Planning a Kerberos server
Plan for a Kerberos server based on your operating system.
A Kerberos server or key distribution center (KDC) maintains a
database of principals and their associated passwords. It is composed
of the authentication server and the ticket-granting server. When
a principal logs into a Kerberos network, the authentication server
validates the principal and sends them a ticket-granting ticket. When
planning to use Kerberos authentication, you need to decide what system
you want to configure as a Kerberos server.
Note: The network authentication service information focuses on Kerberos servers that run either in PASE for i or on a Windows server. Most scenarios and examples assume that a Windows server has been configured as the Kerberos server unless explicitly mentioned otherwise. If you are using any other operating system or third-party application for Kerberos authentication, see the corresponding documentation.
The following list provides details on Kerberos server support on three key operating systems:

No matter which operating system provides the Kerberos server, you need to determine the server ports for the Kerberos server, secure access to the Kerberos server, and ensure that the time between clients and the Kerberos server is synchronized.
- Determining server ports
- Network authentication service uses port 88 as the default for the Kerberos server. However, other ports can be specified in the configuration files of the Kerberos server. You should verify the port number in the Kerberos configuration files located on the Kerberos server.
- Securing access to the Kerberos server
- The Kerberos server should be located on a secure, dedicated system, to help ensure that the database of principals and passwords is not compromised. Users should have limited access to the Kerberos server. If the system on which the Kerberos server resides is also used for some other purpose, such as a Web server or an FTP server, someone might take advantage of security flaws within these applications and gain access to the database stored on the Kerberos server. For a Kerberos server in Microsoft Active Directory, you can optionally configure a password server that principals can use to manage and update their own passwords stored on the Kerberos server. If you have configured a Kerberos server in PASE for i and you are unable to dedicate the IBM i to Kerberos authentication, you should ensure that only your administrator has access to the Kerberos configuration.
- Synchronizing system times
- Kerberos authentication requires that system time is synchronized. Kerberos rejects any authentication request from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket is embedded with the time it was sent to a principal, an attacker cannot replay the same ticket at a later time to attempt to authenticate to the network. The IBM i also rejects tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value for the maximum clock skew is 300 seconds (five minutes). During network authentication service configuration, the maximum clock skew is set to this default; however, if necessary, you can change this value. It is recommended that this value not be greater than 300 seconds. See Synchronizing system times for details on how to work with system times.
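As an added illustration (not part of the original IBM documentation), the following Python script checks two of the planning items above against a Kerberos configuration file: it reports the KDC host and port for a realm (defaulting to port 88 when none is given) and the configured maximum clock skew (defaulting to 300 seconds), and warns when the skew limit exceeds the recommended value. It assumes the server's configuration uses the MIT-style krb5.conf syntax; the sample configuration, its port number, and the second realm are constructed for this example.

```python
"""Pre-flight check for the Kerberos-server planning items:
KDC port (default 88) and maximum clock skew (default 300 s)."""
import re

DEFAULT_KDC_PORT = 88
DEFAULT_CLOCKSKEW = 300  # seconds, the documented default

# Constructed sample in krb5.conf syntax (not from a real system).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYCO.COM
    clockskew = 600

[realms]
    MYCO.COM = {
        kdc = systema.myco.com:1088
        admin_server = systema.myco.com
    }
    OTHER.COM = {
        kdc = kdc.other.com
    }
"""


def parse_krb5_conf(text):
    """Parse the simple subset of krb5.conf syntax used here:
    [section] headers, key = value lines, and one level of { } stanzas."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            section = conf.setdefault(header.group(1), {})
            stanza = None
            continue
        if line == '}':                        # end of a realm stanza
            stanza = None
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if value == '{':                       # start of a realm stanza
            stanza = section.setdefault(key, {})
        elif stanza is not None:
            stanza[key] = value
        else:
            section[key] = value
    return conf


def kdc_endpoint(conf, realm):
    """(host, port) of the realm's KDC; port falls back to 88."""
    host, _, port = conf['realms'][realm]['kdc'].partition(':')
    return host, (int(port) if port else DEFAULT_KDC_PORT)


def clock_skew_limit(conf):
    """Effective maximum clock skew in seconds (default 300)."""
    return int(conf.get('libdefaults', {}).get('clockskew', DEFAULT_CLOCKSKEW))


def skew_warning(conf, recommended_max=300):
    """None if the skew limit is within the recommendation, else a message."""
    limit = clock_skew_limit(conf)
    if limit <= recommended_max:
        return None
    return f"clockskew {limit}s exceeds recommended {recommended_max}s"
```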
| Questions | Answers |
|---|---|
| On which operating system do you plan to configure your Kerberos server? | IBM Portable Application Solutions Environment for i (PASE) |
| What is the fully qualified domain name for the Kerberos server? | systema.myco.com |
| Are times between the PCs and systems that connect to the Kerberos server synchronized? What is the maximum clock skew? | Yes, 300 seconds |
| Should I install the Network Authentication Enablement (5770-NAE) product? | Yes, if you plan to configure a Kerberos server in PASE for i on an i 5.4 or later system. |