Application Note

Using Hummingbird Host Explorer with DirectControl

Published: October 4, 2005

DirectControl integrates Unix systems into Active Directory to enable centralized management of user authentication and authorization. Most users will have already authenticated to their Windows workstation and need to access the Unix system remotely over the Enterprise network. One of the benefits of using Active Directory and DirectControl is the ability to leverage the built-in Kerberos infrastructure to securely authenticate a user from one computer to the next as they need to access resources without requiring the user to re-submit authentication credentials.

Host Explorer from Hummingbird supports Kerberos security through the addition of Hummingbird Connectivity Secure Shell. With it, Windows users can use Host Explorer to seamlessly and securely access remote Unix systems that have been integrated into Active Directory with DirectControl and that are running Kerberized telnet servers. The following instructions will guide you through configuring and connecting to a Unix computer using Host Explorer from a Windows computer.


Unix Computer Requirements

DirectControl needs to be installed and joined into an Active Directory Domain on the Unix computer that you will be connecting to. Additionally, you need to ensure that you have a kerberized telnet server running on the Unix system.

Centrify has made a Kerberos Tools package available that includes a kerberized telnet daemon which is linked with the DirectControl Kerberos environment to properly authenticate Active Directory users. Please see the Centrify Resource Center for more information on installing the Kerberos Tools.


Hummingbird Host Explorer 10 Configuration

Hummingbird Host Explorer 10 can be configured to support kerberized connections from Windows to other computers which are properly configured to accept Kerberized telnet connections. You will need to install Hummingbird Secure Shell or Connectivity Kerberos in order to enable Host Explorer to establish secured connections seamlessly to Unix hosts integrated with Active Directory through DirectControl.

The Hummingbird Kerberos solution does need to be configured properly in order to work with the Active Directory Kerberos infrastructure that DirectControl leverages for seamless and secured user authentication. The following steps are required to enable the usage of Kerberos for single sign-on.

The Windows XP workstation first needs to be configured to allow session keys to be sent in the Kerberos ticket-granting ticket.

  • To do this, the local administrator needs to edit the registry of the Windows computer and open the following key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  • Add a new DWORD Value as follows:

    Name: AllowTGTSessionKey
    Value: 1

  • You will need to reboot the workstation before proceeding.
  • Next, remove the default encryption types defined in the Hummingbird krb5.ini file found in the directory c:\Documents and Settings\All Users\Application Data\Hummingbird\Connectivity\10.00\Security\Kerberos. Remove the following 2 lines under libdefaults:

    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

  • Finally, you need to configure the Connectivity Kerberos application found in the Security folder under the Hummingbird Connectivity 10 Start Menu item. From the menu select Options, then Kerberos Properties.
  • Click the Realm/Server Mapping tab.
  • Make sure there is a check in the box next to Use DNS KDC Lookup.
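
The registry and krb5.ini steps above, scripted in PowerShell as an added example (not part of the original note and not Hummingbird or Centrify tooling). It uses only the key, value name, file path and two lines named in the steps; the function name Remove-DesDefaults is made up here, and the Use DNS KDC Lookup option is still set in the GUI.

```powershell
# Added example. Run from an elevated prompt on the Windows workstation.
# Key, value name, file path and the two enctype lines come from the steps above.
$regPath = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$krb5Ini = 'C:\Documents and Settings\All Users\Application Data\Hummingbird\Connectivity\10.00\Security\Kerberos\krb5.ini'

# Step 1: set AllowTGTSessionKey = 1 (DWORD), only if it is not already set.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
$current = (Get-ItemProperty -Path $regPath -Name AllowTGTSessionKey -ErrorAction SilentlyContinue).AllowTGTSessionKey
if ($current -ne 1) {
    New-ItemProperty -Path $regPath -Name AllowTGTSessionKey -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'AllowTGTSessionKey set to 1; reboot before continuing.'
}

# Step 2: drop the two DES defaults, but only inside the libdefaults section,
# so identically named settings elsewhere in the file are left alone.
function Remove-DesDefaults {   # hypothetical helper name
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        # Track which [section] the current line belongs to.
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1].ToLower() }
        $isDesDefault = $section -eq 'libdefaults' -and
            $line -match '^\s*default_(tgs|tkt)_enctypes\s*=\s*des-cbc-crc\s*$'
        if (-not $isDesDefault) { $line }
    }
}

if (Test-Path $krb5Ini) {
    $original = @(Get-Content -Path $krb5Ini)
    $cleaned  = @(Remove-DesDefaults -Lines $original)
    if ($cleaned.Count -ne $original.Count) {
        Copy-Item -Path $krb5Ini -Destination "$krb5Ini.bak" -Force   # rollback copy
        Set-Content -Path $krb5Ini -Value $cleaned
        Write-Output "Removed $($original.Count - $cleaned.Count) DES enctype line(s)."
    } else {
        Write-Output 'No des-cbc-crc defaults found under libdefaults; file unchanged.'
    }
} else {
    Write-Output "krb5.ini not found at $krb5Ini"
}
```

Running it a second time changes nothing, which makes it usable as a check that a workstation already matches the steps.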

Hummingbird is now configured to use Active Directory Kerberos tickets to automate the user's login to the Unix computer running DirectControl. Next, start a kerberized telnet session to the host.


Connecting to a Remote System

The following instructions will show the options to select for a Kerberized telnet connection to a Unix host.

  • Launch the VT client from the HostExplorer folder in the Hummingbird Connectivity 10 start menu, then right-click in the Open Session dialog to create a New Profile and give it a name such as Kerberized Telnet. Be sure to select the Profile Type of VT Display and Connect By: Telnet, then type in the name of the remote computer you will be connecting to.
  • Next, click the Properties button and, in the General tab of the Security settings, set the authentication type for this profile to Kerberos.
  • Click the Kerberos tab within the Security folder and configure Hummingbird to use your Windows tickets for authentication by checking the Import Windows Tickets checkbox as well as the Forwarding checkbox. When you are finished, click OK to complete the creation of your new connection profile.
  • You are now ready to connect using your Active Directory Kerberos tickets. Select your newly created profile and click the Connect button.
  • You should be automatically logged into your Unix computer using your Unix enabled Active Directory account.


For More Information

DirectControl provides a fully configured and automatically maintained MIT Kerberos client environment that is integrated with Active Directory to enable applications such as Host Explorer to securely authenticate the user based on the user's initial login and the mutual trust relationship that both the user and the computers share through the Active Directory domain controller infrastructure.

For more information on configuring and installing the Kerberos Tools, see Using the DirectControl Kerberos Tools.
