desktops with DNSDB

    • Network Registry requirement

    • Manually or batch upload

    • Non-AD integrated DNS servers have records in text file

      • Look in %systemroot%\system32\dns
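
The two DNS slides above describe the delegation of the `_msdcs`, `_sites`, `_tcp` and `_udp` subzones to the Windows DNS server, the SRV lookups desktops make through the campus resolver, and the DC pointing at its own DNS service. The script below is an added example, not part of the presentation, that checks each of those conditions. It assumes `Resolve-DnsName` (DnsClient module, Windows 8 / Server 2012 or newer); `$Domain` and `$CampusDns` are placeholders, and step 3 is only meaningful when run on the DC itself.

```powershell
# Added example (not from the presentation): verify the DNS plumbing AD needs
# for one domain. Assumes Resolve-DnsName (DnsClient module). $Domain and
# $CampusDns are placeholders for your AD domain and the campus resolver.
$Domain    = 'ad.example.cornell.edu'   # placeholder: your AD domain name
$CampusDns = '192.0.2.53'               # placeholder: campus resolver (TEST-NET address)

function Test-AdDnsRecord {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $Type }
        # SRV answers carry NameTarget/Port; NS answers carry NameHost.
        $summary = $answers | ForEach-Object {
            if ($Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.NameHost }
        }
        [PSCustomObject]@{ Query = "$Type $Name"; Via = $Server; Ok = [bool]$answers; Answer = ($summary -join ', ') }
    } catch {
        [PSCustomObject]@{ Query = "$Type $Name"; Via = $Server; Ok = $false; Answer = $_.Exception.Message }
    }
}

$results = @()

# 1. The NS pointers registered in DNSDB must hand these subzones to the Windows DNS server.
foreach ($sub in '_msdcs', '_sites', '_tcp', '_udp') {
    $results += Test-AdDnsRecord -Name "$sub.$Domain" -Type NS -Server $CampusDns
}

# 2. What a desktop asks the campus resolver when it looks for a DC and a KDC.
$results += Test-AdDnsRecord -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $CampusDns
$results += Test-AdDnsRecord -Name "_kerberos._tcp.$Domain"       -Type SRV -Server $CampusDns
$results += Test-AdDnsRecord -Name "_ldap._tcp.$Domain"           -Type SRV -Server $CampusDns

$results | Format-Table -AutoSize
$failed = $results | Where-Object { -not $_.Ok }
if ($failed) { Write-Warning "$($failed.Count) AD DNS lookups failed; domain join and logon will be unreliable." }

# 3. On the DC: its DNS client must point at itself (or another DC running DNS),
#    never at the campus resolver, or its dynamic SRV registrations go nowhere.
$localIps   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$clientDns  = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$selfServed = $clientDns | Where-Object { $localIps -contains $_ }
if ($selfServed) { "DNS client uses local address(es): $($selfServed -join ', ')" }
else { Write-Warning "DNS client servers are $($clientDns -join ', '); a DC should point at its own DNS service." }

# 4. Standard (non-AD-integrated) zones are the plain text files the slide mentions.
Get-ChildItem -Path "$env:SystemRoot\System32\dns" -Filter '*.dns' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length
```

Run it from a desktop first, so the lookups go through the same resolver path desktops use; a failure in step 1 or 2 there means the NS delegation in DNSDB is wrong even if the DC resolves everything locally.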

Integration: DNS

  • Live Demo

    • DNS Server config

    • *.dns files

    • IP configuration

    • DNSDB NS records

Integration: CIT Kerberos

  • AD supports cross-domain authentication to non-AD domains

  • CIT K5 realm “CIT.CORNELL.EDU”

    • One way trust

    • K5 domain is the trusted domain

  • Once established, users can login to AD domains using their NetID and Kerberos password

  • Result: Single Sign-on

Integration: CIT Kerberos

How to configure

  • AD should be installed as usual

  • E-mail [email protected]

    • Need Domain name

    • Password will be given to you

  • CIT’s current practice

    • Will set up one-way trust to K5 realm

    • Technical support may be limited

      • Meeting with LDAP group, more testing, security, documentation

Integration: CIT Kerberos

  • In Active Dir Domains and Trusts

    • Properties → Trusts

    • Domains trusted by this domain

      • ‘Add’ button in Win2000

      • ‘New Trust’ button in Win2003

  • Domain name: CIT.CORNELL.EDU

    • Must be uppercase

    • Will need password

    • Reboot server

Integration: CIT Kerberos

  • Need to create name mappings

    • Turn on Advanced Features in ADUC

    • User Name → Name Mappings

    • <netid>@CIT.CORNELL.EDU

    • AD accounts can be any format

    • Password can be anything (complex)

  • Install Kerberos utilities from OS CD

    • Part of Support Tools

    • <CD>:\support\tools\setup.exe

Integration: CIT Kerberos

  • Command prompt magic: ksetup.exe

    • ksetup /addkdc CIT.CORNELL.EDU

    • Adds Kerberos domain at logon screen

      • Desktops and Servers (GPO)

  • On-line Document


    • Search “Windows 2000 Kerberos” on CIT website

Integration: CIT Kerberos

  • Must create name mappings

    • Can be scripted

  • Authentication works from domain login screen only

  • Issues with non-members

    • Drive mapping, printing etc.

    • Down level clients

    • Some applications may have problem

    • What about non-windows machines?

Integration: CIT Kerberos

  • Live Demo

    • Authenticate to CIT realm

    • Domain trust setup screen

    • Name mappings example

    • ksetup.exe
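
The CIT Kerberos slides above give three manual steps (the realm trust in AD Domains and Trusts, a name mapping per user in ADUC, and `ksetup /addkdc` on each machine) and note that the name mappings can be scripted. The script below is an added example, not part of the presentation. It assumes the RSAT ActiveDirectory module, that the outgoing realm trust to CIT.CORNELL.EDU has already been created, a CSV file (placeholder path) with `SamAccountName,NetID` columns, and `ksetup.exe` on the path; `$KdcHost` is a placeholder, and the `altSecurityIdentities` attribute is what the ADUC Name Mappings dialog writes.

```powershell
# Added example (not from the presentation): script the trust check, the
# name mappings and the ksetup step the slides perform by hand.
# Assumes the RSAT ActiveDirectory module; $KdcHost and $CsvPath are placeholders.
Import-Module ActiveDirectory

$Realm   = 'CIT.CORNELL.EDU'         # realm names are case-sensitive: keep uppercase
$KdcHost = 'kdc.cit.example'         # placeholder KDC host name
$CsvPath = '.\netid-mappings.csv'    # placeholder CSV: SamAccountName,NetID per row

# 1. Verify the trust exists and points the right way: AD trusts the realm,
#    which from AD's side is an outgoing (Outbound) trust.
$trust = Get-ADTrust -Filter "Name -eq '$Realm'"
if (-not $trust) { throw "No trust object named $Realm; create it in AD Domains and Trusts first." }
"Trust $($trust.Name): type=$($trust.TrustType) direction=$($trust.Direction) (expected Outbound)"

# 2. Name mappings. ADUC's Name Mappings -> Kerberos Names tab stores
#    'Kerberos:<principal>@<REALM>' in altSecurityIdentities; do the same from
#    a CSV, and refuse to map one realm principal to two AD accounts.
function Add-RealmMapping {
    param([string]$SamAccountName, [string]$NetID)
    $principal = "Kerberos:$NetID@$Realm"
    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $principal) {
        return "unchanged  $SamAccountName already mapped to $principal"
    }
    $clash = Get-ADUser -LDAPFilter "(altSecurityIdentities=$principal)"
    if ($clash) {
        return "skipped    $principal is already mapped to $($clash.SamAccountName)"
    }
    Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $principal }
    return "mapped     $SamAccountName -> $principal"
}

Import-Csv -Path $CsvPath | ForEach-Object {
    Add-RealmMapping -SamAccountName $_.SamAccountName -NetID $_.NetID
}

# 3. Tell the Kerberos client about the realm and its KDC so the realm shows up
#    in the logon screen's domain list. This must run on every desktop and
#    server (e.g. from a GPO startup script); /dumpstate shows the result.
& ksetup.exe /addkdc $Realm $KdcHost
& ksetup.exe /dumpstate
```

Omitting `$KdcHost` in the `/addkdc` call, as the slide does, makes the client locate the KDC through DNS, which is fine once the `_kerberos._tcp` SRV records for the realm resolve. Because logon for a mapped account goes through the realm, the AD account's own password can be set to a long random value, which is what the slide's "Password can be anything (complex)" allows.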

Single Sign-on: Pros and cons

  • Single Sign-on

    • Same NetID/password

  • Centrally managed NetIDs for AD

    • Future synchronization with LDAP

    • Add/remove NetIDs automatically

  • CIT managed Domain Controllers

    • Better reliability, fault tolerance etc.

    • Smaller depts. don’t have to run DCs

    • Work Force Planning

Single Sign-on: Pros and cons

  • Decentralized management

    • Delegation of control

    • Admins have full control over OUs

    • Domains have separate admins

  • Manageability

    • GPOs to manage large number of desktops

    • Software deployment or removal

    • RIS for new systems

Single Sign-on: Pros and cons

  • Usability

    • Powerful search capability

      • e.g. find plotter with special feature

    • Easier to setup rights across depts.

      • e.g. user with multiple appointments

Single Sign-on: Pros and cons

  • Central Authority

    • CIT is Enterprise Admin

    • Full control over everything

      • Can be blocked to prevent accidents

      • Blocks can be easily removed

  • Security

    • Privilege elevation vulnerabilities

    • Human error and misconfiguration

    • Malicious attack
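
The two concerns raised above, a central authority with forest-wide control and the risk from privilege elevation or misconfiguration, are mostly managed by keeping the forest-wide groups small and by knowing where inherited policy has been blocked. The script below is an added example, not part of the presentation; it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the forest root domain.

```powershell
# Added example (not from the presentation): audit forest-wide privileged
# group membership and list OUs that block GPO inheritance.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
$root   = $forest.RootDomain          # Enterprise/Schema Admins exist only here

function Get-PrivilegedMembers {
    param([string]$Group, [string]$Server)
    # -Recursive expands nested groups, so accounts hidden one level down are listed too.
    Get-ADGroupMember -Identity $Group -Server $Server -Recursive | ForEach-Object {
        [PSCustomObject]@{ Group = $Group; Member = $_.SamAccountName; Class = $_.objectClass }
    }
}

$findings = @()
$findings += Get-PrivilegedMembers -Group 'Schema Admins'     -Server $root
$findings += Get-PrivilegedMembers -Group 'Enterprise Admins' -Server $root
$findings += Get-PrivilegedMembers -Group 'Domain Admins'     -Server (Get-ADDomain).DNSRoot
$findings | Format-Table -AutoSize

# Schema Admins should be empty between schema extensions: membership is only
# needed for the minutes a forest-wide, permanent extension is being applied.
$schema = $findings | Where-Object Group -eq 'Schema Admins'
if ($schema) { Write-Warning "Schema Admins is not empty: $(($schema.Member) -join ', ')" }

# Each OU that blocks inheritance is a place where a central policy silently
# stops applying. List them so every block is deliberate rather than accidental.
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $inheritance = Get-GPInheritance -Target $_.DistinguishedName
    if ($inheritance.GpoInheritanceBlocked) {
        [PSCustomObject]@{ OU = $_.DistinguishedName; InheritanceBlocked = $true }
    }
} | Format-Table -AutoSize
```

Run on a schedule, the output is a short list that changes rarely; a new name in Enterprise Admins or a new blocked OU is exactly the kind of human error or misconfiguration the slide is worried about, and it is far easier to catch as a diff than to discover after the fact.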

Single Sign-on: Pros and cons

  • Schema

    • Schema extensions are forest-wide

      • Yikes!

    • Additional load on DCs, replication

      • Example: MS Exchange

    • Schema extensions are permanent

      • In Windows 2003, can be disabled

    • Some extensions may become obsolete

      • Example: software no longer used

  • So, these are bad things but …

Single Sign-on: Pros and cons

  • Some thoughts about disadvantages

    • Schema extensions aren’t that bad

    • Similar security risks exist in separate domain

      • CIT can offer good security practices

    • CIT as Enterprise admin

      • CIT runs other more critical services that are already trusted

  • IMHO: Overall, pros outweigh the cons

CIT’s Current Infrastructure

  • Empty Root

    • Installed in 2001

    • Place holder for

    • May be populated with NetIDs if “Go”

  • Under

    • – Internal CIT use

    • – Public labs

    • Separate domain tree for CIT managed Windows servers

  • Many larger organizations already running separate domains

Costs, Benefits, Challenges

  • Costs:

    • Will need more powerful servers

    • Integration with LDAP

      • Project will need investigation

    • Managing Enterprise level AD

      • Non-trivial task

      • Creating OUs, objects, rights etc.

      • Everyday care and feed

      • Need a dedicated person (or 2 or 3)

Costs, Benefits, Challenges

  • Benefits:

    • Is it really good for Cornell?

  • Challenges:

    • Convincing important folks to approve this service

    • Funding

    • Collaboration

    • What about existing separate domains?

  • Active Directory is here to stay

  • Many schools have implemented large or campus-wide ADs

  • Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?

  • I don’t have all the answers

  • What are your thoughts?

  • What would you like to see at Cornell?

  • What can I take back to CIT management?

  • Should we form an Active Directory focus group and decide?

  • Questions, comments, suggestions

Thank You

Open Discussion, and Q&A