December 19, 2000, 11:30 AM — Despite implementing standards-based Kerberos authentication in Windows 2000, Microsoft is facing interoperability difficulties with other standard Kerberos systems. But the company says it is now working diligently behind the scenes to solve the problems.
The issues center on the security "tickets" generated by Kerberos servers known as Key Distribution Centers (KDCs). Microsoft's KDC, which is tied to Active Directory and bolted into Windows 2000, adds proprietary data to the ticket. The result is that tickets generated by third-party KDCs cannot be used to access Windows resources, and vice versa, even though the KDCs are built around the same IETF Kerberos v5 specification.
Users of existing Kerberos systems could face a painful forklift migration to Windows 2000, or be forced to absorb the administrative burden of maintaining synchronization between disparate systems in the future.
"Microsoft is not doing anything to further the use of Windows 2000 in mission-critical environments," says Eric Hemmindinger, an analyst with Aberdeen Group in Boston. "The company has some major implementation issues, and it's making users go out and solve the problems."
KDCs act as trusted third parties, providing security tickets that clients and servers can exchange using secret-key cryptography to prove their identities and establish encrypted communication. Ideally, KDCs maintain trust relationships and create a single sign-on to access resources regardless of which network operating system is being used. Most KDCs can authenticate to each other, but fail when trying to authorize use of network applications or services.
Microsoft is guarding its proprietary authorization ticket for now and binding users to its KDC. The default authentication for Windows 2000 is Kerberos, and that is likely to revive interest in the standard. Kerberos is popular in the financial, insurance and telecom industries and with multinational corporations.
"It would be nice to get the Windows 2000 server to play in the Kerberos environment," says Al Williams, director of distributed systems services at Pennsylvania State University's Center for Academic Computing. He has more than 200,000 Kerberos user IDs on a Unix KDC based on Distributed Computing Environment (DCE), which Williams says he won't move to Windows 2000.
"In essence, Microsoft wants us to convert our Unix KDC to a Windows 2000 KDC," Williams says. Williams cannot authenticate users using the Unix KDC and authorize the use of Windows 2000 resources. His only alternative is to use a Microsoft tool to mirror his Unix-based user IDs against Windows user IDs. He has already rewritten code on NT Workstations so they can authenticate against his KDC.