Kerberos

Description

Kerberos services provide the University standard network authentication protocol. Kerberos was designed by MIT to provide strong authentication for client/server applications using secret-key (symmetric) cryptography. The service encrypts a short-lived token (called a ticket) with a key derived from the user's password, so that only that user can unlock it.

Service is available for dce.psu.edu, fps.psu.edu, and test realms. Kerberos service principals for the Penn State Access Account Kerberos realm are created either through the online self-service Keytab Generator (keytabgen) or by a Kerberos administrator. They serve one of two purposes: validating Kerberos tickets that have been passed to a computer service (server keytabs), or providing peer-to-peer host authentication and wire transport encryption for NFS (personal keytabs).

Benefits

  • University standard for network authentication
  • Strong authentication for client/server applications using secret-key (symmetric) cryptography

Features

Kerberos V (version 5) supports:

  • Single password for all systems: Users only need to remember one
  • Ticket-granting tickets: Users can obtain tickets for multiple services without retyping their password (single sign-on)
  • Strong encryption to protect both passwords and, optionally, data
  • Session key management: Applications may use the keys for encryption and integrity checking of data transfer
  • Administrative boundary protection: KDC managers do not depend on the security of every system to safeguard the others, and system managers do not need to depend on the security of other Kerberized systems
  • Multiple encryption types, automatically negotiated by the client and KDC
  • Direct trust for authentication (requests are sent to the AD team)

Service Availability and Maintenance

The service is available 24 hours per day, seven days per week.

To keep systems running at peak performance, and to ensure the best possible service, routine testing and maintenance are performed during the daily maintenance window from 5:00 a.m. to 7:00 a.m. EST/EDT. During this time, systems and services may be affected. Unanticipated urgent service issues may require maintenance at other times.

Pricing

There is no charge for this service.

Customers and Users

The service is available to, and is used by, Penn State departments.

Getting Started

IdS runs several Kerberos realms in support of:

  • Penn State Access Accounts (dce.psu.edu)
  • Friends of Penn State accounts (fops.psu.edu)

Update to Use Replication

The MIT Kerberos V KDCs used at Penn State were updated to change their method of synchronization. Previously, syncing between the master and its replicas was accomplished by a process called propagation, which made a full copy of the database and sent it to each replica from start to finish. This became very time consuming for large databases such as those at Penn State.

A patch provided by the University of Michigan was applied in order to implement immediate Kerberos changes; this method is called replication. Each Access Account change (password change, lock, add, etc.) is copied individually, making its effect virtually instantaneous and eliminating the delays the former propagation method caused for daily operations.

Support

Check the Support page for information on Identity Services and IT Service desk support.