[19602] in Kerberos
RE: Windows 2000 Server as KDC
daemon@ATHENA.MIT.EDU (Mel Riser)
Wed Jul 16 14:25:41 2003
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Date: Wed, 16 Jul 2003 13:24:48 -0500
Message-ID: <A0E465D8EE21FE4EA9DB3C11F48EB1FB015654BC@europa.mesas.mis>
From: "Mel Riser" <mel.riser@fxfn.com>
To: "Karl Pitrich" <karl.pitrich@fabasoft.com>, <kerberos@mit.edu>
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
Microsoft based its Kerberos implementation on the open standard that RFC 1510 defines (i.e., Kerberos V5), which means that Kerberos can provide authentication interoperability between Win2K and other OSs that support an RFC 1510-based Kerberos implementation.
Kerberos authentication interoperability comes in three flavors: A Win2K server hosts the Kerberos KDC and serves as a KDC for Win2K and other platform clients. Alternatively, a non-Win2K server hosts the Kerberos KDC and serves as a KDC for Win2K and other platform clients. Finally, you can create a cross-realm trust relationship between a Win2K domain and another platform to provide authentication interoperability. In this case, you have two KDCs-one KDC on each side of the trust relationship.
Authentication interoperability isn't simple and makes administration more complex. For example, to use a cross-realm trust to obtain authentication interoperability between Win2K and a UNIX platform, you must define an explicit mapping between each UNIX account that will access resources in your Win2K domain and a Win2K account, as Screen 5 shows. You must map each UNIX account because UNIX Kerberos account names are meaningless to Win2K domains. Windows environments use SIDs to identify accounts. UNIX accounts defined in a UNIX Kerberos domain don't have SIDs. The Security Identity Mapping dialog box shows mappings as part of a user object's advanced features.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
