@c $Id: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $

@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top
@comment node-name, next, previous, up
@chapter Windows 2000 compatibility

Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
Kerberos 5. Their implementation, however, has some quirks,
peculiarities, and bugs. This chapter is a short summary of the things
that we have found out while trying to test Heimdal against Windows
2000. Another big problem with the Kerberos implementation in Windows
2000 is that the available documentation is more focused on getting
things to work than on how they work, and so is not that useful in
figuring out what really happens on the wire.

This information should apply to Heimdal @value{VERSION} and Windows
2000 Professional. It is of course subject to change at any time and
mostly consists of our not so inspired guesses. Hopefully it is still
somewhat useful.

@menu
* Configuring Windows 2000 to use a Heimdal KDC::
* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
* Create account mappings::
* Encryption types::
* Authorization data::
* Quirks of Windows 2000 KDC::
* Useful links when reading about the Windows 2000::
@end menu

@node Configuring Windows 2000 to use a Heimdal KDC, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability, Windows 2000 compatability
@comment node-name, next, previous, up
@section Configuring Windows 2000 to use a Heimdal KDC

You need the command line program called @code{ksetup.exe}, which is
available in the file @code{SUPPORT/TOOLS/SUPPORT.CAB} on the Windows
2000 Professional CD-ROM. This program is used to configure the Kerberos
settings on a workstation.

@code{Ksetup} stores the realm information under the registry key
@code{HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains}.

Use the kadmin program in Heimdal to create a host principal in the
Kerberos realm.

@example
unix% kadmin
kadmin> ank -pw password host/datan.my.domain
@end example

You must configure the workstation as a member of a workgroup, as opposed
to a member of an NT domain, and specify the KDC server of the realm
as follows:
@example
C:> ksetup /setdomain MY.REALM
C:> ksetup /addkdc MY.REALM kdc.my.domain
@end example

Set the machine password, i.e. create the local keytab. This must be the
same password that was given to @code{ank -pw} above, since it is the key
the workstation uses for its host principal:
@example
C:> ksetup /setmachpassword password
@end example

The workstation must now be rebooted.

A mapping between local NT users and Kerberos principals must be
specified; you have two choices:

@example
C:> ksetup /mapuser user@@MY.REALM nt_user
@end example

This maps one principal to one specific local user, which allows you to
have different user names in the realm than in your NT user database.

You can also say:
@example
C:> ksetup /mapuser * *
@end example
The Windows machine will now map any user to the corresponding principal,
for example @samp{nisse} to the principal @samp{nisse@@MY.REALM}.
(This is most likely what you want.) Note that this trusts the realm for
every local account name, @samp{Administrator} included, so make sure no
such principal exists in the realm unless that is what you intend.

@node Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Create account mappings, Configuring Windows 2000 to use a Heimdal KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC

See also the Step-by-Step guide from Microsoft, referenced below
(@pxref{Useful links when reading about the Windows 2000}).

Install Windows 2000, and create a new domain controller (Active
Directory server) for the domain.

By default the trust will be non-transitive. This means that only users
directly from the trusted realm may authenticate. This can be changed
to transitive by using the @code{netdom.exe} tool.

You need to tell Windows 2000 on what hosts to find the KDCs for the
non-Windows realm with @code{ksetup}; @pxref{Configuring Windows 2000
to use a Heimdal KDC}.

This needs to be done on all computers that want to enable cross-realm
login with @code{Mapped Names}.

Then you need to add the inter-realm keys on the Windows KDC. Start the
Domain Tree Management tool (found in Programs, Administrative Tools,
Active Directory Domains and Trusts).

Right click on your domain, select Properties, then the Trusts tab.
Press Add in the appropriate trust window and enter the realm name and
password. When prompted whether this is a non-Windows Kerberos realm,
press OK.

Do not forget to add trusts in both directions.

You also need to add the inter-realm keys to the Heimdal KDC. There are
some tweaks that you need to do to @file{krb5.conf} beforehand:

@example
[libdefaults]
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc
@end example

since otherwise checksum types that are not understood by Windows 2000
will be generated (@pxref{Quirks of Windows 2000 KDC}).

Another issue is salting. Since Windows 2000 does not seem to
understand keys derived with the Kerberos 4 (empty) salt, you might need
to turn off anything similar to the following if you have it, at least
while adding the principals that are going to share keys with Windows
2000:

@example
[kadmin]
	default_keys = v5 v4
@end example

Once that is also done, you can add the required inter-realm keys:

@example
kadmin add krbtgt/NT.EXAMPLE.COM@@EXAMPLE.COM
kadmin add krbtgt/EXAMPLE.COM@@NT.EXAMPLE.COM
@end example

where @samp{EXAMPLE.COM} is the Heimdal realm and @samp{NT.EXAMPLE.COM}
is the Windows domain. Use the same password for both keys, and the same
password that you entered in the trust dialog on the Windows side, since
both KDCs must end up with identical cross-realm keys.

Do not forget to reboot before trying the new realm trust (after running
@code{ksetup}). Without the reboot it looks like it might work, but
packets are never sent to the non-Windows KDC.

@node Create account mappings, Encryption types, Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Create account mappings

Start the @code{Active Directory Users and Computers} tool. Select the
View menu, which is in the left corner just below the real menu (or press
Alt-V), and select Advanced Features. Right click on the user that you
are going to do a name mapping for and choose Name Mappings.

Click on the Kerberos Names tab and add a new principal from the
non-Windows realm.

@node Encryption types, Authorization data, Create account mappings, Windows 2000 compatability
@comment node-name, next, previous, up
@section Encryption types

Windows 2000 supports both the standard DES encryption types
(des-cbc-crc and des-cbc-md5) and its own proprietary encryption type
based on MD4 and RC4, which is described in
@file{draft-brezak-win2k-krb-rc4-hmac-03.txt} (later published as
RFC 4757). New users will get both MD4 and DES keys. Users that are
converted from an NT4 database will only have MD4 keys and will need a
password change to get a DES key.

Heimdal implements both of these encryption types, but since DES is the
standard and the rc4-hmac code is somewhat newer, DES is likely to work
better.

@node Authorization data, Quirks of Windows 2000 KDC, Encryption types, Windows 2000 compatability
@comment node-name, next, previous, up
@section Authorization data

The Windows 2000 KDC also adds extra authorization data in tickets.
It is at this point unclear what triggers it to do this. The format of
this data was, when this was written, only available under a ``secret''
license from Microsoft which prohibits you from implementing it. (It
has since been published as the PAC specification, [MS-PAC].)

A simple way of getting hold of the data to be able to understand it
better is described here.

@enumerate
@item Find the client example on using the SSPI in the SDK documentation.
@item Change ``AuthSamp'' in the source code to lowercase.
@item Build the program.
@item Add the ``authsamp'' principal with a known password to the
database. Make sure it has a DES key.
@item Run @kbd{ktutil add} to add the key for that principal to a
keytab.
@item Run @kbd{appl/test/nt_gss_server -p 2000 -s authsamp
--dump-auth=@var{file}}, where @var{file} is an appropriate file.
@item It should authenticate and dump the authorization data for you in
the file.
@item The tool @kbd{lib/asn1/asn1_print} is somewhat useful for
analyzing the data.
@end enumerate

@node Quirks of Windows 2000 KDC, Useful links when reading about the Windows 2000, Authorization data, Windows 2000 compatability
@comment node-name, next, previous, up
@section Quirks of Windows 2000 KDC

There are some issues with salts and Windows 2000. Using an empty salt,
which is the only one that Kerberos 4 supported and is therefore known
as a Kerberos 4 compatible salt, does not work, as far as we can tell
from our experiments and user reports. Therefore, you have to make
sure you keep around keys with all the different types of salts that are
required.

Microsoft also seems to have forgotten to implement the checksum
algorithms @samp{rsa-md4-des} and @samp{rsa-md5-des}. This can make name
mapping (@pxref{Create account mappings}) fail if a @code{des-cbc-md5} key
is used. To make the KDC return only @code{des-cbc-crc} you must delete
the @code{des-cbc-md5} key from the KDC using the @code{kadmin
del_enctype} command.

@example
kadmin del_enctype lha des-cbc-md5
@end example

(Here @samp{lha} is the principal whose @code{des-cbc-md5} key is being
removed.)

You should also add the following entries to the @file{krb5.conf} file:

@example
[libdefaults]
	default_etypes = des-cbc-crc
	default_etypes_des = des-cbc-crc
@end example

These configuration options will make sure that no checksums of the
unsupported types are generated.

@node Useful links when reading about the Windows 2000, , Quirks of Windows 2000 KDC, Windows 2000 compatability
@comment node-name, next, previous, up
@section Useful links when reading about the Windows 2000

See also our paper presented at the 2001 USENIX Annual Technical
Conference, available in the proceedings or at
@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}.

There is a lot of text about Kerberos on Microsoft's web site; here is a
short list of the interesting documents that we have managed to find.

@itemize @bullet

@item Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
@url{http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp}
Kerberos GSS-API (in Windows-speak, SSPI), Windows as a client in a
non-Windows KDC realm, adding Unix clients to a Windows 2000 KDC, and
adding cross-realm trust (@pxref{Inter-Realm keys (trust) between Windows 2000
and a Heimdal KDC}).

@item Windows 2000 Kerberos Authentication -
@url{http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp}
White paper that describes how Kerberos is used in Windows 2000.

@item Overview of Kerberos -
@url{http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP}
Links to other useful links.

@item Klist for Windows -
@url{http://msdn.microsoft.com/library/periodic/period00/security0500.htm}
Describes where to get a klist for Windows 2000.

@item Event logging for Kerberos -
@url{http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP}.
Basically it says that if you add a DWORD registry value
@code{LogLevel} with the value 1 under
@code{HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters},
you get Kerberos logging in the Event Log.

@item Access to Active Directory through LDAP -
@url{http://msdn.microsoft.com/library/techart/kerberossamp.htm}

@end itemize

Other useful programs include these:

@itemize @bullet
@item pwdump2
@url{http://www.webspan.net/~tas/pwdump2/}
@end itemize

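
To make sense of the file written by @kbd{--dump-auth} in the
Authorization data section, here is an added example parser; it is not
Heimdal code. It assumes the dump holds the DER @code{AuthorizationData}
from the ticket (if the tool wrote only the inner ad-data, feed that to
@code{parse_pac_buffers} directly). It walks the RFC 4120
@code{AuthorizationData} structure, unwraps @code{AD-IF-RELEVANT}
(ad-type 1), and for @code{AD-WIN2K-PAC} (ad-type 128) lists the PAC
buffers using the @code{PACTYPE} header from [MS-PAC], which Microsoft
published after this text was written. The sample input is constructed in
the block (two all-zero checksum buffers); real PACs carry more buffers
and real signatures.

```python
"""Unpick Windows 2000 authorization data: added example, not Heimdal code.
Minimal DER reader for RFC 4120 AuthorizationData plus the [MS-PAC] buffer table."""
import struct

AD_IF_RELEVANT = 1    # RFC 4120: wrapper whose contents a server may ignore
AD_WIN2K_PAC = 128    # RFC 4120: where the Windows PAC lives
PAC_BUFFER_NAMES = {1: "logon-info", 2: "credential-info", 6: "server-checksum",
                    7: "kdc-checksum", 10: "client-info"}   # [MS-PAC] ulType values


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_authorization_data(der):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE {
         ad-type [0] Int32, ad-data [1] OCTET STRING }  -> [(ad_type, ad_data)]"""
    tag, seq, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not an AuthorizationData SEQUENCE")
    items, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = _tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AuthorizationData element is not a SEQUENCE")
        t0, ctx0, p = _tlv(elem, 0)
        t1, ctx1, _ = _tlv(elem, p)
        if (t0, t1) != (0xA0, 0xA1):
            raise ValueError("unexpected context tags in AuthorizationData")
        _, ad_type, _ = _tlv(ctx0, 0)                   # INTEGER inside [0]
        _, ad_data, _ = _tlv(ctx1, 0)                   # OCTET STRING inside [1]
        items.append((int.from_bytes(ad_type, "big", signed=True), bytes(ad_data)))
    return items


def flatten(der):
    """Yield (ad_type, ad_data) with AD-IF-RELEVANT wrappers removed; Windows
    nests the PAC inside one."""
    for ad_type, ad_data in parse_authorization_data(der):
        if ad_type == AD_IF_RELEVANT:
            yield from flatten(ad_data)
        else:
            yield ad_type, ad_data


def parse_pac_buffers(pac):
    """[MS-PAC] PACTYPE: cBuffers, Version (0), then cBuffers PAC_INFO_BUFFER
    entries {ulType, cbBufferSize, Offset}; all little-endian, Offset 64-bit."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unknown PAC version %d" % version)
    out = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC buffer %d overruns the PAC" % i)
        out.append((ul_type, pac[offset:offset + size]))
    return out


# --- constructed sample input (not taken from a real ticket) -----------------
def _der(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_authorization_data(items):
    elems = b"".join(
        _der(0x30, _der(0xA0, _der(0x02, t.to_bytes(t.bit_length() // 8 + 1, "big", signed=True)))
                 + _der(0xA1, _der(0x04, d)))
        for t, d in items)
    return _der(0x30, elems)


def build_sample_pac(buffers):
    """Lay out a PAC from (ulType, payload) pairs, payloads 8-byte aligned."""
    header, offset, table, body = struct.pack("<II", len(buffers), 0), 8 + 16 * len(buffers), b"", b""
    for ul_type, payload in buffers:
        table += struct.pack("<IIQ", ul_type, len(payload), offset)
        padded = payload + b"\x00" * (-len(payload) % 8)
        body, offset = body + padded, offset + len(padded)
    return header + table + body


SAMPLE_PAC = build_sample_pac([(6, b"\x00" * 16), (7, b"\x00" * 16)])
SAMPLE_AUTHZ = encode_authorization_data(
    [(AD_IF_RELEVANT, encode_authorization_data([(AD_WIN2K_PAC, SAMPLE_PAC)]))])


def describe(der):
    """[(ad_type, [(buffer name, size), ...] or None)] for each top-level entry."""
    found = []
    for ad_type, ad_data in flatten(der):
        if ad_type == AD_WIN2K_PAC:
            found.append((ad_type, [(PAC_BUFFER_NAMES.get(t, "type-%d" % t), len(b))
                                    for t, b in parse_pac_buffers(ad_data)]))
        else:
            found.append((ad_type, None))
    return found


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHZ
    for entry in describe(data):
        print(entry)
```

Run it with the dump file as argument to get the buffer table; the
@code{server-checksum} and @code{kdc-checksum} buffers are the two
signatures a server has to verify (and a KDC has to recompute) before
trusting the logon information, which is the reason a ticket-carrying PAC
cannot simply be copied into a forged ticket.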