Tom Kemp's Centrify Blog

Microsoft and Kerberos

Friday, February 15, 2008

Back in October of 2007 I blogged about the launch of the Kerberos Consortium and how Centrify was a "Founding Sponsor" of the Kerberos Consortium, joining fellow sponsors and supporters such as industry vendors Google, Sun and Apple in supporting this important initiative. Since then a number of universities and US government agencies (e.g. NASA and the DOD) have joined the Consortium, but probably the biggest news of late is that Microsoft has also signed up as a Founding Sponsor and joined the Consortium's Executive Board.

For me this is significant for a number of reasons, namely:

(a) when you have industry giants such as Google, Sun, Apple and Microsoft (representing 95% of all desktops out there and probably over 60% of all servers) involved in this Consortium, there is now consensus that this is the forum to make things happen with respect to the future of Kerberos. As a founding sponsor of the Kerberos Consortium, Centrify is pleased to be able to get an up-close "pulse" on the direction of Kerberos, collaborate with these other large vendors regarding interoperability, and help contribute to the future of Kerberos. Centrify is the only vendor participating in the Kerberos Consortium that focuses on cross-platform (e.g. 110+ flavors of UNIX, Linux and Mac) authentication leveraging Kerberos.

(b) it shows Microsoft's continued and growing desire as of late to work with the open source community and industry consortiums around interoperability, as one of the goals of the Kerberos Consortium is to ensure interoperability and compatibility across vendors. [Side note: I am surprised that the folks at Port25 are not using this as another example of Microsoft's outreach efforts.]

So why does Microsoft even care about Kerberos? Because starting with Windows 2000, Microsoft bundled Kerberos as part of the Windows platform, with Active Directory domain controllers not only supporting LDAP but also playing the part of a Key Distribution Center (KDC). Microsoft implemented its own version of Kerberos but obviously leveraged the innovation that the inventors of Kerberos at MIT created and submitted to the IETF standards body. [For an overview of what Kerberos is, read the first section of my blog entry on the Future of Kerberos.]

Because Kerberos is turned on and utilized by default in the Windows platform, the Windows platform clearly represents a huge chunk of the systems actively running Kerberos, and Microsoft, to its credit, has probably done the most of any OS vendor to unlock the value of Kerberos (i.e. integrating Kerberos and LDAP into a distributed authentication infrastructure that is the foundation of Active Directory). As we all know, there are many out there who like to beat up Microsoft regarding security, but it is ironic that Microsoft by default delivers the added security of Kerberos as part and parcel of the Windows platform, while Kerberos is turned off by default in the *nix world.

This adoption of Kerberos by Microsoft led to a market opportunity for Centrify. One of the motivations behind our DirectControl solution is enabling the use of Kerberos in the non-Microsoft world, much as Microsoft has provided that capability by default in the Windows platform. We do it by integrating the Windows and non-Windows worlds together, with Kerberos acting as one of the key underlying technologies that enables that integration to occur (LDAP is another example). Centrify DirectControl supports strong Kerberos-enabled Active Directory authentication and single sign-on for over 110 operating system versions of Linux, UNIX and Mac OS X systems. Centrify DirectControl effectively turns a non-Microsoft server, workstation or device into an Active Directory client, enabling an organization to secure that system using the same authentication, access control and Group Policy services currently deployed for its Windows systems.

DirectControl also enables Kerberos-based authentication to the most popular J2EE and web application servers, including Apache, JBoss/Tomcat, BEA WebLogic and IBM WebSphere. In addition, databases such as Oracle and IBM DB2, as well as enterprise applications such as SAP, can take advantage of the Kerberos-based Active Directory integration provided by Centrify, leveraging the GSSAPI interface to provide end users with strong single sign-on authentication. Finally, as a convenience for customers, Centrify has a resource center offering precompiled binaries and documentation for a number of popular Open Source applications, such as OpenSSH, PuTTY and telnet, that have been Kerberos-enabled by Centrify to work seamlessly with Active Directory.

It is great to see that this three-headed dog is barking quite nicely with strong support from vendors such as Microsoft, Google, Apple and Sun as well as innovative up-and-coming vendors such as Centrify.
