What's Microsoft's big secret about Kerberos?
by John McCormick
My first Patch Panel column was written just as Microsoft Windows 2000 was released. I had been testing Release Candidate 2 and had just enough time to install the shipping version of Win 2000 Professional. A few weeks later, it was reported that Microsoft Corp. had left out some important information about the Kerberos security tool it had pre-announced and that I had described in my column.
I know of no workaround for this problem that wouldn't violate Microsoft's claim
to intellectual property rights.
Kerberos is a widely used standard, and many systems administrators were anticipating using it as an easier way to integrate Windows users with others in enterprise-scale virtual private networks.
But it appears Microsoft quietly decided to alter the way Win 2000 implements Kerberos so that its version works with only Win 2000, not with any of the Massachusetts Institute of Technology Kerberos-compliant systems out there.
I would like to share more details of Microsoft's explanation, which are available at www.microsoft.com/technet/security/kerberos/default.asp
, but Microsoft has made this file a nondisclosure agreement (NDA) document. And because the company has challenged at least one Web site'www.slashdot.com
'that posted information from the document, I'll leave the explanation for the reader to discover.
But, because of the NDA clause, I haven't read past the legal preface to this document. My information comes from other sources, so I can share it.
Kerberos is an Internet Engineering Task Force standard for user authentication. It operates by issuing tickets that let users access system services.
What Microsoft has done is to use a proprietary privilege access certificate (PAC) in its Win 2000 Kerberos tickets, which means they won't work with any other Kerberos implementation, even though they are technically using the standard Kerberos Version 5 specification.
In the auth-data field portion of a Kerberos ticket, Microsoft has placed a secure ID that makes tickets valid only for Windows access control lists.
Other Kerberos implementations also put user identification data in the auth-data field, but most software makers disclose the data format. Microsoft hasn't made its data format publicly available except under the NDA.
I know of no workaround for this problem that wouldn't violate Microsoft's claim to intellectual property rights.
If you don't license the PAC from Microsoft and live with whatever restrictions the company puts on the license, then how do you integrate Win 2000 with existing Unix networks? If you do license the proprietary PAC from Microsoft, then just how open is the Kerberos standard?
Although it once appeared that Microsoft was opening up Windows networks to other systems, it now looks as if the company, with a few minor tweaks of widespread standards, could be taking the same approach to the enterprise network world it has taken in the desktop PC world.
Of course, this may all be a misunderstanding that will blow over in a few days.
But, without agreeing to that NDA, I can't be certain what Microsoft's position is and, of course, if I did agree, then I couldn't say anything here anyway.
Just a guess off the top of my head: Microsoft has gone one better than getting the camel's nose into the Unix tent'it snuck in a three-headed dog instead.
Only time will tell.John McCormick, a computer consultant and free-lance writer, has been working with computers since the early 1960s. E-mail him at firstname.lastname@example.org.