HowTos/Kerberos

From Scalix Wiki
Revision as of 13:21, 4 April 2006 by Florian

Introduction

Kerberos can be used as an authentication and network security system for Scalix in a number of areas:

  • Single-Server Installations (including Scalix Community Edition and CE Raw)
    • External Authentication source for username/password authentication of Scalix users
    • Single Sign On for domain member PCs running Microsoft Windows and Outlook
    • IMAP authentication for Kerberos-capable clients
  • Multi-Server Installations (in addition to the above)
    • Additional network communications security for distributed SAC configurations
    • Cross-Server trust relationships for SWA resource booking

The Kerberos Key Distribution Center (KDC)

For all of the uses of Kerberos described above, a Kerberos KDC must be set up. It acts as the central repository for authentication data, or, in Kerberos terms, as the "trusted third party" that both the client and the service rely on.

In Scalix environments, two types of KDCs are commonly used:

  • Linux-based KDC using the MIT or Heimdal open-source Kerberos implementation. Note: if you have the choice, use the MIT implementation; Kerberos was invented at MIT, so MIT's software is the official reference implementation of the service. Heimdal was created as a European project at a time when MIT's software could not be used outside the US because of export restrictions on the encryption technology involved. Most of these restrictions have since been lifted.
  • Windows-based KDC provided by a Windows 2000 or 2003 Server domain controller. This is set up automatically when you configure Active Directory on your Windows server.

Each entity in Kerberos that has an identity on the network is referred to as a principal. Principals can represent users and services, and each entity involved in an authentication must have its own principal. For example, if Mr. User wants to use a Scalix IMAP server, two principals are involved: one for Mr. User (a user principal, of the form user@REALM) and one representing the Scalix IMAP server (a service principal, conventionally of the form imap/host.fqdn@REALM).

Setting up a KDC

Setting up a Linux-based KDC

Scalix provides a script that automatically sets up a KDC on Scalix-supported Linux platforms.

Prerequisites

  • On RedHat Enterprise Linux 4 (RHEL4), the following RPMs must be installed as a prerequisite: krb5-libs, krb5-workstation and krb5-server

Running the Scalix KDC creation script

You create the KDC by starting the Scalix KDC creation script with the following command line:

omkrbinstall -r <realm> -s <admin server> -a <admin principal> -p <admin password>

where

  • <realm> is the Kerberos Realm. This is a domain-style name that groups all Kerberos objects. In environments with multiple independent KDCs that might later need trust relationships for cross-Realm authentication, the name must be unique within the whole environment. Realm names are case-sensitive; by convention the name is all-uppercase and can contain dots ("."). Often a DNS-domain style name is used to guarantee uniqueness, e.g. KERBEROS.SCALIX.COM. Choose it carefully: the realm name becomes part of every principal created afterwards.
  • <admin server> is your Kerberos KDC's fully-qualified domain name.
  • <admin principal> is the user name for your initial Kerberos KDC admin account. By convention, this is of the form <name>/admin, where <name> is a personal identifier for the admin. Kerberos standards recommend against using shared or generic admin accounts. You can create further admin accounts later.
  • <admin password> is the initial password for the admin principal. Note that a password passed on the command line is visible in process listings and is recorded in the shell history; run the command from a shell session that does not log history, or remove the entry afterwards.
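A pre-flight wrapper for the command above, as an added example that is not part of Scalix or its omkrbinstall script: it checks each parameter against the rules given in the list (uppercase realm, FQDN for the admin server, <name>/admin for the admin principal, non-empty password) and prints the resulting command line with the password redacted, so that a mistyped realm name is caught before a KDC is created with it. The short list of rejected generic admin names and the sample values KERBEROS.SCALIX.COM, kdc.scalix.com and florian/admin are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight checks for the omkrbinstall parameters. Added example, not part of
# Scalix; the only rules applied are the ones stated on this page (uppercase
# realm that may contain dots, FQDN admin server, <name>/admin principal).
# The password is never printed.

# Realm: uppercase letters, digits and hyphens, dot-separated, e.g. KERBEROS.SCALIX.COM.
valid_realm() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z0-9-]+(\.[A-Z0-9-]+)*$'
}

# Admin server: a fully-qualified host name (lowercase labels, at least one dot).
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Admin principal: <name>/admin, where <name> identifies a person rather than a
# shared account (the list of generic names rejected here is an assumption).
valid_admin_principal() {
    case "$1" in
        */admin) name=${1%/admin} ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$name" | grep -Eq '^[a-z][a-z0-9._-]*$' || return 1
    case "$name" in
        admin|root|administrator|kerberos|scalix|kdc) return 1 ;;
    esac
    return 0
}

# Validate all four parameters and print the command line with the password
# redacted; returns non-zero on the first bad parameter.
kdc_install_cmd() {
    realm=$1; server=$2; principal=$3; password=$4
    valid_realm "$realm"               || { echo "bad realm: $realm (uppercase, e.g. KERBEROS.SCALIX.COM)" >&2; return 1; }
    valid_fqdn "$server"               || { echo "bad admin server: $server (must be an FQDN)" >&2; return 1; }
    valid_admin_principal "$principal" || { echo "bad admin principal: $principal (use <name>/admin)" >&2; return 1; }
    [ -n "$password" ]                 || { echo "empty admin password" >&2; return 1; }
    printf 'omkrbinstall -r %s -s %s -a %s -p <redacted>\n' "$realm" "$server" "$principal"
}

# Run the real script only after the checks pass and only if it is installed;
# otherwise report a dry run so the wrapper is safe to try on any machine.
run_kdc_install() {
    kdc_install_cmd "$@" >/dev/null || return 1
    if command -v omkrbinstall >/dev/null 2>&1; then
        omkrbinstall -r "$1" -s "$2" -a "$3" -p "$4"
    else
        echo "omkrbinstall not found; dry run only" >&2
        return 2
    fi
}

# Usage (dry run with constructed values):
# kdc_install_cmd KERBEROS.SCALIX.COM kdc.scalix.com florian/admin 'change-me'
```

After the real script has run, the quickest check that the KDC and the admin principal work is to obtain a ticket for the admin principal with kinit (e.g. kinit florian/admin@KERBEROS.SCALIX.COM) and confirm it with klist; if kinit cannot reach the KDC or rejects the password, fix that before creating any service principals.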

Setting up a Windows-based KDC

This is done automatically as soon as you activate Active Directory on a Windows 2000 or 2003 server; no further steps are necessary.