Specifications

Chapter 3 Open Directory Authentication 45
• You needed a suite of Kerberized applications (server and client software). Some of
  the basics were available but porting them and adapting them to work with your
  environment was difficult.
• Not all network protocols used for client-server authentication are Kerberos-enabled.
  Some network protocols still require traditional challenge-response authentication
  methods and there is no standard way to integrate Kerberos with these legacy
  network authentication methods.
• The Kerberos client supports failover, so if one KDC is offline it can use a replica, but the
  administrator had to figure out how to set up a Kerberos replica.
• Administration tools were never integrated. Tools for creating and editing user
  accounts in the directory domain didn't know anything about Kerberos, and the
  Kerberos tools knew nothing about user accounts in directories. Setting up a user
  record was a site-specific operation based on how the KDC was integrated with the
  directory system.
Single Sign-On Experience
Kerberos is a credential or ticket-based system. The user logs in once to the Kerberos
system and is issued a ticket with a life span. During the life span of this ticket the user
doesn’t need to authenticate again to access a Kerberized service.
The user’s Kerberized client software, such as the Mac OS X Mail application, presents
a valid Kerberos ticket to authenticate the user for a Kerberized service. This provides a
single sign-on experience.
A Kerberos ticket is like a press pass to a jazz festival held at multiple nightclubs
over a three-day weekend. You prove your identity once to get the pass. Until the
pass expires, you can show it at any nightclub to get a ticket for a performance. All
participating nightclubs accept your pass without seeing your proof of identity again.
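The ticket flow described above, as an added example that is not part of the original guide: a toy KDC with an Authentication Service (the single login) and a Ticket Granting Service, a Kerberized service that checks only the ticket, and a client whose password never crosses the network. It is a simplification: tickets are sealed with an HMAC shared between the KDC and the service instead of being encrypted, key derivation is a plain SHA-256 of the password rather than the Kerberos string-to-key function, there is no replay cache, and the principal names, lifetimes and credentials are constructed for the demonstration.

```python
"""Toy model of Kerberos single sign-on: prove identity once, reuse the ticket until expiry.

Simplified relative to real Kerberos: tickets are HMAC-sealed rather than encrypted,
and the authenticator has no replay cache. Names and lifetimes are constructed.
"""
import hashlib
import hmac
import json
import secrets

TGT_LIFETIME = 8 * 3600          # seconds; assumed value for the demonstration
SERVICE_TICKET_LIFETIME = 3600   # assumed value


def password_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function; the key stays on the client.
    return hashlib.sha256(password.encode()).digest()


def authenticator(key: bytes, now: int) -> str:
    # Proof of key possession bound to a timestamp, as in Kerberos pre-authentication
    # and per-request authenticators. The key itself is never transmitted.
    return hmac.new(key, str(now).encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, fields: dict) -> dict:
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: dict, now: int):
    """Return the ticket fields if the seal is intact and the ticket has not expired."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None
    fields = json.loads(ticket["body"])
    return fields if now < fields["expires"] else None


class KDC:
    def __init__(self):
        self.user_keys = {}
        self.service_keys = {}
        self.tgs_key = secrets.token_bytes(32)

    def register_user(self, name: str, password: str) -> None:
        self.user_keys[name] = password_key(password)

    def register_service(self, name: str) -> bytes:
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]

    def as_exchange(self, user: str, preauth: str, now: int):
        """Authentication Service: the one login. Returns (session key, TGT) or None."""
        key = self.user_keys.get(user)
        if key is None or not hmac.compare_digest(preauth, authenticator(key, now)):
            return None
        session = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"user": user, "session": session.hex(),
                                  "expires": now + TGT_LIFETIME})
        return session, tgt

    def tgs_exchange(self, tgt: dict, auth: str, service: str, now: int):
        """Ticket Granting Service: trade a valid TGT for a service ticket, no password needed."""
        fields = unseal(self.tgs_key, tgt, now)
        if fields is None or not hmac.compare_digest(
                auth, authenticator(bytes.fromhex(fields["session"]), now)):
            return None
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.service_keys[service], {
            "user": fields["user"], "service": service, "session": svc_session.hex(),
            "expires": min(fields["expires"], now + SERVICE_TICKET_LIFETIME)})
        return svc_session, ticket


def service_accepts(service_key: bytes, ticket: dict, auth: str, now: int):
    """A Kerberized service validates the ticket; it never sees the user's password."""
    fields = unseal(service_key, ticket, now)
    if fields is None or not hmac.compare_digest(
            auth, authenticator(bytes.fromhex(fields["session"]), now)):
        return None
    return fields["user"]


def demo() -> dict:
    kdc = KDC()
    kdc.register_user("anne", "correct horse battery staple")   # constructed credentials
    mail_key = kdc.register_service("imap/mail.example.com")     # hypothetical service principal
    t0 = 1_700_000_000
    client_key = password_key("correct horse battery staple")    # derived locally at login

    wrong = kdc.as_exchange("anne", authenticator(password_key("guess"), t0), t0)
    session, tgt = kdc.as_exchange("anne", authenticator(client_key, t0), t0)
    del client_key   # the password-derived key is not needed again while the TGT lives

    svc = "imap/mail.example.com"
    svc_session, svc_ticket = kdc.tgs_exchange(tgt, authenticator(session, t0 + 60), svc, t0 + 60)
    tampered = {"body": svc_ticket["body"].replace('"anne"', '"mallory"'), "tag": svc_ticket["tag"]}

    return {
        "wrong_password": wrong,
        "first_connection": service_accepts(mail_key, svc_ticket, authenticator(svc_session, t0 + 120), t0 + 120),
        "later_connection": service_accepts(mail_key, svc_ticket, authenticator(svc_session, t0 + 1800), t0 + 1800),
        "after_expiry": service_accepts(mail_key, svc_ticket, authenticator(svc_session, t0 + 5000), t0 + 5000),
        "tampered": service_accepts(mail_key, tampered, authenticator(svc_session, t0 + 120), t0 + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the properties the text describes: a wrong password is refused at the single login, the same service ticket is accepted on repeated connections without the password being re-entered, the service refuses the ticket once its lifetime has passed, and a ticket whose contents were altered fails the seal check.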
Secure Authentication
The Internet is inherently insecure, yet few authentication protocols provide real
security. Malicious hackers can use readily available software tools to intercept
passwords being sent over a network.
Many applications send passwords unencrypted, and these are ready to use as soon as
they're intercepted. Even encrypted passwords are not completely safe. Given enough
time and computing power, encrypted passwords can be cracked.
To isolate passwords on your private network you can use a firewall, but this does
not solve all problems. For example, a firewall does not provide security against
disgruntled or malicious insiders.