Interoperability issues bite Win 2000 Kerberos scheme
Despite implementing standards-based Kerberos authentication in Windows 2000, Microsoft is facing interoperability difficulties with other standard Kerberos systems. But the company says it is now working diligently behind the scenes to solve the problems.
The issues center on the security "tickets" generated by Kerberos servers known as Key Distribution Centers (KDC). Microsoft's KDC, which is tied to Active Directory and bolted into Windows 2000, adds proprietary data to the ticket. The result is that tickets generated by third-party KDCs are not able to access Windows resources and vice versa, even though the KDCs are built around the same IETF Kerberos v5 specification.
Users of existing Kerberos systems could face a painful forklift migration to Windows 2000, or be forced to absorb the administrative burden of maintaining synchronization between disparate systems in the future.
"Microsoft is not doing anything to further the use of Windows 2000 in mission-critical environments," says Eric Hemmindinger, an analyst with Aberdeen Group in Boston. "The company has some major implementation issues, and it's making users go out and solve the problems."
KDCs act as trusted third-parties, providing security tickets that clients and servers can exchange using secret-key cryptography to prove their identities and establish encrypted communication. Ideally, KDCs maintain trust relationships and create a single sign-on to access resources regardless of what network operating system is being used. Most KDCs can authenticate to each other, but fail when trying to authorize use of network applications or services.
Microsoft is guarding its proprietary authorization ticket for now and binding users to its KDC. The default authentication for Windows 2000 is Kerberos, and that is likely to revive interest in the standard. Kerberos is popular in the financial, insurance and telecom industries and with multinational corporations.
"It would be nice to get the Windows 2000 server to play in the Kerberos environment," says Al Williams, director of distributed systems services at Pennsylvania State University's Center for Academic Computing. He has more than 200,000 Kerberos user IDs on a Unix KDC based on Distributed Computing Environment (DCE), which Williams says he won't move to Windows 2000.
"In essence, Microsoft wants us to convert our Unix KDC to a Windows 2000 KDC," Williams says. Williams cannot authenticate users against the Unix KDC and then authorize them to use Windows 2000 resources. His only alternative is to use a Microsoft tool to mirror his Unix-based user IDs against Windows user IDs. He has already rewritten code on NT Workstations so they can authenticate against his KDC.
Microsoft says it understands the issues and will provide answers in the coming months so large customers can protect their investments. But critics say Microsoft has consumed yet another standard and extended it to snare users.
"Microsoft is not pushing Kerberos as much as it's pushing its Windows authentication scheme that looks and smells like Kerberos," says Jeff Schiller, security area director at the Internet Engineering Task Force.
Microsoft did follow the IETF's Kerberos v5 specification as written, but used an authorization mechanism, the so-called auth-data field, on the Kerberos ticket to insert Windows Secure ID information that binds the ticket to Windows Access Control Lists.
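The authentication/authorization split that the article keeps returning to (KDCs as trusted third parties issuing tickets, foreign tickets that authenticate but cannot be authorized against Windows resources, and the mirrored-user-ID workaround) is easier to see in code. The following is an added illustration, not code from the article or from any vendor named in it: the ticket is modelled as JSON sealed with an HMAC under the service's key rather than the real Kerberos v5 ASN.1 encoding, and the auth-data type label `AD_WINDOWS_SIDS`, the realm names, the service key and the SID values are all constructed placeholders.

```python
"""Toy model of the authentication/authorization split described in the
article.  Constructed illustration only: the ticket format here is JSON plus
an HMAC tag, not the real Kerberos v5 ASN.1 encoding, and the auth-data type
label and SID values are placeholders."""
import hashlib
import hmac
import json

# Hypothetical label for vendor-specific authorization data carried in the
# ticket's authorization-data field (stands in for the Windows-specific entry).
AD_WINDOWS_SIDS = "windows-sids"


def issue_ticket(realm, client, service_key, issued_at, lifetime=300, auth_data=None):
    """KDC side: bind the client identity (and optional auth-data) to a ticket
    that only a holder of service_key can verify."""
    body = {
        "realm": realm,
        "cname": client,
        "expires": issued_at + lifetime,
        "authorization-data": auth_data or [],
    }
    encoded = json.dumps(body, sort_keys=True)
    tag = hmac.new(service_key, encoded.encode(), hashlib.sha256).hexdigest()
    return {"body": encoded, "tag": tag}


def authenticate(ticket, service_key, now):
    """Service side, step 1 (authentication): accept the ticket only if the
    tag verifies under the shared service key and the ticket has not expired.
    Returns the decoded body, or None.  This step works across realms."""
    expected = hmac.new(service_key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None
    body = json.loads(ticket["body"])
    if now >= body["expires"]:
        return None
    return body


def authorize_windows_style(body, principal_to_sid=None):
    """Service side, step 2 (authorization): a Windows-style resource wants
    SIDs to evaluate its ACLs.  It looks for them in vendor-specific auth-data;
    a ticket from a foreign KDC carries none, so without an out-of-band
    mapping from Kerberos principal to SID (the mirrored-ID workaround) the
    caller is authenticated but cannot be authorized.  Returns SIDs or None."""
    for entry in body["authorization-data"]:
        if entry.get("type") == AD_WINDOWS_SIDS:
            return list(entry["sids"])
    if principal_to_sid:
        sid = principal_to_sid.get(f'{body["cname"]}@{body["realm"]}')
        if sid:
            return [sid]
    return None


if __name__ == "__main__":
    key = b"file-server-secret"  # constructed service key
    # Ticket from a Unix KDC: valid, but carries no Windows auth-data.
    unix_ticket = issue_ticket("UNIX.EXAMPLE", "alice", key, issued_at=1000)
    body = authenticate(unix_ticket, key, now=1100)
    print("authenticated:", body is not None)            # True
    print("authorized:", authorize_windows_style(body))  # None
    mapping = {"alice@UNIX.EXAMPLE": "S-1-5-21-EXAMPLE-1001"}  # placeholder SID
    print("with mapping:", authorize_windows_style(body, mapping))
    # Ticket from a Windows-style KDC: the SIDs ride inside the ticket itself.
    win_ticket = issue_ticket("WIN.EXAMPLE", "alice", key, issued_at=1000,
                              auth_data=[{"type": AD_WINDOWS_SIDS,
                                          "sids": ["S-1-5-21-EXAMPLE-1001"]}])
    print("windows ticket:", authorize_windows_style(authenticate(win_ticket, key, now=1100)))
```

The point the model makes is that the cross-realm failure is not a cryptographic one: the foreign ticket verifies and is unexpired, and only the second step fails because the resource expects identity in a format that the issuing KDC does not emit. The `principal_to_sid` table is the model's stand-in for synchronizing two user databases, which is exactly the administrative burden the article warns about.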
"The problem is that the data is specific to Windows and only valid in Windows," says Dan House, senior technical engineer at IBM. "Ideally, there would be a system that creates a common user ID. The IETF left the auth-data field open to vendor interpretation, a move it now regrets and is working to correct."
The Open Group, which developed DCE Kerberos, and the Massachusetts Institute of Technology also use the auth-data field to provide user ID, but they publish the data format so other vendors can support it.
Microsoft so far hasn't done that. "Microsoft refuses to release that documentation," says Paul Hill, a senior MIT programmer analyst and a member of the Kerberos v5 development team. "Our definition of interoperability takes into account client/server. Microsoft at the client level says, 'You need our server.'"
Microsoft says the data format is forthcoming. "We'll publish the documentation when it's finalized and we ship the product," says Shanen Boettcher, product manager for Windows 2000. "We definitely want to support user accounts in different KDCs. That is the goal."
Microsoft is working with CyberSpace, according to officials at CyberSpace. CyberSpace develops a sort of middleware called TrustBroker, which links Kerberos deployments. "Microsoft has come to us and asked for help on its interoperability story," says Matt Hur, director of the advanced technology group at CyberSpace. "We can broker common authentication across platforms regardless of user ID and help form trust relationships between different Kerberos realms."
The approach is similar to the one Microsoft used with technology it acquired two months ago from Zoomit to help synchronize Active Directory with other directories, after users complained of being locked into the Windows environment.