Planning a Kerberos server

Plan for a Kerberos server based on your operating system.

A Kerberos server or key distribution center (KDC) maintains a database of principals and their associated passwords. It is composed of the authentication server and the ticket-granting server. When a principal logs into a Kerberos network, the authentication server validates the principal and sends them a ticket-granting ticket. When planning to use Kerberos authentication, you need to decide what system you want to configure as a Kerberos server.
Note: The network authentication service information focuses on Kerberos servers that run in either PASE for i or Windows server. Most scenarios and examples assume that a Windows server has been configured as a Kerberos server, unless explicitly mentioned otherwise. If you are using any of these other operating systems or third-party applications for Kerberos authentication, see the corresponding documentation.
The following list provides details on Kerberos server support on three key operating systems:
Microsoft Windows andWindows server
Both Microsoft Windows and Windows server operating systems support Kerberos authentication as their default security mechanism. When administrators add users and services though Microsoft Active Directory, they are in effect creating Kerberos principals for those users and services. If you have a Windows or Windows server in your network, you have a Kerberos server built into those operating systems.
AIX® and PASE for i
Both AIX and PASE for i support a Kerberos server through the kadmin command. Administrators need to enter the PASE environment (by entering call QP2TERM) to configure and manage the PASE Kerberos server. PASE for i provides a run-time environment for AIX applications, such as a Kerberos server. The following documentation can help you configure and manage a Kerberos server in AIX.
  • IBM Network Authentication Service AIX, Linux®, and Solaris Administrator's and User's Guide.
  • IBM Network Authentication Service AIX, Linux, and Solaris Application Development Reference.
    Note: You can find this documentation in the AIX 5L Expansion Pack and Bonus Pack CDLink outside the Information center.
Security Server Network Authentication Service for z/OS is the IBM z/OS program based on Kerberos Version 5. Network Authentication Service for z/OS provides Kerberos security services without requiring that you purchase or use a middleware program. These services support for a native Kerberos server. See z/OS Security Server Network Authentication Service Administration Link to PDF for details on configuring and managing a z/OS Kerberos server.

No matter what operating system provides the Kerberos server, you need to determine the server ports for the Kerberos server, secure access to the Kerberos server, and ensure that time between clients and the Kerberos server are synchronized.

Determining server ports
Network authentication service uses port 88 as the default for the Kerberos server. However, other ports can be specified in the configuration files of the Kerberos server. You should verify the port number in the Kerberos configuration files located on the Kerberos server.
Securing access to the Kerberos server
The Kerberos server should be located on a secure, dedicated system, to help ensure that the database of principals and passwords is not compromised. Users should have limited access to the Kerberos server. If the system on which the Kerberos server resides is also used for some other purpose, such as a Web server or an FTP server, someone might take advantage of security flaws within these applications and gain access to the database stored on the Kerberos server. For a Kerberos server in Microsoft Active Directory, you can optionally configure a password server that principals can use to manage and update their own passwords stored on the Kerberos server. If you have configured a Kerberos server in PASE for i and you are unable to dedicate the IBM i to Kerberos authentication, you should ensure that only your administrator has access to the Kerberos configuration.
Synchronizing system times
Kerberos authentication requires that system time is synchronized. Kerberos rejects any authentication requests from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket is embedded with the time it was sent to a principal, hackers cannot resend the same ticket at a later time to attempt to be authenticated to the network. The IBM i also rejects tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value is 300 seconds (five minutes) for the maximum clock skew. During network authentication service configuration, the maximum clock skew is set to this default; however, if necessary, you can change this value. It is recommended that this value not be greater than 300 seconds. See Synchronizing system times for details on how to work with system times.
Table 1. Example planning work sheet for Kerberos server. This planning work sheet provides an example of how an administrator planned the Kerberos server for a network.
Questions Answers
On which operating system do you plan to configure your Kerberos server?
  • Windows server
  • AIX Server
  • PASE for i (V5R4, or later)
  • z/OS
IBM Portable Application Solutions Environment for i (PASE)
What is the fully qualified domain name for the Kerberos server?
Are times between the PCs and systems that connect to the Kerberos server synchronized? What is the maximum clock skew? Yes, 300 seconds

Should I install the Network Authentication Enablement (5770-NAE) product?

Yes, if you plan to configure a Kerberos server in PASE for i on a i 5.4 or later system.