Planning a Kerberos server

The network authentication service information focuses on Kerberos servers that run in either i5/OS^® PASE or Windows^® 2000 server. Most scenarios and examples assume that a Windows 2000 server has been configured as a Kerberos server, unless explicitly mentioned otherwise. If you are using any of these other operating systems or third-party applications for Kerberos authentication, see the corresponding documentation. The following list provides details on Kerberos server support on three key operating systems:

Microsoft^® Windows 2000 and Windows Server 2003

Both Microsoft Windows 2000 and Windows Server 20003 operating systems support Kerberos authentication as their default security mechanism. When administrators add users and services though Microsoft Windows Active Directory, they are in effect creating Kerberos principals for those users and services. If you have a Windows 2000 or 2003 server in your network, you have a Kerberos server built into those operating systems. For information about how Kerberos authentication is used on Microsoft Windows servers, see Windows 2000 Server.

AIX^® and i5/OS PASE

Both AIX and i5/OS PASE support a Kerberos server through the kadmin command. Administrators need to enter the PASE environment (by entering call QP2TERM) to configure and manage the PASE Kerberos server. i5/OS PASE provides a run-time environment for AIX applications, such as a Kerberos server. The following documentation can help you configure and manage a Kerberos server in AIX.

• IBM Network Authentication Service AIX, Linux^®, and Solaris Administrator's and User's Guide.

• IBM Network Authentication Service AIX, Linux, and Solaris Application Development Reference.

  You can find this documentation in the AIX 5L™ Expansion Pack and Bonus Pack CD.

z/OS^®

Security Server Network Authentication Service for z/OS is the IBM^® z/OS program based on Kerberos Version 5. Network Authentication Service for z/OS provides Kerberos security services without requiring that you purchase or use a middleware program. These services support for a native Kerberos server. See z/OS Security Server Network Authentication Service Administration for details on configuring and managing a z/OS Kerberos server.

No matter what operating system provides the Kerberos server, you need to determine the server ports for the Kerberos server, secure access to the Kerberos server, and ensure that time between clients and the Kerberos server are synchronized.

Determining server ports

Network authentication service uses port 88 as the default for the Kerberos server. However, other ports can be specified in the configuration files of the Kerberos server. You should verify the port number in the Kerberos configuration files located on the Kerberos server.

Securing access to the Kerberos server

The Kerberos server should be located on a secure, dedicated system, to help ensure that the database of principals and passwords is not compromised. Users should have limited access to the Kerberos server. If the system on which the Kerberos server resides is also used for some other purpose, such as a Web server or an FTP server, someone might take advantage of security flaws within these applications and gain access to the database stored on the Kerberos server. For a Kerberos server in Microsoft Windows Active Directory, you can optionally configure a password server that principals can use to manage and update their own passwords stored on the Kerberos server. If you have configured a Kerberos server in i5/OS PASE and you are unable to dedicate the System i™ platform to Kerberos authentication, you should ensure that only your administrator has access to the Kerberos configuration.

Synchronizing system times

Kerberos authentication requires that system time is synchronized. Kerberos rejects any authentication requests from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket is embedded with the time it was sent to a principal, hackers cannot resend the same ticket at a later time to attempt to be authenticated to the network. The System i platform also rejects tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value is 300 seconds (five minutes) for the maximum clock skew. During network authentication service configuration, the maximum clock skew is set to this default; however, if necessary, you can change this value. IBM recommends that this value not be greater than 300 seconds. See Synchronizing system times for details on how to work with system times.