Microsoft, others target authentication protocol

February 11, 2000
Web posted at: 8:37 a.m. EST (1337 GMT)

by John Fontana

From Network World Fusion

(IDG) -- Enterprise customers hoping to build interoperability between Windows 2000 and their established Kerberos installations are finally beginning to get some help.

Microsoft and other security vendors, such as CyberSafe, are starting to develop technology that could establish interoperability between standard implementations of Kerberos Version 5 in Win 2000 and Unix-based implementations of the authentication protocol. That interoperability could let enterprise customers build large-scale cross-platform Kerberos infrastructures.

Kerberos is a standard security mechanism that makes users prove who they are before they can gain access to network resources. Microsoft is supporting the protocol for the first time in Win 2000, but there have been questions about its interoperability with other Kerberos environments, especially those running on different platforms.

"What we're talking about are interoperable security credentials," says Chris Christiansen, an analyst with International Data Corp., a market research firm in Framingham, Mass. "You need to create a bridge to support a heterogeneous environment, and that's something Microsoft doesn't do."

A plan in place

Microsoft and CyberSafe have set out to address that problem. The two are working together to prove that CyberSafe's ActiveTrust software can establish a connection, or trust, between Win 2000 and other Kerberos environments. The trust would allow Windows clients to authenticate to non-Windows servers and non-Windows clients to authenticate to Windows servers.

In addition, ActiveTrust will support a number of clients, including Windows 95 and 98, that cannot otherwise use Kerberos in Win 2000.

The software also has a password synchronization feature administrators can use to create a single sign-on.

While Microsoft and CyberSafe are preaching interoperability, the pair have yet to announce a formal partnership.

Others tackle the problem

But they are not the only companies attacking the issue. Gradient Technologies plans to build interoperability extensions between its NetCrusader DCE Security Server and Win 2000 later this year. Gradient is likely to focus on solving authorization interoperability in addition to authentication because its authorization mechanism within Kerberos is different from Microsoft's.

Gradient would not provide details, but said it would make an announcement a few months after Win 2000 ships Feb. 17, according to Rick Irving, director of the secure server group.

"There is some work to be done in order to allow users to log in to DCE and get access to Microsoft resources," he says.

Gradient and Microsoft use an authorization extension in the Kerberos standard, called the Auth Data field, in a way that is not interoperable.

Gradient, however, uses a publicly available data format in the Auth Data field and Microsoft does not. Last week, Microsoft again said it is finalizing efforts to publish its format. Once the format is public, other vendors can use it to support authorization to Microsoft resources.

Some work completed

However, Microsoft has finalized work on CyberSafe. The two used CyberSafe's ActiveTrust software to create trust relationships between Unix and Win 2000 Kerberos for financial firm Morgan Stanley Dean Witter.

While Dean Witter officials acknowledge they are able to authenticate users between their Unix and Win 2000 environments, enterprise customers are still likely to find interoperability a challenge.

"Wall Street-type companies have done this sort of interoperability but typically under controlled conditions," says John Pescatore, an analyst with Gartner Group. "What may look easy to Dean Witter may not look so easy to others, especially smaller companies."

Enterprise customers are likely to get more interoperability help once Win 2000 ships. Microsoft is rumored to be testing interoperability with others, including Dascom, which was recently bought by IBM, and the Massachusetts Institute of Technology, which developed the Kerberos Version 5 specification.

