Windows 2000 Kerberos Authentication
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Glossary.Pdf
Glossary Note: Terms in italics are described in their own glossary entries. 3DES. See Data Encryption Standard. A A RR. Type identifier for a DNS Address resource record. Active Directory (AD). The directory service for Windows 2000. A hierarchical, object-oriented database that stores distributed data for Windows 2000 domains, trees, and forests. Active Directory-integrated zones. DNS zones for which zone data are stored in Active Directory. All copies of an Active Directory-integrated zone are peers and can accept changes to the zone. Zone data are replicated through Active Directory. Zone transfers are required only when importing data from a primary zone or exporting data to a secondary zone. AD. Abbreviation for Active Directory. address class. See IP address class. address resolution protocol (ARP). A protocol used by IP to discover the hardware address of the device to which a datagram is being sent. Address resource record. A DNS resource record that maps a FQDN to an IP address. Referred to as Host resource records when administering Windows 2000 DNS. Referred to as Host Address resource records in this book. AH. See authentication header. ARP. See address resolution protocol. asymmetric cryptography. A cryptography method that uses one key for encryption and another key for decryption. Also called public key cryptography. attribute. A characteristic of an object in an object- oriented database such as Active Directory; often called a property in Windows 2000. authentication. The ability of one entity to reliably determine the identity of another entity. authentication header (AH). A security protocol used by IPSec that provides authentication and message integrity. -
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Common Criteria Evaluation and Validation Scheme Validation Report Nexor MMHS Security Report Number: CCEVS-VR-05-0095 Dated: 14 March 2005 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 Nexor MMHS Security Validation Report ACKNOWLEDGEMENTS Validation Team Dr. Jerome Myers The Aerospace Corporation Columbia, Maryland Common Criteria Testing Laboratory Science Applications International Corporation Common Criteria Testing Laboratory 7125 Columbia Gateway Drive, Suite 300 Columbia, Maryland 21046 2 Nexor MMHS Security Validation Report Table of Contents 1 EXECUTIVE SUMMARY____________________________________________ 4 2 Identification ______________________________________________________ 5 3 Security Policy _____________________________________________________ 7 3.1 Communications Policy _______________________________________________ 7 3.2 User Data Protection Policy ____________________________________________ 7 3.3 Identification and Authentication Policy _________________________________ 8 3.4 Management Policy___________________________________________________ 8 4 Assumptions and Clarification of Scope_________________________________ 9 4.1 Usage Assumptions ___________________________________________________ 9 4.2 Clarification of Scope _________________________________________________ -
Centralised Authentication
Centralised Authentication Fabian Alenius Guerreiro Jo~ao Uwe Bauknecht March 3, 2009 Contents 1 Introduction 2 2 LDAP 3 2.1 History of LDAP . 3 2.2 Directory servers . 3 2.3 Distinguished Names . 3 2.4 Directory Information Trees . 3 2.5 LDAP Authentication . 4 2.6 SASL binding . 4 3 Authentication Methods [5] 5 3.1 Kerberos . 5 3.1.1 Protocol draft 1.0 . 5 3.1.2 Analysis of Protocol draft 1.0 . 6 3.1.3 Protocol draft 2.0 . 6 3.1.4 Analysis of Protocol draft 2.0 . 7 3.1.5 Kerberos Version 4 . 7 3.1.6 Kerberos Conclusion . 8 3.2 X.509 certificates . 8 4 RADIUS 9 4.1 Introduction . 9 4.2 Functionality . 9 4.2.1 Authentication and Authorization . 9 4.2.2 Accounting . 10 4.2.3 Realms and Proxies . 10 4.3 Usage . 10 References 11 1 1 Introduction When a user wants to login to a computer system he has to go through the process of authentication. If the same user wants to authenticate against two computer systems he needs to authenticate twice. This becomes unpractical very fast as the number of systems grow, especially if the user has to remember separate usernames and passwords for each system. Another problem with this is that the management of the user accounts becomes complicated as we need several user accounts for each user. So, if we for example want to remove one user completely, we need to update all our systems. The solution to this problem is to use a centralized authentication server. -
Leveraging the Kerberos Credential Caching Mechanism for Faster Re-Authentications in Wireless Access Networks
UBICOMM 2010 : The Fourth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies EAP-Kerberos: Leveraging the Kerberos Credential Caching Mechanism for Faster Re-authentications in Wireless Access Networks Saber Zrelli Yoichi Shinoda Nobuo Okabe Center for Information Science Corporate R&D Headquarters Japan Advanced Institute of Science and Technology Yokogawa Electric Corporation Ishikawa, Japan Tokyo, Japan [email protected] saber.zrelli,[email protected] Abstract—Although the wireless technology nowadays provides support cross-domain authentication that enables an access satisfying bandwidth and higher speeds, it still lacks improve- network to authenticate a roaming client that belongs to a ments with regard to handoff performance. Existing solutions remote domain. The cross-domain authentication requires for reducing handoff delays are specific to a particular network technology or require expensive upgrades of the whole infras- message exchange between the AAA server of the visited tructure. In this paper, we investigate performance benefits of network and the AAA server of the roaming station’s home leveraging the Kerberos ticket cashing mechanism for achieving network. Because these inter-domain exchanges occur over the faster re-authentications in IEEE 802.11 wireless access networks. Internet, they are subject to degradations such as packet loss For this purpose, we designed a new EAP authentication method, and network delays which increases the overall authentication EAP-Kerberos, and evaluated re-authentication performance in different scenarios. time. When a roaming station changes of access point, the same authentication procedure takes place again, disrupting Keywords-Wireless; Authentication; Handoff; Performance the user traffic at each handoff. I. -
A Kerberos-Based Authentication Architecture for Wireless Lans
A Kerberos-Based Authentication Architecture for Wireless LANs Mohamed Ali Kaafar1, Lamia Benazzouz1, Farouk Kamoun1, and Davor Males2 1 Ecole Nationale des Seiences de l'lnformatique, Universitt~ de la Manouba. Tunisia {Medali.kaafar, Lamia.benazzouz, Farouk.kamoun}@ensi.rnu.tn 2 Laboratoire d'lnformatique de Paris 6 Universite Pierreet Marie Curie 8, rue du capitaine Scott 75015 Paris. France [email protected] Abstract. This work addresses the issues re1ated to authentication in wireless LAN environments, with emphasis on the IEEE 802.11 standard. lt proposes an authentication architecture for Wireless networks. This architecture called Wireless Kerberos (W-Kerberos), is based on the Kerberos authentication server and the IEEE 802.1X-EAP mode1, in order to satisfy both security and mobility needs. lt then, provides a mean of protecting the network, assuring mutual authentication, thwarts cryptographic attack risks via a key refreshment mechanism and manages fast and secure Handovers between access points. 1 Introduction Over recent years, wire1ess communication has enjoyed enormous growth, becoming popular in botb public and private sectors. Wireless Local Area Network (WLAN) technology is capable of offering instant, high-speed and mobile connectivity. While this technology offers a Iot of advantages, it does also introduce issues related to authentication, access control, confidentiality and data integrity. Today, wireless products are being developed that do not address all of the security services related to this technology. Although the IEEE 802.lli framework is proposing a "Robust Security Nework" architecture (RSN) to deal with the security wireless networks limitations, actually there is not a complete set of standards available that solves all the issues related to Wireless security [1]. -
1. Privacy and Security 1.1. User Identity Authentication
VA Enterprise Design Patterns: 1. Privacy and Security 1.1. User Identity Authentication Office of Technology Strategies (TS) Architecture, Strategy, and Design (ASD) Office of Information and Technology (OI&T) Version 2.0 Date Issued: March 2016 THIS PAGE INTENTIONALLY LEFT BLANK FOR PRINTING PURPOSES APPROVAL COORDINATION ___________________________________________ Rodney Emery Director, Technology Strategies and GEAC, ASD ASD Technology Strategies ___________________________________________ Paul A. Tibbits, M.D. DCIO Architecture, Strategy, and Design REVISION HISTORY Version Date Organization Notes Initial Draft/Outline of the update to the Internal and External User Identity Authentication Design Patterns issued for stakeholder review. Combined Internal and External Authentication 1.5 February 2016 ASD TS Design Plan documents and updated the name. Changed format to provide future state relevant to all authentication, internal and then external. Added IAM Infrastructure Integrity Risk Assessment and Recommended Actions. Includes the additional updates: Added overview diagram. Updated As-Is state for SSOe and use of MVI. Updated Internal and External current state diagrams. Clarified goal of IAM to provide a single source to access all identities and attributes in use across VA. Added requirement to create LOA Assessment 1.7 March 2016 ASD TS Examples specific to VA for every level and provided draft example. Updated Direct Client Authentication using PKI over TLS to be a temporary solution until SSOi supports LOA 4. Updated Use Cases. Updated scope to specify exclusion of Compliance Audit and Reporting (CAR), VA Credential Service Provider (CSP), electronic signature (eSig) and identity proofing (IP). REVISION HISTORY APPROVALS Version Date Approver Role 2.0 3/10/2016 Joseph Brooks Privacy and Security Design Pattern Lead TABLE OF CONTENTS TABLE OF CONTENTS .............................................................................................................................................. -
Extending Oauth2.0 for Kerberos-Like Authentication to Avoid Internet Phishing Attacks
Anoop Vijayan Extending OAuth2.0 for Kerberos-like authentication to avoid Internet phishing attacks Master thesis in Mobile Technology and Business Faculty of Information Technology University of Jyvaskyla Department of Computer Science and Information Systems Author: Anoop Vijayan Contact Information: [email protected] Supervisor(s): Timo Hamäläinen Department of Computer Science and Information Systems University of Jyvaskyla Reviewer(s): Timo Hamäläinen Department of Computer Science and Information Systems University of Jyvaskyla Title: Extending OAuth2.0 for Kerberos-like authentication to avoid Internet phishing attacks Project: Master thesis in Mobile Technology and Business Page count: 72 I ABSTRACT The combined use of OpenID and OAuth for authentication and authorization is gaining popularity day by day in Internet. Because of its simplicity to understand, use and robustness, they are used in many domains in web, especially where the apps and user base are huge like social networking. Also it reduces the burden of typing the password every time for authentication and authorization especially in hand-held gadgets. After a simple problem scenario discussion, it is clear that the OpenID+OAuth combination has some drawbacks from the authentication perspective. The two major problems discussed here include problems caused due to transfer of user credentials over Internet and complexity in setting up of two protocols separately for authentication and authorization. Both the problems are addressed by extending OAuth2.0. By using Kerberos-like authentication, the user has the possibility of not passing the credentials over Internet. It is worth to note that, OAuth2.0 also uses some kind of tokens for authorizations similar to Kerberos. -
MS-ADSO]: Active Directory System Overview
[MS-ADSO]: Active Directory System Overview Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL’s, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected]. Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. -
IBM Tivoli Monitoring: Active Directory Agent: User™S Guide
® Tivoli Monitoring: Active Directory Agent Version 6.2.0 User’s Guide SC32-9444-01 ® Tivoli Monitoring: Active Directory Agent Version 6.2.0 User’s Guide SC32-9444-01 Note Before using this information and the product it supports, read the information in “Notices” on page 121. This edition applies to version 6.2 of IBM Tivoli Monitoring: Active Directory Agent (product number 5724-C71) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2005, 2007. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. © Copyright International Business Machines Corporation 2007. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Tables . .v Chapter 5. Attributes reference . .21 About attributes . .21 Chapter 1. Overview of the Monitoring More information about attributes . .21 Attribute groups and attributes for the Monitoring Agent for Active Directory . .1 Agent for Active Directory . .21 IBM Tivoli Monitoring overview . .1 Address Book attributes . .22 Features of the Monitoring Agent for Active DHCP attributes . .23 Directory . .1 Directory Services attributes . .24 New in this release . .2 DNS_ADIntegrated attributes . .26 Monitoring Agent for Active Directory components .3 DNS attributes . .27 User interface options . .3 Domain Controller Availability attributes . .29 Domain Controller Performance attributes . .31 Chapter 2. Requirements for the Exchange Directory Services attributes . .32 monitoring agent . .5 File Replication Service attributes . .33 Running as a non-Administrator user . .7 Group Policy Object attributes . .34 Ping variables . -
Active Directory Replication Model Works - Directory Services: Windows
How the Active Directory Replication Model Works - Directory Services: Windows ... Pagina 1 di 25 How the Active Directory Replication Model Works In this section Active Directory Replication Model Architecture Active Directory Replication Model Physical Structure Active Directory Data Updates Domain Controller Notification of Changes Identifying and Locating Replication Partners Urgent Replication Network Ports Used by Active Directory Replication Related Information Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. The values of the attributes define the object, and a change to a value of an attribute must be transferred from the domain controller on which it occurs to every other domain controller that stores a replica of that object. Thus, Active Directory replicates directory data updates at the attribute level. In addition, updates from the same directory partition are replicated as a unit to the corresponding replica on the destination domain controller over the same connection to optimize network usage. The information in this section applies to organizations that are designing, deploying, or operating an Active Directory infrastructure that satisfies the following requirements: A Domain Name System (DNS) infrastructure is in place that manages the name resolution for domain controllers in the forest. Active Directory-integrated DNS is assumed, wherein DNS zone data is stored in Active Directory and is replicated to all domain controllers that are DNS servers. All Active Directory sites have local area network (LAN) connectivity. IP connectivity is available between all datacenter locations and branch sites. -
Secure Fast Handover in an Open Broadband Access Network Using Kerberos-Style Tickets
Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets Martin Gilje Jaatun1, Inger Anne T¿ndel1, Fr¶ed¶ericPaint2, Tor Hjalmar Johannessen2, John Charles Francis3, and Claire Duranton4 1 SINTEF ICT, Trondheim, Norway 2 Telenor R&D, Fornebu, Norway 3 Swisscom Innovations, Bern, Switzerland 4 France Telecom R&D, Issy-les-Moulineaux, France [email protected] Abstract. In an Open Broadband Access Network consisting of multi- ple Internet Service Providers, delay due to multi-hop processing of au- thentication credentials is a major obstacle to fast handover between ac- cess points, e®ectively preventing delay-sensitive interactive applications such as Voice over IP. By exploiting existing trust relationships between service providers and access points, it is possible to pre-authenticate a mobile terminal to an access point, creating a Kerberos-style ticket that can be evaluated locally. The terminal can thus perform a handover and be authenticated to the new access point, without incurring communi- cation and processing delays by involving other servers. 1 Introduction The Open Broadband Access Network (OBAN) [1] seeks to utilise excess ca- pacity available in residential broadband connections, by opening up private wireless access points to passers-by. It is intended as a multi-ISP network, where a roaming OBAN user may consume mobile IP services from residential wireless access points regardless of whether or not he has a contract with the same ISP as the residential user. In addition to serving as a lower-cost, higher-bandwidth alternative to services such as UMTS [2] or WiMAX [3], OBAN also intends to incorporate multi-lateral roaming agreements [4] towards such services, in e®ect creating a ubiquitous, world-wide network. -
A New a Kerberos Model
Volume 2, Issue 3, March 2012 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com 3 A NEW A KERBEROS MODEL Aditya Harbola* Deepti Negi Deepak Harbola School of computing School of computing Department of computer science Graphic Era University, Graphic Era University, BCTKEC, Dehradun, UK Dehradun, UK Dwarahat, UK [email protected] [email protected] [email protected] Abstract – An internet service provider (ISPs) offers easy access to the network to meet the ever growing demand for business. The authenticated subscribers must be verified for access authorization and for cost recovery, billing and resource planning purpose. For all business services coordination between the various administrative system’s are required. This paper presents a new AAA Kerberos protocol for distributed systems. Traditional Kerberos authentication schemes do not meet distributed system requirements of authorization, failsafe operation, accounting of service usage and resilience to loss of connectivity. Our new AAA Kerberos protocol model meets the requirements of authentication, authorization and accounting. Keywords - Authentication, authorization, accounting, key management, control systems. INTRODUCTION end user's resource consumption, which can then be processed for billing, auditing, and capacity-planning purposes. A network is full of challenges and meeting these One of the requirements of AAA framework is a good challenges in a simplified and scalable manner lies at the heart price-to-performance ratio offering high-volume disk storage of authentication, authorization, and accounting. AAA and optimized database administration. A single AAA server essentially defines a framework for coordinating the challenges can act as a centralized administrative control point for multiple across multiple network technologies and platforms.