Strong Auth Index Page | Presentation Outline

Your Responsibilities

General User On-site

Understand the broad outlines of Fermilab's Strong Authentication policy.
Request a Kerberos principal (an identifier for the realm, akin to a login name) and a Kerberos password.
  • Use online form at
  • Principals should match your FNAL email account.
  • New principals should be chosen to be eight or fewer characters. Please use only lowercase letters (and optionally any numbers 0 through 9). Do not include the characters @ ("at" sign), _ (underscore), / (forward slash) or . (period).
Request a CRYPTOCard if necessary, learn how to use it, and care for it properly.
Use same online form.
Change your initial Kerberos password to an acceptable one of your choosing within 30 days of receipt.
Choice of a trivial password constitues "blatant disregard of computer security"; see Fermilab Policy on Computing. Password guidelines are in manual section 3.1 Your Kerberos Password .
Choose something that's hard to guess but that you can remember, and please make an effort to remember it!!
Learn how to request your Kerberos ticket.
Learn how to use your Kerberos ticket without exposing it to theft.
And last but not least: Treat your Kerberos password as a sacred object!!
  • Do not tell anyone your Kerberos password.
  • Do not write it down anywhere that someone could find it.
  • Do not put it in a file (encrypted or not).
  • As a usual practice, type it only at the console of a system on which you authenticate.
  • Only on very rare occasions when you have no other choice may you pass it over an ENCRYPTED network connection. Verify that ALL connections in the chain are encrypted.
  • Do not use the same character string as your Kerberos password for any other password or any other object. (The one exception: Fermilab W2K domain password; see section 2.3 Kerberos Passwords of the Windows 2000 at Fermilab guide .)
  • If you mistakenly type your Kerberos password over an unencrypted channel, change it immediately!

System Administrator


To realize the full security benefits of Kerberos, we are asking users to do their best, and act in good faith to comply with the policies and guidelines for computer use.

Strong Auth Index Page

Last modified by AH on 8/19/05