HowTos/Kerberos
Introduction
Kerberos can be used as an authentication and network security system for Scalix in a number of areas:
- Single-Server Installations (including Scalix Community Edition and CE Raw)
- External Authentication source for username/password authentication of Scalix users
- Single Sign On for domain member PCs running Microsoft Windows and Outlook
- IMAP authentication for Kerberos-capable clients
- Multi-Server Installations (in addition to the above)
- Additional network communications security for distributed SAC configurations
- Cross-Server trust relationships for SWA resource booking
The Kerberos Key Distribution Center (KDC)
For all applications of Kerberos security described above, a Kerberos KDC must be set up. It acts as the central repository for authentication data or, in Kerberos-speak, as the "trusted third party".
In Scalix environments, two types of KDCs are commonly used:
- Linux-based KDC based on the MIT or Heimdal open-source Kerberos implementation. Note: If you have the choice, it is recommended to use the MIT implementation; MIT invented the Kerberos protocol, so its code is the official "reference" implementation of the service. Heimdal was created as a European project because MIT's software previously could not be used outside the US due to export restrictions on the encryption technology involved. Most of these restrictions have since been lifted, however.
- Windows-based KDC based on a Windows 2000 or 2003 Server domain controller. This is set up automatically when you configure Active Directory on your Windows server.
Each entity in Kerberos that has an identity on the network is referred to as a principal. Principals can represent users and services, and each entity involved in authentication must have its own principal. For example, if Mr. User wants to use a Scalix IMAP server, two principals are involved: one for Mr. User (a user principal) and one representing the Scalix IMAP server (a server principal).
Setting up a KDC
Setting up a Linux-based KDC
Scalix provides a script that automatically sets up a KDC on Scalix-supported Linux platforms.
Prerequisites
- On Red Hat Enterprise Linux 4 (RHEL4), the following RPMs must be installed as a prerequisite: krb5-libs, krb5-workstation and krb5-server
Running the Scalix KDC creation script
You create the KDC by starting the Scalix KDC creation script with the following command line:
omkrbinstall -r <realm> -s <admin server> -a <admin principal> -p <admin password>
where
- <realm> is the Kerberos Realm. This is a domain-type name that groups all Kerberos objects. In environments with multiple independent KDCs that might require trust relationships for cross-Realm authentication, the name must be unique within the whole environment. The name must be all-uppercase and can contain dots ("."). Often a DNS-domain style name is used to guarantee uniqueness, e.g. KERBEROS.SCALIX.COM.
- <admin server> is your Kerberos KDC's fully-qualified domain name.
- <admin principal> is a user name for your initial Kerberos KDC admin account. By convention, this is usually of the form <name>/admin, where <name> is a personal identifier for the admin. Kerberos standards recommend against using shared or generic admin accounts. You can create further admin accounts later.
- <admin password> is the initial password for the admin principal.
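As an added example (not part of the Scalix wiki page or of omkrbinstall itself), the POSIX shell script below checks the four omkrbinstall arguments against the conventions listed above before printing the command line, and also splits a principal name into its primary, instance and realm parts to make the user-principal versus server-principal distinction from the introduction concrete. The values KERBEROS.SCALIX.COM, kdc.scalix.com, alice/admin and the imap/host service-principal form are constructed sample values; the character sets accepted for realms and host names are this script's assumptions, not rules stated on the page. The script never runs omkrbinstall; it only validates and prints.

```shell
#!/bin/sh
# Added example: pre-flight checks for the omkrbinstall arguments.
# Assumptions (not from the page): realms may contain A-Z, 0-9, "." and "-";
# host names may contain letters, digits, "." and "-".

# Realm must be non-empty, all-uppercase, with no leading/trailing/doubled dots.
validate_realm() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Z0-9.-]* ) return 1 ;;   # anything outside the allowed set
        .* | *. | *..* ) return 1 ;;  # malformed dot placement
    esac
    return 0
}

# Admin server must be a fully-qualified name: at least one dot, sane characters.
validate_fqdn() {
    case "$1" in
        '' | .* | *. | *..* ) return 1 ;;
        *.* ) ;;                      # has a dot, so it is at least qualified
        * ) return 1 ;;
    esac
    case "$1" in
        *[!a-zA-Z0-9.-]* ) return 1 ;;
    esac
    return 0
}

# Admin principal must follow the <name>/admin convention with a non-empty name.
validate_admin_principal() {
    name=${1%/admin}
    [ "$name" != "$1" ] || return 1   # no "/admin" instance present
    [ -n "$name" ] || return 1        # "/admin" alone is not a personal identifier
    case "$name" in *[/@]* ) return 1 ;; esac
    return 0
}

# Split "primary/instance@REALM" into "primary|instance|realm"; instance and
# realm are empty when absent. A user principal has no instance; a service
# principal conventionally uses service/hostname (assumption, e.g. imap/host).
split_principal() {
    p=$1
    realm=${p##*@}; [ "$realm" != "$p" ] || realm=''
    p=${p%@*}
    instance=${p#*/}; [ "$instance" != "$p" ] || instance=''
    primary=${p%%/*}
    printf '%s|%s|%s\n' "$primary" "$instance" "$realm"
}

# Validate all arguments and print the omkrbinstall command line.
# Note: the password is visible to other local users in the process list for
# as long as omkrbinstall runs, so use an initial value you intend to change.
build_omkrbinstall_cmd() {
    realm=$1; server=$2; principal=$3; password=$4
    validate_realm "$realm" || {
        echo "bad realm: $realm (must be UPPERCASE, e.g. KERBEROS.SCALIX.COM)" >&2; return 1; }
    validate_fqdn "$server" || {
        echo "bad admin server: $server (must be fully qualified)" >&2; return 1; }
    validate_admin_principal "$principal" || {
        echo "bad admin principal: $principal (use <name>/admin)" >&2; return 1; }
    [ -n "$password" ] || { echo "admin password must not be empty" >&2; return 1; }
    printf 'omkrbinstall -r %s -s %s -a %s -p %s\n' \
        "$realm" "$server" "$principal" "$password"
}

# Demonstration with constructed values; prints the command that would be run.
build_omkrbinstall_cmd KERBEROS.SCALIX.COM kdc.scalix.com alice/admin 'change-me-now'
split_principal 'imap/mail.scalix.com@KERBEROS.SCALIX.COM'
```

Running the script prints the assembled omkrbinstall line and `imap|mail.scalix.com|KERBEROS.SCALIX.COM`; a lowercase realm or a bare host name makes it exit non-zero with a message on stderr before anything is printed.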
Setting up a Windows-based KDC
This is automatically done as soon as you activate Active Directory on a Windows 2000 or 2003 server. No further steps are necessary.