Difference between revisions of "HowTos/Kerberos"
Revision as of 12:26, 4 April 2006
Introduction
Kerberos can be used as an authentication and network security system for Scalix in a number of areas:
- Single-Server Installations (including Scalix Community Edition and CE Raw)
  - External Authentication source for username/password authentication of Scalix users
  - Single Sign On for domain member PCs running Microsoft Windows and Outlook
  - IMAP authentication for Kerberos-capable clients
- Multi-Server Installations (in addition to the above)
  - Additional network communications security for distributed SAC configurations
  - Cross-Server trust relationships for SWA resource booking
The Kerberos Key Distribution Center (KDC)
For all applications of Kerberos security described above, a Kerberos KDC must be set up. It acts as the central repository for authentication data or - in Kerberos-speak - as the "trusted 3rd party".
In Scalix environments, two types of KDCs are commonly used:
- Linux-based KDC built on the MIT or Heimdal open-source Kerberos implementation. Note: If you have the choice, it is recommended to use the MIT implementation; MIT is the inventor of the Kerberos protocol, so MIT's software is the official "reference" implementation of the service. Heimdal was created as a European project because MIT's software could, at the time, not be used outside the US due to export restrictions on the encryption technology involved. Most of these restrictions have since been lifted, however.
- Windows-based KDC built on a Windows 2000 or 2003 Server domain controller. This is set up automatically when you configure Active Directory on your Windows server.
Each entity in Kerberos that has an identity on the network is referred to as a principal. Principals can represent users and services; each entity involved in authentication must have its associated principal. For example, if Mr. User wants to use a Scalix IMAP server, two principals are involved - one for Mr. User (a user principal) and one representing the Scalix IMAP server (a server principal).
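To make the user/server principal distinction concrete, here is an added example (not from the Scalix wiki or either KDC implementation) that parses principal names of the form primary/instance@REALM, handles the backslash escapes MIT and Heimdal accept, and classifies a name as a user or service principal; the names mr.user@EXAMPLE.COM and imap/mail.example.com@EXAMPLE.COM are constructed for illustration.

```python
"""Parse, classify and build Kerberos principal names (added example, not from the page)."""
from dataclasses import dataclass


@dataclass
class Principal:
    components: list   # primary first, then any instance components
    realm: str

    @property
    def kind(self) -> str:
        # One component (mr.user) is a user principal; primary/instance
        # (imap/mail.example.com) is a service (server) principal.
        return "user" if len(self.components) == 1 else "service"


def parse_principal(name: str) -> Principal:
    """Split primary[/instance...]@REALM; a backslash escapes the next character."""
    components, buf, in_realm, i = [], [], False, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):      # escaped '/' or '@' is literal
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            components.append("".join(buf))
            buf = []
            in_realm = ch == "@"                  # everything after '@' is the realm
        else:
            buf.append(ch)
        i += 1
    if not in_realm:
        raise ValueError(f"principal {name!r} has no @REALM part")
    realm = "".join(buf)
    if "" in components or realm == "":
        raise ValueError(f"principal {name!r} has an empty component or realm")
    return Principal(components, realm)


def is_valid_principal(name: str) -> bool:
    try:
        parse_principal(name)
        return True
    except ValueError:
        return False


def service_principal(service: str, host: str, realm: str) -> str:
    """Build the server principal for a service on a host. Principal names are
    case-sensitive, so the host is lower-cased to match the usual KDC entry."""
    esc = lambda s: s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return f"{esc(service)}/{esc(host.lower())}@{realm}"
```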