1 @c $Id: win2k.texi,v 1.2 2008/03/22 08:37:00 mlelstv Exp $
3 @node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
4 @comment node-name, next, previous, up
5 @chapter Windows 2000 compatability
7 Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
8 Kerberos 5. Their implementation, however, has some quirks,
9 peculiarities, and bugs. This chapter is a short summary of the things
10 that we have found out while trying to test Heimdal against Windows
11 2000. Another big problem with the Kerberos implementation in Windows
12 2000 is that the available documentation is more focused on getting
13 things to work rather than how they work, and not that useful in figuring
14 out how things really work.
16 This information should apply to Heimdal @value{VERSION} and Windows
17 2000 Professional. It's of course subject to change all the time and
18 mostly consists of our not so inspired guesses. Hopefully it's still
22 * Configuring Windows 2000 to use a Heimdal KDC::
23 * Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
24 * Create account mappings::
26 * Authorisation data::
27 * Quirks of Windows 2000 KDC::
28 * Useful links when reading about the Windows 2000::
31 @node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
32 @comment node-name, next, precious, up
33 @section Configuring Windows 2000 to use a Heimdal KDC
35 You need the command line program called @command{ksetup.exe} which is available
36 in the file @file{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows 2000 Professional
37 CD-ROM. This program is used to configure the Kerberos settings on a
40 @command{Ksetup} store the domain information under the registry key:
41 @code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.
43 Use the @command{kadmin} program in Heimdal to create a host principal in the
48 kadmin> ank --password=password host/datan.example.com
51 The name @samp{datan.example.com} should be replaced with DNS name of
54 You must configure the workstation as a member of a workgroup, as opposed
55 to a member in an NT domain, and specify the KDC server of the realm
58 C:> ksetup /setdomain EXAMPLE.COM
59 C:> ksetup /addkdc EXAMPLE.COM kdc.example.com
62 Set the machine password, i.e.@: create the local keytab:
64 C:> ksetup /SetComputerPassword password
67 The password used in @kbd{ksetup /setmachpassword} must be the same
68 as the password used in the @kbd{kadmin ank} command.
70 The workstation must now be rebooted.
72 A mapping between local NT users and Kerberos principals must be specified.
73 You have two choices. First:
76 C:> ksetup /mapuser user@@MY.REALM nt_user
79 This will map a user to a specific principal; this allows you to have
80 other usernames in the realm than in your NT user database. (Don't ask
81 me why on earth you would want that@enddots{})
85 C:> ksetup /mapuser * *
87 The Windows machine will now map any user to the corresponding principal,
88 for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
89 (This is most likely what you want.)
91 @node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
92 @comment node-name, next, precious, up
93 @section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
95 See also the Step-by-Step guide from Microsoft, referenced below.
97 Install Windows 2000, and create a new controller (Active Directory
98 Server) for the domain.
100 By default the trust will be non-transitive. This means that only users
101 directly from the trusted domain may authenticate. This can be changed
102 to transitive by using the @command{netdom.exe} tool. @command{netdom.exe}
103 can also be used to add the trust between two realms.
105 You need to tell Windows 2000 on what hosts to find the KDCs for the
106 non-Windows realm with @command{ksetup}, see @xref{Configuring Windows 2000
107 to use a Heimdal KDC}.
109 This needs to be done on all computers that want enable cross-realm
110 login with @code{Mapped Names}. @c XXX probably shouldn't be @code
112 Then you need to add the inter-realm keys on the Windows KDC@. Start the
113 Domain Tree Management tool (found in Programs, Administrative tools,
114 Active Directory Domains and Trusts).
116 Right click on Properties of your domain, select the Trust tab. Press
117 Add on the appropriate trust windows and enter domain name and
118 password. When prompted if this is a non-Windows Kerberos realm, press
121 Do not forget to add trusts in both directions (if that's what you want).
123 If you want to use @command{netdom.exe} instead of the Domain Tree
124 Management tool, you do it like this:
127 netdom trust NT.REALM.EXAMPLE.COM /Domain:EXAMPLE.COM /add /realm /passwordt:TrustPassword
130 You also need to add the inter-realm keys to the Heimdal KDC. Make sure
131 you have matching encryption types (DES, Arcfour and AES in case of Longhorn)
133 Another issue is salting. Since Windows 2000 does not seem to
134 understand Kerberos 4 salted hashes you might need to turn off anything
135 similar to the following if you have it, at least while adding the
136 principals that are going to share keys with Windows 2000.
143 So remove v4 from default keys.
145 What you probably want to use is this:
149 default_keys = des-cbc-crc:pw-salt arcfour-hmac-md5:pw-salt
153 @c It is definitely not supported in base 2003. I haven't been able to
154 @c get SP1 installed here, but it is supposed to work in that.
156 Once that is also done, you can add the required inter-realm keys:
159 kadmin add krbtgt/NT.REALM.EXAMPLE.COM@@EXAMPLE.COM
160 kadmin add krbtgt/REALM.EXAMPLE.COM@@NT.EXAMPLE.COM
163 Use the same passwords for both keys.
165 Do not forget to reboot before trying the new realm-trust (after
166 running @command{ksetup}). It looks like it might work, but packets are
167 never sent to the non-Windows KDC.
169 @node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
170 @comment node-name, next, precious, up
171 @section Create account mappings
173 Start the @code{Active Directory Users and Computers} tool. Select the
174 View menu, that is in the left corner just below the real menu (or press
175 Alt-V), and select Advanced Features. Right click on the user that you
176 are going to do a name mapping for and choose Name mapping.
178 Click on the Kerberos Names tab and add a new principal from the
181 @c XXX check entry name then I have network again
182 This adds @samp{authorizationNames} entry to the users LDAP entry to
183 the Active Directory LDAP catalog. When you create users by script you
184 can add this entry instead.
186 @node Encryption types, Authorisation data, Create account mappings, Windows 2000 compatability
187 @comment node-name, next, previous, up
188 @section Encryption types
190 Windows 2000 supports both the standard DES encryptions (@samp{des-cbc-crc} and
191 @samp{des-cbc-md5}) and its own proprietary encryption that is based on MD4 and
192 RC4 that is documented in and is supposed to be described in
193 @file{draft-brezak-win2k-krb-rc4-hmac-03.txt}. New users will get both
194 MD4 and DES keys. Users that are converted from a NT4 database, will
195 only have MD4 passwords and will need a password change to get a DES
198 @node Authorisation data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
199 @comment node-name, next, previous, up
200 @section Authorisation data
202 The Windows 2000 KDC also adds extra authorisation data in tickets.
203 It is at this point unclear what triggers it to do this. The format of
204 this data is only available under a ``secret'' license from Microsoft,
205 which prohibits you implementing it.
207 A simple way of getting hold of the data to be able to understand it
208 better is described here.
211 @item Find the client example on using the SSPI in the SDK documentation.
212 @item Change ``AuthSamp'' in the source code to lowercase.
213 @item Build the program.
214 @item Add the ``authsamp'' principal with a known password to the
215 database. Make sure it has a DES key.
216 @item Run @kbd{ktutil add} to add the key for that principal to a
218 @item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
219 @kbd{--dump-auth}=@var{file}} where @var{file} is an appropriate file.
220 @item It should authenticate and dump for you the authorisation data in
222 @item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
226 @node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorisation data, Windows 2000 compatability
227 @comment node-name, next, previous, up
228 @section Quirks of Windows 2000 KDC
230 There are some issues with salts and Windows 2000. Using an empty salt---which is the only one that Kerberos 4 supported, and is therefore known
231 as a Kerberos 4 compatible salt---does not work, as far as we can tell
232 from out experiments and users' reports. Therefore, you have to make
233 sure you keep around keys with all the different types of salts that are
234 required. Microsoft have fixed this issue post Windows 2003.
236 Microsoft seems also to have forgotten to implement the checksum
237 algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make Name
238 mapping (@pxref{Create account mappings}) fail if a @samp{des-cbc-md5} key
239 is used. To make the KDC return only @samp{des-cbc-crc} you must delete
240 the @samp{des-cbc-md5} key from the kdc using the @kbd{kadmin
241 del_enctype} command.
244 kadmin del_enctype lha des-cbc-md5
247 You should also add the following entries to the @file{krb5.conf} file:
251 default_etypes = des-cbc-crc
252 default_etypes_des = des-cbc-crc
255 These configuration options will make sure that no checksums of the
256 unsupported types are generated.
258 @node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
259 @comment node-name, next, previous, up
260 @section Useful links when reading about the Windows 2000
262 See also our paper presented at the 2001 Usenix Annual Technical
263 Conference, available in the proceedings or at
264 @uref{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.
266 There are lots of texts about Kerberos on Microsoft's web site, here is a
267 short list of the interesting documents that we have managed to find.
271 @item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability:
272 @uref{http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx}.
273 Kerberos GSS-API (in Windows-eze SSPI), Windows as a client in a
274 non-Windows KDC realm, adding unix clients to a Windows 2000 KDC, and
275 adding cross-realm trust (@pxref{Inter-Realm keys (trust) between Windows 2000
278 @item Windows 2000 Kerberos Authentication:
279 @uref{www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx}.
280 White paper that describes how Kerberos is used in Windows 2000.
282 @item Overview of Kerberos:
283 @uref{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}.
284 Links to useful other links.
286 @c @item Klist for Windows:
287 @c @uref{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}.
288 @c Describes where to get a klist for Windows 2000.
290 @item Event logging for Kerberos:
291 @uref{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
292 Basically it say that you can add a registry key
293 @code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel}
294 with value DWORD equal to 1, and then you'll get logging in the Event
297 @c @item Access to the Active Directory through LDAP:
298 @c @uref{http://msdn.microsoft.com/library/techart/kerberossamp.htm}
302 Other useful programs include these:
306 @uref{http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm}@end itemize