[4908] in Kerberos

home help back first fref pref prev next nref lref last post

MIT Kerberos vs DCE-Kerberos

daemon@ATHENA.MIT.EDU (Mike Friedman)
Sat Apr 1 17:13:33 1995

To: kerberos@MIT.EDU
Date: 1 Apr 1995 17:48:38 GMT
From: mikef@ack.berkeley.edu (Mike Friedman)

I have been working with Kerberos V4 and am preparing to put it in production
fairly soon;  we already have a campus application that is V4-based and will
be using our Kerberos server.  At some point, our plan is to upgrade to V5.
However, a new, large, application may be coming along that would require us 
to support DCE-Kerberos.  This is because the application vendor code isn't 
itself kerberized;  rather, it interfaces to another vendor's 'middleware' 
platform, which talks to DCE services.  In particular, authentication would 
be done via DCE-Kerberos.

So, I'd like some (objective) information that would help me understand what
we'd be getting into if our management decides to acquire the aforementioned
application along with the DCE-oriented middleware interface to Kerberos.

For example,

o  What are all the areas of incompatibility between DCE-Kerberos and MIT
   Kerberos V5?  I am familiar in general terms with some of them, but would
   like as complete a picture as possible.

o  None of us here has any experience with DCE at all.  Given that (in the
   near term at least), our only interest in DCE would be with respect to
   Kerberos authentication, I'd like to know what kind of effort is involved
   in supporting a DCE environment just to obtain the authentication services?

   (a)  Vendor issues.  Who supplies DCE and what is the quality of support?
   (b)  Available platforms -- operating system and hardware.
   (c)  Expertise, training and ongoing staff resources required on our part
        for ongoing support.  Would we need to learn much about DCE as a
        whole just to support the Kerberos part?

o  With respect to my first item above, is anyone working on resolving the
   technical incompatibilities between MIT K5 and DCE-Kerberos, so that, for
   example, one could run MIT K5 servers and authenticate DCE-based clients
   (as well as MIT K5 and K4 kerberized clients)?

Thanks for whatever information anyone can provide.

------------------------------------------------------------------------
Mike Friedman                             mikef@ack.Berkeley.EDU
Data Communication & Network Services     +1-510-642-1410
University of California at Berkeley      http://www.Berkeley.EDU/~mikef
------------------------------------------------------------------------

home help back first fref pref prev next nref lref last post