In the previous chapters, we focused mostly on the design and implementation of a homogeneous Kerberos network. However, the true allure of moving to a Kerberos-based authentication scheme network-wide is to enable centralized authentication and, more importantly, single sign-on across all platforms. Cross-platform single sign-on is considered to be the panacea of network authentication, and even with Kerberos it can be very difficult to achieve because of the wide variation between Kerberos implementations. The end objective is for users to have only one set of credentials, a username/password pair, that will enable them to access all network resources regardless of the platforms those services reside on.
These interoperability scenarios are also addressed in a Microsoft document, the Step-by-Step Guide to Kerberos 5 Interoperability, available at http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp.
Using a Windows domain controller as a KDC for non-Microsoft platforms is trivial to set up; as long as the users have DES keys enabled in Active Directory, they will be able to kinit to the Windows domain controller without a problem. The only difference is in administration; you’ll be using MMC to create and modify Kerberos users in this case. Since Microsoft does not implement a kadmin interface similar to MIT or Heimdal’s, creating keytabs for Unix services when ...
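As an added example that is not from the book, here is the client side of the arrangement just described, assuming MIT Kerberos on the Unix host and the placeholder names EXAMPLE.COM and dc1.example.com: a shell function that writes a krb5.conf pointing the realm at the domain controller (with no admin_server entry, since the DC has no kadmin), and a check that reads `klist -e` output and counts how many tickets came back keyed with DES, so you can see when the DC is actually using those DES keys.

```shell
#!/bin/sh
# Added example, not from the book. Placeholders: realm EXAMPLE.COM,
# domain controller dc1.example.com. Assumes MIT-style krb5.conf syntax.

# Emit a minimal krb5.conf that points a Unix client at a Windows domain
# controller acting as the KDC. The DNS domain is assumed to be the realm
# name in lower case; no admin_server line, as the DC offers no kadmin.
write_krb5_conf() {
    realm="$1"
    kdc="$2"
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Read `klist -e` output on stdin and print how many tickets carry a DES
# session or ticket key (matches both "DES cbc mode ..." and "des-cbc-...").
count_des_tickets() {
    awk 'tolower($0) ~ /etype/ && tolower($0) ~ /des[ -]cbc/ { n++ }
         END { print n + 0 }'
}

# Constructed sample of `klist -e` output for offline use (not real data).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
08/29/03 09:00:00  08/29/03 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
08/29/03 09:01:00  08/29/03 19:00:00  host/unix1.example.com@EXAMPLE.COM
	Etype (skey, tkt): des-cbc-md5, des-cbc-md5
08/29/03 09:02:00  08/29/03 19:00:00  ldap/dc1.example.com@EXAMPLE.COM
	Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# On a real host (needs network access to the DC):
#   write_krb5_conf EXAMPLE.COM dc1.example.com > /etc/krb5.conf
#   kinit alice@EXAMPLE.COM && klist -e | count_des_tickets
```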