Kerberos Interoperability Testing Workshop hosted by Microsoft

  • Article

A few weeks ago Microsoft’s Kerberos team participated in the Kerberos Interop Workshop organized by the MIT Kerberos Consortium, being hosted here at the Microsoft campus here in Redmond. I had a chance to spend some time with the Microsoft folks (Michiko Short, Jeremy Viegas, Larry Zhu and Yi Zeng from the Microsoft’s Kerberos team) who participated in the event to discuss what happened. We thought it would be interesting to share a quick summary.

This sort of interoperability workshop is an effort to gather developers together in a single location, to actually plug them into a network environment together and help each other work through the interoperability challenges associated with their current development efforts. In attendance were representatives from Cornell University, Centrify, Microsoft, MIT, Safe Mashups, and Sun Microsystems.

A bit of background…

For those of you that aren’t familiar with Kerberos, it is a network authentication protocol developed by MIT as part of a joint project with Digital Equipment Corporation and IBM designed to produce a campus wide distributed computing environment in 1983. Kerberos provides a mutual authentication system, and a high level of encryption, both designed to ensure network and data security. Kerberos was accepted by the Internet Engineering Task Force (IETF) as a standard in 1993. Since its creation Kerberos has become the most widely deployed system for authentication and authorization in modern computing networks.

In September of 2007, MIT founded the MIT Kerberos Consortium to help establish Kerberos as the universal authentication platform for the world’s computer networks and many organizations joined since then (full list here). The consortium hopes that by opening up ongoing development of Kerberos to other interested parties, it will be possible to expand the scope of work being performed, enhance the evolution of Kerberos, and to help engage potential adopters.
The MIT Kerberos has also a group on Facebook.
KerberosOnFacebook

Microsoft’s collaborative efforts regarding MIT and the Kerberos Consortium are nothing new. Microsoft was one of the original sponsors, and is represented on the board of directors by Microsoft’s Director of Development Slava Kavsan. To help standardize the testing processes for Kerberos developers, Microsoft contributed the GSS Monger interoperability testing framework to the consortium. It is now available on Codeplex using MS_PL, as an ongoing open source project.
gssmonger

You may not know, but Microsoft has been using Kerberos as the default authentication package since Windows 2000. You may actually be using Kerberos authentication today in your solutions without even realizing it since it is part of negotiated authentication.

Back to the interoperability plug fest…

How does an interoperability plug fest like this work? Each participant prepares a desired test plan based on their own current projects and challenges, but beyond that the lab is very ad-hoc. All of the participants bring systems with their code/applications to the event; then everybody hooks up to the network and starts testing out scenarios against each other’s applications using MIT realms or Microsoft domains. This collaborative environment allows participants with different implementations of the same standard to test their interoperability in a real world environment, helping to identify and solve the road blocks that might otherwise cause them problems.

One of the scenarios for the plug fest consisted of MIT & Microsoft collaborating on testing efforts for their next release. MIT has developed an implementation of a new Kerberos RFC (jointly defined by MS/MIT, and the IETF standards body). Since it was the first implementation there were no other implementations to be tested against. So, the Microsoft team developed a second implementation for the event for validation/comparison/interoperability testing.

Cornell University came prepared with two scenarios to investigate. The network environment that both scenarios operate under consists of a mixed MIT realm with an Active Directory domain. This results in certain complications when it comes to integrating a Single Sign-on solution. The first of their scenarios was built around integrating CUWebAuth, the open source, Kerberos based, web authentication application they have built, with key IIS services that are connected to a central Active Directory. This integrates single sign-on for Microsoft applications such as Outlook Web Access with other campus web services that require a login. The second of their scenarios centered on integrating WebDav with the Kerberos based login across their network. Complicating matters, the systems used across this network are very diverse and heterogeneous, including desktops running Windows, Linux, and Mac. The Cornell University team has had trouble implementing Kerberos with WebDav on Windows machines that are not part of a domain. Initially, they were uncertain that support for the desired functionality was even possible for Windows based systems. The Microsoft developers attending the plug-fest were able to provide the necessary insights regarding how the problem could be solved on Windows Vista and higher machines.

Peter Bosanko of Cornell University had this to say about the event:

“At the KC Interop we worked side by side with an impressive group of Kerberos experts from MIT and Microsoft. This was extremely fortunate for us because our interoperability issues were all about tying together Microsoft systems with an MIT KDC. By the end of our first day we had already accomplished more than we expected to accomplish over the three day Interop.”

 

What’s in it for Microsoft and other participants?

Interoperability is a key pillar for the Kerberos team. Knowing that many customers are going to have a heterogeneous environment, ensuring that Microsoft’s implementation of Kerberos works with other implementations is considered a key to success. By getting all the people together at events like this gives developers an opportunity to really dig into how we work together in an efficient way, solving problems in real time. Also it allows us to see how our applications interoperate with all sorts of other systems and applications that we normally don’t get the opportunity to see. Finally, it allows us to help explore, expand on, and develop standards while learning from a diverse group of experts.

We were delighted to see the turnout for this event, and wanted to extend a thank you to the MIT Kerberos Consortium for putting this together, and to the Kerberos team here at Microsoft for sharing it with us. With any luck the collaborative efforts of the participants will enable the ongoing development work on the various Kerberos implementations to proceed unhindered.

 

 

Jean-Christophe Cimetiere - Sr. Technical Evangelist