Article information

  • Title: Just the Ticket! - Internet/Web/Online Service Information
  • Author: Mark McFadden
  • Journal: ENT
  • Print ISSN: 1085-2395
  • Electronic ISSN: 1085-2395
  • Year: 1997
  • Volume: July 16, 1997
  • Publisher: 101Communications Llc

Just the Ticket! - Internet/Web/Online Service Information

Mark McFadden

Internet security is so important that the Internet Architecture Board, the elite cabal of networking engineers who control the Internet standards process, recently moved to ensure that every action, every protocol and every decision addresses security. In a related development, Microsoft has moved to adopt industry standards for security rather than invent its own. Later this year, the transition will be complete: You'll be using an Internet standard security technology for distributed security in Windows NT domains. Get ready for Kerberos.

In today's Windows NT domains, the primary platform for distributed security is NT LAN Manager (NTLM). NTLM is a mature challenge-response authentication protocol that provides reliable security for a single domain; with NT's session security it also offers message integrity and confidentiality, and once a user is authenticated the NT security model enforces access control. While it works well inside pure Windows NT environments, it is not as capable in mixed networks, for instance UNIX-based data warehouses serving up views to distributed workstations. Also, many managers find the domain model hard to use when they need to establish relationships of trust between workgroups and teams: NT trusts are one-way and non-transitive, so every pair of domains that must share resources needs its own explicitly configured trust.

Rather than continue to develop NTLM and attempt to adapt it to new environments, Microsoft has decided to relegate the protocol to legacy status and move to an established, Internet-standard distributed security solution: Kerberos.

Kerberos is an authentication protocol originally designed at MIT. Developed for MIT's Project Athena in the 1980s, Kerberos is built on a single, simple premise. For each organization there exists one extremely secure computer, perhaps residing in a locked room under 24-hour guard, that holds a secret key for every user and service on the network (for users, a key derived from the password rather than the password itself). Every other computer on the network trusts the identities this server vouches for, hence the term trusted third party; in Kerberos terminology the server is the Key Distribution Center (KDC). Whether an authenticated user may then use a given resource is a separate question, left to the application.

When a user wants to gain access to a secure service on the network, he or she first authenticates to the KDC. The KDC's authentication service returns a ticket-granting ticket (TGT), encrypted under a key only the KDC knows, together with a session key encrypted under the user's own key; a client that cannot decrypt that session key (because the password was wrong) gets nowhere. The TGT acts as a passport to the services secured by that KDC. The client can subsequently hand the TGT, along with an authenticator and a request for a known file service or application, back to the KDC's ticket-granting service without having to log in again. If the KDC finds the TGT valid, it passes back a new ticket for the requested service, encrypted under that service's own key. The client presents this service ticket, with a fresh authenticator, to the application server, which validates the user's identity by itself, without contacting the KDC. Tickets are cached at the client for their lifetime, so subsequent requests to the same service need no further intervention from the KDC.

When Microsoft finally ships Windows NT 5.0, the kit will come with a native implementation of Kerberos. According to Microsoft, its implementation follows version 5 of standard Kerberos (RFC 1510). Each Windows NT domain will be its own Kerberos realm with its own KDC. While Windows NT will continue to support NTLM for pass-through network authentication, remote file access and authenticated remote procedure call connections to earlier versions of Windows NT, Kerberos will become the primary security protocol for access to resources within or across Windows NT domains. Rather than having a single computer responsible for all security, Windows NT runs the Kerberos KDC as the authentication service on every domain controller, so a domain's KDC is replicated as widely as its controllers are.

Providing authentication for individual domains is necessary, but what is really needed is a single entry point to heterogeneous networks. Surely using an Internet protocol for distributed security ought to make managing access to services on a variety of platforms more efficient. In practice, interoperability among systems in a Kerberos-administered network is more complicated than that.

Unfortunately, clients that obtain their initial tickets from a non-Windows Kerberos server will have to use the Kerberos cross-realm referral mechanism: their own KDC issues a referral TGT for the Windows NT realm, encrypted under a key the two KDCs share, and the client presents that TGT to the separate KDC in the Windows NT service domain to request a service ticket. This works only if the administrators of both realms have first exchanged the inter-realm key.

Even so, there's no guarantee that the new ticket will contain enough information to allow the user to be authorized to use the Windows NT service. This is because, while the format of a Kerberos ticket is well defined, the contents of its authorization-data field are application-dependent: Windows NT places the user's security identifier and group membership there, and a non-Windows KDC has no way to supply them. The result is a user who is authenticated but not authorized, and a Windows service must treat such a ticket as an unknown user rather than fail open.
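The ticket flow described above (login, TGT, service ticket, application server, client-side cache) and the cross-realm referral just discussed, modelled end to end as an added example. This is illustrative code written for this page, not code from the article, from MIT or from Microsoft. The realm names NT.EXAMPLE and UNIX.EXAMPLE, the principals alice, bob and cifs/fileserver, the group name "Domain Users" and the toy HMAC-based cipher are all assumptions; the messages mirror the AS, TGS and AP exchanges of Kerberos V5 but as a simplified JSON model, not the ASN.1 wire format, and no replay cache is kept.

```python
import hashlib, hmac, json, os, time

SKEW, LIFETIME = 300, 8 * 3600          # authenticator clock skew and ticket lifetime, in seconds
NT, UX = "NT.EXAMPLE", "UNIX.EXAMPLE"   # assumed realm names, not from the article
FILESERVER = f"cifs/fileserver@{NT}"    # assumed NT service principal
class KerberosError(Exception): pass

# Toy authenticated encryption standing in for a Kerberos encryption type (assumption for illustration).
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KerberosError("integrity check failed: wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def string_to_key(password, principal):
    # The KDC stores only this derived key; the password itself never reaches it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:  # one realm's Authentication Service (AS) and Ticket-Granting Service (TGS)
    def __init__(self, realm, keys, authz):
        self.realm, self.keys, self.authz, self.tgs_requests = realm, keys, authz, 0
    def _ticket(self, client, service, authz):   # ticket sealed under the service's own key
        session = os.urandom(32).hex()
        return encrypt(self.keys[service], {"client": client, "service": service, "session_key": session,
                                            "expires": time.time() + LIFETIME, "authz": authz}), session
    def as_exchange(self, client):   # AS-REP: TGT under the TGS key, session key under the user's key
        tgt, session = self._ticket(client, f"krbtgt/{self.realm}@{self.realm}", self.authz.get(client, {}))
        return {"tgt": tgt, "enc_part": encrypt(self.keys[client], {"session_key": session})}
    def tgs_exchange(self, req):
        self.tgs_requests += 1
        # req["tgt_for"] names the krbtgt principal (local or cross-realm) whose key seals the TGT.
        tgt = decrypt(self.keys[req["tgt_for"]], req["tgt"])
        skey = bytes.fromhex(tgt["session_key"])
        if decrypt(skey, req["authenticator"])["client"] != tgt["client"] or time.time() > tgt["expires"]:
            raise KerberosError("TGT does not match authenticator or has expired")
        # Authorization data is copied from the TGT; a referral TGT from a foreign realm carries none.
        ticket, session = self._ticket(tgt["client"], req["service"], tgt["authz"])
        return {"ticket": ticket, "enc_part": encrypt(skey, {"session_key": session})}

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.cache = name, kdc, {}
        self.key, self.own_tgt = string_to_key(password, name), f"krbtgt/{kdc.realm}@{kdc.realm}"
    def login(self):   # AS exchange; a wrong password makes decrypt() fail here, on the client
        rep = self.kdc.as_exchange(self.name)
        self.cache[self.own_tgt] = (rep["tgt"], decrypt(self.key, rep["enc_part"])["session_key"])
        return self
    def _authenticator(self, session):
        return encrypt(bytes.fromhex(session), {"client": self.name, "timestamp": time.time()})
    def get_ticket(self, service, kdc=None, via=None):   # TGS exchange, skipped on a cache hit
        if service not in self.cache:
            via = via or self.own_tgt
            tgt, session = self.cache[via]
            rep = (kdc or self.kdc).tgs_exchange({"tgt_for": via, "tgt": tgt, "service": service,
                                                  "authenticator": self._authenticator(session)})
            self.cache[service] = (rep["ticket"], decrypt(bytes.fromhex(session), rep["enc_part"])["session_key"])
        return self.cache[service]
    def ap_request(self, service):
        ticket, session = self.get_ticket(service)
        return {"ticket": ticket, "authenticator": self._authenticator(session)}

def accept(service_key, required_group, req):
    # AP exchange on the application server: validated locally, with no call back to the KDC.
    t = decrypt(service_key, req["ticket"])
    a, now = decrypt(bytes.fromhex(t["session_key"]), req["authenticator"]), time.time()
    if a["client"] != t["client"] or abs(now - a["timestamp"]) > SKEW or now > t["expires"]:
        raise KerberosError("authentication failed")
    # Authenticated; whether the user is also authorized depends on what the ticket carries.
    return required_group in t["authz"].get("groups", [])

def demo():
    inter = os.urandom(32)                      # inter-realm key shared by both KDCs
    nt_keys = {f"alice@{NT}": string_to_key("correct horse", f"alice@{NT}"), FILESERVER: os.urandom(32),
               f"krbtgt/{NT}@{NT}": os.urandom(32), f"krbtgt/{NT}@{UX}": inter}
    ux_keys = {f"bob@{UX}": string_to_key("battery staple", f"bob@{UX}"),
               f"krbtgt/{UX}@{UX}": os.urandom(32), f"krbtgt/{NT}@{UX}": inter}
    # Only the NT KDC knows NT group membership, which it places in the ticket's authorization data.
    nt_kdc = KDC(NT, nt_keys, {f"alice@{NT}": {"groups": ["Domain Users"]}})
    ux_kdc, fs_key, r = KDC(UX, ux_keys, {}), nt_keys[FILESERVER], {}
    alice = Client(f"alice@{NT}", "correct horse", nt_kdc).login()
    r["alice_authorized"] = accept(fs_key, "Domain Users", alice.ap_request(FILESERVER))  # TGS, then AP
    accept(fs_key, "Domain Users", alice.ap_request(FILESERVER))           # second access: cached ticket
    r["tgs_requests_for_alice"] = nt_kdc.tgs_requests                      # 1, not 2
    # Cross-realm referral: a TGT for NT.EXAMPLE from bob's own KDC; the NT KDC accepts it but adds no NT authz data.
    bob = Client(f"bob@{UX}", "battery staple", ux_kdc).login()
    bob.get_ticket(f"krbtgt/{NT}@{UX}")
    bob.get_ticket(FILESERVER, kdc=nt_kdc, via=f"krbtgt/{NT}@{UX}")
    r["bob_authorized"] = accept(fs_key, "Domain Users", bob.ap_request(FILESERVER))  # False
    return r
```

Calling demo() returns a dictionary showing the three outcomes the text describes: alice is authenticated and authorized, her second access is answered from the ticket cache without a second TGS request, and bob, referred in from the UNIX realm, authenticates to the file server but is refused because his service ticket carries no NT group data. Each application server validates tickets with its own key and never contacts the KDC during the AP exchange; a wrong password surfaces as a failed decrypt in Client.login(), since the KDC only ever sees derived keys.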

While interoperability is still a problem, using Internet-standard Kerberos will give many Windows NT managers a better authentication tool. Kerberos is faster and more flexible than NTLM: an application server verifies a Kerberos ticket locally with its own key, whereas NTLM pass-through authentication needs a round trip to a domain controller for every new connection. Kerberos also supports mutual authentication, so the client learns that it is talking to the genuine server, and it promises interoperability with other computing platforms in the future. In addition, Windows NT network specialists will find that establishing security relationships in networks with several tiers of services is much easier under Kerberos than with NTLM, because a Kerberos ticket can be forwarded so that a middle-tier server acts on the user's behalf, something NTLM cannot do.

Managers will find that the next generation of Windows NT supports a variety of authentication strategies: NTLM for backward compatibility, Kerberos for high-performance production-quality authentication, and public-key technologies for authentication of users outside an organization's domain. The adoption of an established, Internet-standard authentication protocol will come as a welcome relief to managers used to the mountain of proprietary protocols of the past.

Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at mcfadden@cix.org.

COPYRIGHT 1997 101 Communications, Inc.
COPYRIGHT 2004 Gale Group
