HowTos/Kerberos
Introduction
Kerberos can be used as an authentication and network security system for Scalix in a number of areas:
- Single-Server Installations (including Scalix Community Edition and CE Raw)
  - External Authentication source for username/password authentication of Scalix users
  - Single Sign On for domain member PCs running Microsoft Windows and Outlook
  - IMAP authentication for Kerberos-capable clients
- Multi-Server Installations (in addition to the above)
  - Additional network communications security for distributed SAC configurations
  - Cross-Server trust relationships for SWA resource booking
The Kerberos Key Distribution Center (KDC)
For all applications of Kerberos security described above, a Kerberos KDC must be set up. The KDC acts as the central repository of authentication data or, in Kerberos terms, as the "trusted third party" that both the client and the service rely on.
In Scalix environments, two types of KDCs are commonly used:
- A Linux-based KDC using the MIT or Heimdal open-source Kerberos implementation. Note: If you have the choice, use the MIT implementation. Kerberos was designed at MIT, so the MIT distribution is the reference implementation of the protocol. Heimdal was created as a European project because the MIT software could, at the time, not be exported from the US owing to restrictions on the encryption technology involved; most of those restrictions have since been lifted.
- A Windows-based KDC provided by a Windows 2000 or 2003 Server domain controller. The KDC is set up automatically when you configure Active Directory on the Windows server.
Each entity in Kerberos that has an identity on the network is referred to as a principal. Principals can represent users and services, and each party involved in an authentication must have its own principal. For example, if Mr. User wants to use a Scalix IMAP server, two principals are involved: one for Mr. User (a user principal) and one representing the Scalix IMAP server (a service principal, named after the service and the host it runs on).
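As an added example (not part of the Scalix HowTo and not Scalix's own scripts), the following shows how the two principals from the IMAP scenario are named under MIT Kerberos and which kadmin.local commands would create them on an MIT KDC. The realm EXAMPLE.COM, the host scalix.example.com, the user jsmith and the keytab path /etc/krb5.keytab are assumed values; the kadmin commands are printed rather than executed so the script runs without a KDC.

```shell
#!/bin/sh
# Added example for the Scalix Kerberos HowTo: principal naming and the MIT
# kadmin.local commands for the IMAP scenario. Realm, host, user and keytab
# path below are assumptions, not values from the page.

# Classify a principal of the form primary[/instance]@REALM. A principal with
# an instance component (e.g. imap/scalix.example.com) is a service principal;
# one without (e.g. jsmith) is a user principal.
principal_type() {
    name=${1%@*}                 # strip the @REALM suffix
    case $name in
        */*) echo service ;;
        *)   echo user ;;
    esac
}

# The service principal a Kerberos-capable IMAP client expects for a given
# host: the "imap" service name, the host's canonical FQDN and the realm.
# Realm names are written in upper case by convention.
imap_service_principal() {
    host=$1; realm=$2
    echo "imap/$host@$realm"
}

# kadmin.local commands that would create both principals on an MIT KDC.
# The user principal gets a password (kadmin prompts for it); the service
# principal gets a random key, which is then exported to the keytab the
# Scalix IMAP server reads. Printed, not executed, so this runs offline.
kadmin_commands() {
    user=$1; host=$2; realm=$3
    svc=$(imap_service_principal "$host" "$realm")
    printf '%s\n' \
      "kadmin.local -q \"addprinc $user@$realm\"" \
      "kadmin.local -q \"addprinc -randkey $svc\"" \
      "kadmin.local -q \"ktadd -k /etc/krb5.keytab $svc\""
}

# Demo with the assumed values
kadmin_commands jsmith scalix.example.com EXAMPLE.COM
```

The keytab produced by `ktadd` holds the service's long-term key and must be readable only by the account the Scalix IMAP service runs as; anyone who can read it can impersonate the IMAP server to every client in the realm.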