Published: October 4, 2005
DirectControl integrates Unix systems into Active Directory to enable centralized management of user authentication and authorization. Most users will have already authenticated to their Windows workstation and need to access the Unix system remotely over the Enterprise network. One of the benefits of using Active Directory and DirectControl is the ability to leverage the built-in Kerberos infrastructure to securely authenticate a user from one computer to the next as they need to access resources without requiring the user to re-submit authentication credentials.
Host Explorer from Hummingbird provides support for Kerberos security through the addition of Hummingbird Connectivity Secure Shell, which provides the Kerberos support to enable Windows users to use Host Explorer to seamlessly and securely access remote Unix systems that have been integrated into Active Directory with DirectControl and that are running Kerberized telnet servers. The following instructions will guide you through configuring and connecting to a Unix computer using Host Explorer from a Windows computer.
DirectControl needs to be installed and joined into an Active Directory Domain on the Unix computer that you will be connecting to. Additionally, you need to ensure that you have a kerberized telnet server running on the Unix system.
Centrify has made a Kerberos Tools package available that includes a kerberized telnet daemon which is linked with the DirectControl Kerberos environment to properly authenticate Active Directory users. Please see the Centrify Resource Center for more information on installing the Kerberos Tools.
Hummingbird Host Explorer 10 can be configured to support kerberized connections from Windows to other computers which are properly configured to accept Kerberized telnet connections. You will need to install Hummingbird Secure Shell or Connectivity Kerberos in order to enable Host Explorer to establish secured connections seamlessly to Unix hosts integrated with Active Directory through DirectControl.
The Hummingbird Kerberos solution does need to be configured properly in order to work with the Active Directory Kerberos infrastructure that DirectControl leverages for seamless and secured user authentication. The following steps are required to enable the usage of Kerberos for single sign-on.
The Windows XP workstation first needs to be configured to allow session keys to be sent in the Kerberos ticket-granting ticket.
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
Hummingbird is now configured properly to support Active Directory Kerberos ticket to automate the user's login to the Unix computer running DirectControl. Next, we simply need to start a kerberized telnet session to the host.
The following instructions will show the options to select for a Kerberized telnet connection to a Unix host.
DirectControl provides a fully configured and automatically maintained MIT Kerberos client environment that is integrated with Active Directory to enable applications such as Host Explorer to securely authenticate the user based on the user's initial login and the mutual trust relationship that both the user and the computers share through the Active Directory domain controller infrastructure.
For more information on configuring and installing the Kerberos Tools, see Using the DirectControl Kerberos Tools