Observers skeptical of Win 2000 Kerberos plan

Network World Fusion

April 25, 2000
Web posted at: 10:04 a.m. EDT (1404 GMT)

(IDG) -- In an attempt to answer interoperability questions about its implementation of Kerberos security in Windows 2000, Microsoft is finally preparing to reveal a key proprietary data format it has been guarding for nearly two years.

But while IT executives and standards watchers have hoped that Microsoft would publish the data format, they are now concerned about a possible Microsoft plan to license the technology instead of making it freely available. They say that action would continue to needlessly tie Kerberos users to Win 2000.

Kerberos is an Internet Engineering Task Force standard authentication and authorization mechanism. Ideally, a standards-based implementation of Kerberos allows for network or Internet-wide authentication and authorization regardless of the network operating system.

But Microsoft's implementation of Kerberos uses proprietary data, called a Privilege Access Certificate (PAC), in its Kerberos "tickets." The result is that tickets generated by third-party Kerberos servers, or Key Distribution Centers (KDC), are not valid to access Windows resources, such as files, applications or network devices, even though the KDCs are built around the same Kerberos Version 5 standard.

Microsoft has been saying for more than two years that it would publish PAC data as a way to foster interoperability.

Microsoft followed the Kerberos Version 5 specification but used the PAC in the specification's "auth-data field" on the Kerberos ticket to insert Windows Secure ID information that binds tickets to Windows Access Control Lists.

The Open Group, which develops DCE Kerberos, and the Massachusetts Institute of Technology, which develops a free KDC, also use the auth-data field to provide user ID but freely publish the data format.

Customers want Microsoft to address the restriction.

"Yes, I would like to see this information published, but whether it would help us with interoperability, I really don't know yet," says Al Williams, director of distributed systems services at Pennsylvania State University's Center for Academic Computing. He has more than 200,000 Kerberos user IDs on a Unix-based KDC and is rolling out Win 2000. Williams says he does not want licensing restrictions and he would not consider Microsoft's Kerberos "standards-based" if licenses are required.

"An open model tends to encourage cooperative partnerships. We feel that type of arrangement is better for all involved," Williams says. Microsoft officials would not comment on their plans for publishing the PAC data.

Regardless, some say requiring PAC licenses is a way to keep Kerberos users tied to Microsoft.

"We are happy they are living up to their promise of disclosure [of the PAC]," says Paul Hill, a senior programmer analyst at MIT and a member of the Kerberos Version 5 development team. "But we are not really happy that they want everyone to license the technology."

MIT's version of Kerberos is freely available, and Hill says MIT won't license the PAC for its server. "How would we pay for it? Our server is free. Putting PAC support in our server just won't happen," he says.

Microsoft, according to sources, hopes developers use the PAC in their applications, therefore tying them into the Win 2000 KDC. That would force non-Windows KDCs to have a trust relationship with Win 2000 KDCs in order to access those applications.

Microsoft could also allow KDC vendors to license and "clone" the PAC on their KDC without running a Win 2000 KDC, but it is not clear if that will be permitted. That would let users bypass Win 2000 and rely on a Unix KDC. But users running Kerberos and Windows applications - such as SQL, Exchange or Internet Information Server - would still have to pay Microsoft for either Win 2000 or for the PAC data format to support access to those resources from a non-Microsoft KDC.

"Microsoft is using its dominance in the application market to help create a monopoly in the server market," Hill says. He's happy Microsoft is using Kerberos because it improves security across the Internet, but "for anyone who runs a competing KDC, Microsoft has usurped the standard and is destroying interoperability."

Analysts say Microsoft is carrying out its unique view of integration.

"This Kerberos tactic is more subtle than usual, but this is the way they promote one technology with another," says Michael Gartenberg, an analyst with the Gartner Group.



