
Single Sign-on Active Directory and CU Kerberos Technical Support Provider Forum January 19, 2005 Moe Arif Systems Administrator CIT Systems and Operations.

Dec 20, 2015

Transcript
Page 1: Single Sign-on Active Directory and CU Kerberos Technical Support Provider Forum January 19, 2005 Moe Arif Systems Administrator CIT Systems and Operations.

Single Sign-on
Active Directory and CU Kerberos

Technical Support Provider Forum
January 19, 2005

Moe Arif
Systems Administrator
CIT Systems and Operations

Page 2

Objectives

- Present an overview of Active Directory and how it can be integrated with campus infrastructure
- Discuss the costs, benefits and challenges of campus-wide deployment
- Get feedback, share ideas from campus admins
- Take this information back to CIT management

Page 3

Agenda

- Overview of Active Directory (AD)
  - Brief and quick list of features
  - Non-technical
- Campus Integration
  - DNS
  - Kerberos (K5) authentication
- Pros and Cons
- CIT's current infrastructure
- Q & A

Page 4

About the Speaker

- Windows Systems Administrator
  - Programmer/Analyst Specialist
  - 4+ years at CIT
- Experience
  - Currently manage 80+ servers
  - Windows 2003, 2000 (and NT)
  - Servers running databases, IIS, clusters, middleware
- Focus
  - Manage server environment efficiently
  - Limited to controlled server environment

Page 5

Active Directory: Overview

- AD is a Directory service
  - Structured repository of people and resources in an organization
  - Released with Windows 2000 Server
  - LDAP compliant (LDAPv3 protocol)
- Logical structure
  - Consists of objects, OUs, domains, trees, forest
- Physical structure
  - Domain controllers, LAN/WAN and sites

Page 6

Active Directory: Building Blocks

Page 7

Active Directory: How it works

- Servers that are Domain Controllers
  - AD database contains the objects
- Schema
  - Can be extended
- Flexible Single Master Operation (FSMO)
  - Five roles (PDC, RID, Infrastructure, Schema Master, Domain Naming)
- Global Catalog (GC)
  - Smaller copy of AD and searches

Page 8

Active Directory: How it works

- DNS
  - Heavily relies on SRV records
  - Dynamically updates records
- Kerberos
  - Kerberos authentication under the hood
  - KDC runs on Domain Controllers
- More on DNS and Kerberos later

Page 9

Active Directory: Features

- Group Policy
  - Powerful feature
  - Control user and computer settings
  - Deploy to large number of systems
  - Can be applied to Site, Domain and OUs
- Software Deployment
  - Via Group Policy (GPOs)
  - Install, upgrade, and remove
  - Control over installation via GPO

Page 10

Active Directory: Management

- Snap-ins and tools for managing AD
  - MMC
    - ADUC, Domains and Trusts, Sites and Services
  - OUs to organize objects
    - Apply GPOs
    - Delegate control
- Group Policy
  - Group Policy Management Console
  - gpupdate.exe utility (secedit in 2000)
  - gpresult.exe

Page 11

Active Directory: Management

- Command-line tools and other utilities
  - Ntdsutil, ldifde, csvde
  - dsadd, dsget, dsrm, dsmod
  - ldp.exe (GUI)
  - replmon, repadmin, dcdiag
  - Admin tools (adminpak.msi)
  - Resource Kit and RK Tools (free)
  - WMI and wmic.exe
  - Many, many others

Page 12

Integration: DNS

- DNS is a must for AD to function
  - Run DNS servers under Windows
  - DCs (and desktops) perform dynamic updates (DDNS)
  - BIND can be set up for DDNS
  - CIT no longer offering DDNS
- CIT recommended method
  - http://www.cit.cornell.edu/computer/system/win2000/dns/
  - Search "dynamic DNS" at CIT website

Page 13

Integration: DNS

How to configure:

- Install DNS service on your server
- On the DC, configure DNS server addresses to be the server's IP address (i.e. point to itself)
- Configure desktop to point to CIT's DNS
- NS pointer on DNSDB points to your DNS server for these zones
  - Configured via DNSDB web page
  - _tcp
  - _udp
  - _msdcs
  - _sites

Page 14

Integration: DNS

Net Result:

- AD servers happily update records
- Desktops query CUDNS for SRV records
  - The records are served by the Windows DNS servers due to NS pointer
- Register desktops with DNSDB
  - Network Registry requirement
  - Manually or batch upload
- Non-AD integrated DNS servers have records in text file
  - Look in %systemroot%\system32\dns
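As an added example (not part of the slides and not CIT's own tooling), the following Python script checks the two things this slide depends on: that the zone text file the Windows DNS server keeps under %systemroot%\system32\dns carries the SRV records the DCs registered, and that the parent zone (the DNSDB NS pointers) delegates all four sub-zones to the Windows DNS server. The zone text, the domain dept.example.edu and the hosts dc1 and olddc are constructed placeholders; the parent-zone fragment stands in for what DNSDB would publish and is not DNSDB output. The stale SRV record pointing at olddc is included on purpose to show what the check catches.

```python
"""Parse a Windows DNS zone text file (the *.dns files under
%systemroot%\\system32\\dns use BIND-style zone syntax), list the SRV
records the domain controllers registered, and confirm that the parent
zone delegates the four AD sub-zones to the Windows DNS server.
All zone text here is constructed for this example."""
import re

# The sub-zones that DNSDB must delegate (NS pointer) to the AD DNS server.
AD_SUBZONES = ("_tcp", "_udp", "_msdcs", "_sites")

# Constructed sample in the style of %systemroot%\system32\dns\<zone>.dns.
# dept.example.edu, dc1 and olddc are placeholders, not real hosts.
AD_ZONE_FILE = """\
; constructed sample, not a real zone
$ORIGIN dept.example.edu.
@       IN SOA  dc1.dept.example.edu. hostmaster.dept.example.edu. ( 42 900 600 86400 3600 )
@       IN NS   dc1.dept.example.edu.
dc1     IN A    10.0.0.5
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 dc1.dept.example.edu.
_kerberos._tcp.dc._msdcs IN SRV 0 100 88  dc1.dept.example.edu.
_ldap._tcp               IN SRV 0 100 389 dc1.dept.example.edu.
_kerberos._udp           IN SRV 0 100 88  dc1.dept.example.edu.
_kerberos._tcp           IN SRV 0 100 88  olddc.dept.example.edu.
_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 dc1.dept.example.edu.
"""

# Constructed parent-zone fragment standing in for the NS pointers entered on
# the DNSDB web page.  _sites is deliberately left out to show the check.
PARENT_ZONE_FILE = """\
$ORIGIN dept.example.edu.
_tcp    IN NS dc1.dept.example.edu.
_udp    IN NS dc1.dept.example.edu.
_msdcs  IN NS dc1.dept.example.edu.
"""

# owner  [ttl]  IN  TYPE  rdata   (one record per line; SOA kept on one line)
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(text):
    """Return (origin, [(fqdn, type, rdata_tokens)]) for one zone text.

    Relative owner names are qualified with the current $ORIGIN; all names
    are lower-cased so that lookups are case-insensitive, as DNS names are."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue                              # $TTL etc. not needed here
        m = RECORD_RE.match(line)
        if not m:
            continue                              # continuation lines, if any
        name = m.group("name")
        fqdn = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        records.append((fqdn.lower(), m.group("type"), m.group("rdata").split()))
    return origin, records


def srv_records(records):
    """Map SRV owner name -> [(priority, weight, port, target)]."""
    out = {}
    for fqdn, rtype, rdata in records:
        if rtype == "SRV" and len(rdata) == 4:
            prio, weight, port, target = rdata
            out.setdefault(fqdn, []).append((int(prio), int(weight), int(port), target.lower()))
    return out


def check_delegation(parent_records, origin, dns_server):
    """Sub-zones whose NS pointer in the parent zone is missing or does not
    name the Windows DNS server; desktops would get no SRV answers for them."""
    problems = []
    for sub in AD_SUBZONES:
        fqdn = f"{sub}.{origin}".lower()
        targets = {r[2][0].lower() for r in parent_records if r[0] == fqdn and r[1] == "NS"}
        if dns_server.lower() not in targets:
            problems.append(sub)
    return problems


def srv_targets_without_a(records, srv):
    """SRV targets with no A record in the zone: stale or mistyped DC names
    that clients would pick and then fail to reach."""
    a_names = {fqdn for fqdn, rtype, _ in records if rtype == "A"}
    return sorted({t for entries in srv.values() for (_, _, _, t) in entries} - a_names)


if __name__ == "__main__":
    origin, ad_records = parse_zone(AD_ZONE_FILE)
    _, parent_records = parse_zone(PARENT_ZONE_FILE)
    srv = srv_records(ad_records)
    for name, entries in sorted(srv.items()):
        print(name, entries)
    print("sub-zones not delegated:", check_delegation(parent_records, origin, "dc1.dept.example.edu."))
    print("SRV targets without A record:", srv_targets_without_a(ad_records, srv))
```

Run against a real *.dns file from a non-AD-integrated DNS server and a dump of the DNSDB records for the same domain, the same two checks tell you whether "desktops query CUDNS for SRV records" will actually succeed for every sub-zone.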

Page 15

Integration: DNS

Live Demo

- DNS Server config
- *.dns files
- IP configuration
- DNSDB NS records

Page 16

Integration: CIT Kerberos

- AD supports cross-domain authentication to non-AD domains
- CIT K5 realm "CIT.CORNELL.EDU"
  - One-way trust
  - K5 domain is the trusted domain
- Once established, users can log in to AD domains using their NetID and Kerberos password
- Result: Single Sign-on

Page 17

Integration: CIT Kerberos

How to configure

- AD should be installed as usual
- E-mail [email protected]
  - Need domain name
  - Password will be given to you
- CIT's current practice
  - Will set up one-way trust to K5 realm
  - Technical support may be limited
  - Meeting with LDAP group, more testing, security, documentation

Page 18

Integration: CIT Kerberos

- In Active Directory Domains and Trusts: Properties, Trusts, "Domains trusted by this domain"
  - 'Add' button in Win2000
  - 'New Trust' button in Win2003
- Domain name: CIT.CORNELL.EDU
  - Must be uppercase
  - Will need password
  - Reboot server

Page 19

Integration: CIT Kerberos

- Need to create name mappings
  - Turn on Advanced Features in ADUC
  - User, Name Mappings: <netid>@CIT.CORNELL.EDU
  - AD accounts can be any format
  - Password can be anything (complex)
- Install Kerberos utilities from OS CD
  - Part of Support Tools
  - <CD>:\support\tools\setup.exe

Page 20

Integration: CIT Kerberos

- Command prompt magic: ksetup.exe
  - ksetup /addkdc CIT.CORNELL.EDU kerberos.cit.cornell.edu
  - ksetup /addkdc CIT.CORNELL.EDU kerberos2.cit.cornell.edu
- Adds Kerberos domain at logon screen
  - Desktops and servers (GPO)
- On-line document
  - http://www.cit.cornell.edu/computer/system/win2000/kerberos/
  - Search "Windows 2000 Kerberos" on CIT website

Page 21

Integration: CIT Kerberos

- Must create name mappings
  - Can be scripted
- Authentication works from domain login screen only
- Issues with non-members
  - Drive mapping, printing etc.
  - Down-level clients
  - Some applications may have problems
  - What about non-Windows machines?

Page 22

Integration: CIT Kerberos

Live Demo

- Authenticate to CIT realm
- Domain trust setup screen
- Name mappings example
- ksetup.exe

Page 23

Single Sign-on: Pros and cons

Advantages

- Single Sign-on
  - Same NetID/password
- Centrally managed NetIDs for AD
  - Future synchronization with LDAP
  - Add/remove NetIDs automatically
- CIT managed Domain Controllers
  - Better reliability, fault tolerance etc.
  - Smaller depts. don't have to run DCs
  - Work Force Planning

Page 24

Single Sign-on: Pros and cons

- Decentralized management
  - Delegation of control
  - Admins have full control over OUs
  - Domains have separate admins
- Manageability
  - GPOs to manage large number of desktops
  - Software deployment or removal
  - RIS for new systems

Page 25

Single Sign-on: Pros and cons

- Usability
  - Powerful search capability
    - e.g. find plotter with special feature
  - Easier to set up rights across depts.
    - e.g. user with multiple appointments

Page 26

Single Sign-on: Pros and cons

Disadvantages

- Central Authority
  - CIT is Enterprise Admin
  - Full control over everything
  - Can be blocked to prevent accidents
  - Blocks can be easily removed
- Security
  - Privilege elevation vulnerabilities
  - Human error and misconfiguration
  - Malicious attack

Page 27

Single Sign-on: Pros and cons

- Schema
  - Schema extensions are forest-wide
    - Yikes!
    - Additional load on DCs, replication
    - Example: MS Exchange
  - Schema extensions are permanent
    - In Windows 2003, can be disabled
  - Some extensions may become obsolete
    - Example: software no longer used
- So, these are bad things but …

Page 28

Single Sign-on: Pros and cons

- Some thoughts about disadvantages
  - Schema extensions aren't that bad
  - Similar security risks exist in a separate domain
  - CIT can offer good security practices
  - CIT as Enterprise admin
    - CIT runs other more critical services that are already trusted
- IMHO: Overall, pros outweigh the cons

Page 29

CIT's Current Infrastructure

- Empty Root
  - Installed in 2001
  - Placeholder for cornell.edu
  - May be populated with NetIDs if "Go"
- Under cornell.edu
  - citstaff.cornell.edu – Internal CIT use
  - citlabs.cornell.edu – Public labs
- Separate domain tree for CIT managed Windows servers
- Many larger organizations already running separate domains

Page 30

Costs, Benefits, Challenges

Costs:

- Will need more powerful servers
- Integration with LDAP
  - Project will need investigation
- Managing Enterprise level AD
  - Non-trivial task
  - Creating OUs, objects, rights etc.
  - Everyday care and feeding
  - Need a dedicated person (or 2 or 3)

Page 31

Costs, Benefits, Challenges

Benefits:

- Is it really good for Cornell?

Challenges:

- Convincing important folks to approve this service
- Funding
- Collaboration
- What about existing separate domains?

Page 32

Conclusion

- Active Directory is here to stay
- Many schools have implemented large or campus-wide ADs
- Will a campus-wide Active Directory service (besides LDAP) benefit Cornell?

Page 33

Conclusion

- I don't have all the answers
- What are your thoughts?
- What would you like to see at Cornell?
- What can I take back to CIT management?
- Should we form an Active Directory focus group and decide?
- Questions, comments, suggestions
  - e-mail: [email protected]

Page 34

Thank You

Open Discussion, and Q&A