Computing Division at Fermilab

Strong Authentication at Fermilab

Chapter Contents

Chapter 19: Installing and Configuring WRQ® Reflection on a Windows System
  19.1 Getting Ready
  19.2 Automated Installation of WRQ® Reflection v10.0.0
  19.3 Time Synchronization
    19.3.1 WRQ® Reflection 10.0.0
    19.3.2 WRQ® Reflection 8.0.0
  19.4 Configuring WRQ® Reflection Kerberos Manager v9.0.0
  19.5 Configuring WRQ® Reflection X
  19.6 Configuring WRQ® Reflection OpenSSH Connections
    19.6.1 For Kerberized Host
    19.6.2 For nonKerberized Host
    19.6.3 Create a Template Configuration
  19.7 Configuring WRQ® Reflection telnet Connections
    19.7.1 For Kerberized Host
    19.7.2 For nonKerberized Host
    19.7.3 Create a Template Configuration
    19.7.4 Connect to Host with X Application Startup
  19.8 Configuring WRQ® Reflection FTP Connections
    19.8.1 Create a Profile for FTP to Kerberized Host
    19.8.2 Connect to nonKerberized Host
    19.8.3 Edit an FTP Setup


Chapter 19: Installing and Configuring WRQ® Reflection on a Windows System


In this chapter we describe how to install and configure the WRQ® Reflection software on your Windows system (Windows 2000, NT4, XP [1]) in order to authenticate to Kerberos from your Windows desktop, access Kerberized machines, and optionally encrypt your data transmissions. This has been updated for WRQ® Reflection v10.0.0.

19.1 Getting Ready

First, verify that you have administrator privileges on the PC. Next, you need to obtain a Kerberos principal and initial password for the FNAL.GOV realm. See section 3.1 Your Kerberos Principal.

For PCs running Windows 2000 (also called W2k), XP, NT4, 95 or 98, you need to install two WRQ® Reflection software products: Reflection Kerberos Manager, which runs the Kerberos Manager on your PC, and Reflection X, which is a terminal emulation package similar to Hummingbird eXceed but with Kerberos authentication added.

Notes:

Subscribe to the wrq-users@fnal.gov mailing list to receive announcements about this product, to benefit from other users' experiences and to share your own, or to ask questions.

19.2 Automated Installation of WRQ® Reflection v10.0.0

A script is available that performs an automated installation of both portions of the WRQ® Reflection software: Reflection X, and Reflection Security Components. It has been successfully tested on NT4, XP and Win 2000. It may work on Windows ME, 98 and 95 as well, but has not been tested.

The WRQ® Reflection v10.0.0 installation script is located at \\PCKits\WRQ\Reflection_10.0.0\Install_WRQ.bat.

Read the README.txt file; we reproduce it here:

Instructions to install WRQ Reflection X and Security Components using 
the automated script. 
 
This script has been tested on Windows 2000, and Windows XP.  
W2K - you may upgrade 
XP - you need to deinstall your existing version and reinstall 10.0.0. 
 
1) Ensure that one of the following two conditions exists: 
   a) the \\pckits\WRQ area is mapped to a drive letter (even if this area 
      appears in your network listing, the installation will only work 
      if the area is MAPPED TO A DRIVE LETTER) 
or 
   b) the Automated_Install directory is copied to a local drive. 
 
2) To launch the install, double click on Install_WRQ.bat and follow 
   the prompts in the Command Prompt window that opens. 
 
3) Note that if your program files folder is not "C:\Program Files" 
   the automated install will stop after installing the Reflection X 
   product and give you instructions on how to install and configure 
   the Security Components. 

Run the Install_WRQ.bat file by double-clicking on it. You will need to respond to a series of questions, reproduced here. Answer each with a "y" for "yes", as shown. A series of windows will appear and provide status information.

This will install WRQ Reflection 10.0 with Security Components 10.0 
Do you want to continue [Y,N]?y 
Installing WRQ Reflection 
Wait for the installation window to disappear, then 
Press any key to continue ... 
Installing WRQ Security Components. 
Wait for the installation window to disappear, then 
Press any key to continue ... 
Do you wish to install the default FNAL realms[Y,N]?y 
Writing the realm defaults into the Registry 
Do you wish to update your services file[Y,N]?y 
Install of Reflection X and Security Components has completed. 
ECHO is off. 
Please reboot! 
Press any key to continue ... 

Reboot as instructed. The Reflection products will appear in your Start menu under Programs. The Kerberos Manager configuration should reflect the FNAL production realm when done.

19.3 Time Synchronization

Kerberos requires that each machine's clock agree with the Kerberos servers' clocks to within five minutes, so each machine must keep correct time for its local time zone. Version 10.0.0 of the WRQ® Reflection software includes time sync software (versions 9.0.0 and 7.0.2 also did; version 8.0.0 did not).

19.3.1 WRQ® Reflection 10.0.0

19.3.2 WRQ® Reflection 8.0.0

Windows 2000 Host

If you first want to see what your Time service is set to on your Win2K machine, pull up the command prompt, and query the setting by issuing:

% net time /querysntp 

To synchronize the time, issue the following command:

% net time /setsntp:131.225.xx.200 

where 131.225.xx.200 is the IP address of your network gateway at Fermilab. Stop and restart the network time service by running:

% net stop "windows time" 
% net start "windows time" 

Windows NT Host

To synchronize the time on an NT machine, we recommend the Microsoft utility TIMESERV. This is part of the Windows NT Resource Kit and is called Timeserv.exe. The servers are configured to look at the gateway given in the IP request.
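The `net time /setsntp` command above points the Windows Time service at an SNTP server, and the five-minute limit is Kerberos's default tolerance for the difference between a client's timestamps and the KDC's clock. The following Python example is added here to show what that sync actually measures; it is not code from the Fermilab page or from WRQ. It builds a constructed 48-byte SNTP server reply (RFC 4330 layout), computes the local clock offset from the four timestamps the way an SNTP client does, and checks the result against the 300-second Kerberos window. All function names, the sample times and the 120-second skew scenario are assumptions made for the demonstration.

```python
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
# Kerberos rejects requests whose timestamps differ from the KDC's clock by
# more than this: the five-minute limit the chapter refers to.
KERBEROS_MAX_SKEW_SECONDS = 300

# Wire layout of an SNTP/NTP packet (RFC 4330): four header bytes, root delay,
# root dispersion, reference id, then four 64-bit timestamps (seconds,
# fraction) for reference, originate, receive and transmit.
_NTP_FORMAT = ">BBBbIIIIIIIIIII"
NTP_PACKET_SIZE = struct.calcsize(_NTP_FORMAT)  # 48


def unix_to_ntp(t):
    """Split a Unix time (float seconds) into NTP (seconds, fraction) fields."""
    secs = int(t)
    frac = int(round((t - secs) * 2**32)) & 0xFFFFFFFF
    return secs + NTP_UNIX_DELTA, frac


def ntp_to_unix(secs, frac):
    """Inverse of unix_to_ntp."""
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_server_reply(originate, receive, transmit, stratum=2):
    """Construct the reply an SNTP server would send (constructed sample data
    so the example runs offline; no network server is contacted)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # no leap warning, NTPv4, mode 4 = server
    fields = [li_vn_mode, stratum, 6, -20, 0, 0, 0]
    fields += unix_to_ntp(receive - 1.0)  # reference timestamp: server's last sync
    fields += unix_to_ntp(originate)      # t1 as echoed back by the server
    fields += unix_to_ntp(receive)        # t2: server received the request
    fields += unix_to_ntp(transmit)       # t3: server sent the reply
    return struct.pack(_NTP_FORMAT, *fields)


def clock_offset_from_reply(reply, t1, t4):
    """Local clock offset from an SNTP reply, per RFC 4330:
    offset = ((t2 - t1) + (t3 - t4)) / 2, where t1/t4 are the client's own
    transmit and receive times and t2/t3 are the server's receive/transmit
    times carried in the packet. Negative means the local clock is ahead."""
    if len(reply) < NTP_PACKET_SIZE:
        raise ValueError("short SNTP packet")
    fields = struct.unpack(_NTP_FORMAT, reply[:NTP_PACKET_SIZE])
    mode = fields[0] & 0x7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if fields[1] == 0:  # stratum 0 is a kiss-o'-death, not usable time
        raise ValueError("kiss-o'-death reply, server refuses service")
    t2 = ntp_to_unix(fields[11], fields[12])
    t3 = ntp_to_unix(fields[13], fields[14])
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset_seconds):
    """True when the local clock is close enough to the time source for
    Kerberos (assuming the time source itself tracks the KDC's clock)."""
    return abs(offset_seconds) <= KERBEROS_MAX_SKEW_SECONDS


def demo():
    """Constructed scenario: a PC whose clock runs 120 s fast queries a server.
    Server-side times are true time; client-side times are the PC's clock."""
    base = 1040123456.0        # arbitrary Unix time (constructed)
    skew = 120.0               # the PC clock is this far ahead of true time
    t1 = base + skew           # PC stamps its request with its own clock
    t2 = base + 0.05           # server receives it (true time, 50 ms later)
    t3 = base + 0.06           # server sends the reply
    t4 = base + 0.11 + skew    # PC receives the reply, again by its own clock
    reply = build_server_reply(t1, t2, t3)
    offset = clock_offset_from_reply(reply, t1, t4)
    return offset, within_kerberos_skew(offset)


if __name__ == "__main__":
    off, ok = demo()
    print("clock offset %.3f s, within Kerberos tolerance: %s" % (off, ok))
```

The offset is within tolerance in this scenario, so Kerberos would still accept the PC's requests; the point of running the sync anyway is that a clock which drifts past the window fails authentication with an error that does not obviously say "check your clock", which is why section 19.4 sends you back here when authentication fails.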

19.4 Configuring WRQ® Reflection Kerberos Manager v9.0.0

This section has purposely not been updated for v10.0.0; we encourage you to use the automated install, in which case you don't need to configure the software manually.

In this section we assume you've just installed WRQ® for the first time via the automated install script. Most of the configuration is done for you. Your software should recognize the FNAL.GOV realm, and your principal should be set up.

  1. Navigate to Start > Programs > Reflection > Utilities > Kerberos Manager to open the Reflection Kerberos Manager application. Pull down the Configuration > Configure Realms... menu, make sure the Configuration tab is selected. Highlight the FNAL.GOV realm and click the User Defaults tab.
  2. On the User Defaults screen, the default realm should show FNAL.GOV. Set the default ticket lifetime to 23 hours (or less) [2]. Click OK.
  3. Your default principal profile, <your_principal_name>@FNAL.GOV, should be created and configured properly by the automated install. If you wish to store your Kerberos credentials in memory rather than in a file [3], you'll have to create a new principal profile. To do so, continue with the next step. To use the existing profile, skip to step 7.
  4. To create a new profile, on the Reflection Kerberos Manager window, select Credentials > New principal profile.... On the Enter Principal screen, check that your principal name is correct and that the Realm shows FNAL.GOV; they should be filled in by default. Click OK.
  5. On the Create New Principal screen, you can leave the Credentials storage name as given. For Storage Media, you can accept the File default, or you can choose Memory for higher security. Click Create. Your newly created profile is automatically set as the default profile (notice the blue check next to it).
  6. Remove your original profile. First make sure it is no longer set as the default profile. (Select the new one and click Set As Default Profile if necessary.) Select your original profile and click Credentials > Remove Principal Profile. Click Yes at the confirmation prompt.
  7. To go ahead and authenticate, click Credentials > Authenticate... and enter your Kerberos password when prompted. You should see a ticket-granting ticket krbtgt/FNAL.GOV@FNAL.GOV. If you receive an error message instead, check that the above steps were followed correctly and that you typed the right password. Also check the Time Sync (see section 19.3 Time Synchronization). If you continue to receive an error message, send the exact error message text to nightwatch@fnal.gov.
  8. If you haven't changed your initial Kerberos password (which expires 30 days after it is created), you can change it now. Back on the Reflection Kerberos Manager window, from the Tools menu select Change Password... and change it. See section 3.2.2 Choosing a Kerberos Password for information on choosing passwords.
  9. You may want to create a shortcut for the Reflection Kerberos Manager application in your Programs > Startup folder to start the application automatically each time you log into Windows.
  10. Proceed with the configuration of Reflection X, below.

19.5 Configuring WRQ® Reflection X

This section has purposely not been updated for v10.0.0; we encourage you to use the automated install, in which case you don't need to configure the software manually.

  1. Invoke the Reflection X Client Manager using the Start menu. You will be prompted to run the Reflection X Performance Tuner. Click Yes to run these tests to optimize performance before using the X client manager.
  2. The Reflection X Client Manager next prompts you to Select XDMCP Host. Click No if you don't use XDMCP (X Display Manager Control Protocol) to start clients.
  3. Now you have the option to let the client wizard create Reflection X client files for you. If you say yes, follow the wizard's instructions.
  4. At the bottom of the Reflection X Client Manager window, click Never close client starter connection under the Advanced button. Also select KERBERIZED TELNET as the method.
  5. If you logged on as Administrator, log off and log back on with your normal userid.
  6. You may want to create a shortcut for the Reflection X Client Manager application in your Programs > Startup folder to start the application automatically each time you log into Windows. If so, we recommend that you specify "Run: Minimized" in the shortcut properties.

19.6 Configuring WRQ® Reflection OpenSSH Connections

You can define an OpenSSH configuration (profile) specific to each host you need to access, and save each one to a file. To run OpenSSH to a particular host, you just run its corresponding profile (see section 4.6 Logging In Through WRQ® Reflection Software from Windows).

19.6.1 For Kerberized Host

  1. To configure the Reflection OpenSSH client to access a remote Kerberized system, first open Start > Programs > Reflection > Host - UNIX and Digital.
  2. To configure your profile, start from the Untitled - Reflection for UNIX and Digital window. Pull down the Connection > Connection Setup... menu, click the Network radio button in the Connect using area, and make sure OPENSSH is highlighted in the scroll box.
  3. Fill in the Host name of your target Kerberos system. Very important!!! Click Security.
  4. The default Protocol and Port numbers are fine. Change Authentication to Kerberos key exchange. Compression and Logging level settings are optional. Click OK.
  5. Back on the Connection Setup window, click Connect.

19.6.2 For nonKerberized Host

Follow the same procedure as in section 19.6.1 For Kerberized Host, but on the Reflection OpenSSH Client Settings window, choose the Authentication method appropriately for the target system.

19.6.3 Create a Template Configuration

To create a template OpenSSH profile, first create and save a model profile for any Kerberized or nonKerberized host, as appropriate, as described in the preceding sections. Pull up that profile, use it to log on to the host, and exit out. Select Connection > Connection Setup.... Remove the host name from the configuration and save it as a template file (choose an appropriate filename). To use the template to create a host-specific profile, bring up the template, add the desired host name, and save it to a different file with a host-specific name.

19.7 Configuring WRQ® Reflection telnet Connections

You can define a telnet configuration (profile) specific to each host you need to access, and save each one to a file. To run telnet to a particular host, you just run its corresponding profile (see section 4.6 Logging In Through WRQ® Reflection Software from Windows).

19.7.1 For Kerberized Host

  1. To configure the Reflection telnet client to access a remote Kerberos system, first open Start > Programs > Reflection > Host - UNIX and Digital.
  2. To configure your profile, start from the Untitled - Reflection for UNIX and Digital window. Pull down the Connection > Connection Setup... menu, click the Network radio button in the Connect using area, and make sure TELNET is highlighted in the scroll box.
  3. Fill in the Host name of your target Kerberos system. Very important!!! Click Security.
  4. Select the Kerberos tab. Check Reflection Kerberos.

    Principal: Select your FNAL principal name from the pull-down list.

    Realm: Assuming the target host is in the FNAL.GOV realm and FNAL.GOV is the default realm set in Kerberos Manager, select either (default) or FNAL.GOV.

    User ID: If your user id on the target host doesn't match your principal, fill in the user ID.

    Mutual authentication should be checked by default; leave it checked.

    Check just Forward tickets, or check both that and Encrypt data stream. If you have forwardable tickets and choose Forward tickets, then you can make further connections to other Kerberized machines without having to type your Kerberos password over the net, so you may not need an encrypted connection. (Whenever you authenticate via the Kerberos Manager, you will need to check Forwardable in order to obtain tickets that can be forwarded by this telnet connection.) Conversely, if you don't forward tickets, then you must make sure not to do anything that involves typing your Kerberos password over the net, even if you check Encrypt data stream.

    To request a renewable ticket (maximum lifetime at Fermilab defined as seven days), enter a non-zero lifetime value under Renewable ticket. Seven days is provided as a default. (Whenever you authenticate via the Kerberos Manager, you will need to specify a non-zero Renewable lifetime in order to get tickets that can be renewed. The lesser of the two renewable lifetime values is used.)

    Click OK to return to the Connection Setup window.

  5. If you want to connect immediately, click Connect. (If you haven't already run Kerberos Manager to obtain a ticket-granting ticket, you'll be prompted for your Kerberos password and then logged in.) If you don't want to connect now, just click OK.
  6. Optional: From the Reflection for UNIX and Digital window you can go to the Setup menu and choose to configure a number of nonessential but useful features in the areas of terminal emulation, keyboard mapping, mouse mapping, display, and so on.

    If you will be logging onto several different hosts, it is particularly useful to set each Window Title to the host name (use &h). For instructions, in the Setup > Display... > Options dialog box, click on the ? (upper right corner, as usual), then on Window Title > Details.

  7. Run File > Save As to save the host-specific settings in a file that you name. The system prompts you to save the file in the Programs\Reflections folder.
  8. To start a telnet session to the host for which the profile was created, navigate to Start > Programs > Reflection > Host - UNIX and Digital. Pull down the File menu, select Open, and double-click the configuration file name. If you haven't yet authenticated, you will need to provide your Kerberos password. It does not go over the net when typed at this point.

19.7.2 For nonKerberized Host

For connections allowing weak (standard) authentication, you don't need to worry about the Kerberos Manager since credentials aren't an issue. To configure a standard telnet profile, follow the same steps as in section 19.7.1 For Kerberized Host, but make sure the host name is a nonKerberized node, and eliminate step (3) which sets the Kerberos security.

19.7.3 Create a Template Configuration

Follow the procedure described in section 19.6.3 Create a Template Configuration.

19.7.4 Connect to Host with X Application Startup

Here we describe how to create a profile to use for connecting to a host and starting a generic X application. (This procedure is somewhat dependent on the target OS.)

Be aware that this method provides unencrypted connections only, so use this only for applications that don't require Kerberos authentication.

The easiest way to create a profile is to use the X client wizard. Go to Start > Programs > Reflection > Wizards > X ClientWizard and follow the instructions. To do it manually, follow the instructions that follow here.

  1. Use Start > Programs > Reflection > Reflection X to start the Reflection X Client Manager if it isn't already running.
  2. Use File > New... to open the New Connection dialog, and select Client Connection and click OK; or (in "Split Window Vertically" view) highlight an existing connection in the left pane of the X Client Manager window to use as a template.
  3. On the right hand side, under Connection settings pull down Method, and scroll down and select KERBERIZED TELNET.
  4. Enter the Host name or select it from the pull down list. (The pull down list is generated from the replies to the XDMCP broadcast plus any systems you have used recently.)
  5. Enter the following Command for execution on the remote host:

    (setup <Xprogram>; <Xprogram> -display %IP#% &)

    where <Xprogram> is some X application, for example exmh or xemacs. The special string %IP#% is replaced with the IP address and display number of the local display (i.e., the PC), which the -display option passes to the X application. Make sure that your UNIX login files don't reset the DISPLAY variable to a different display. Other special strings are documented in the Reflection X help file under "Command Line Macro Syntax".

  6. Click the Connect button to establish the connection and run the remote command. (If you haven't already run Kerberos Manager to obtain a ticket-granting ticket, you'll be prompted for your Kerberos password. It's OK to enter it at this stage.)
  7. Choose File > Save or File > Save As... to permanently save the settings.

Other remote client commands and variations are left as an exercise for the reader(!).

Troubleshooting

There is extensive on-line help for other problems or applications.

19.8 Configuring WRQ® Reflection FTP Connections

19.8.1 Create a Profile for FTP to Kerberized Host

  1. Navigate to Start > Programs > Reflection > FTP Client.
  2. Click New in the Connect to FTP Client screen. This brings you to the FTP wizard. On the Add FTP Site screen, fill in the name or IP address of the Kerberized host and click Next >.
  3. In the Login Information box, click the User radio button and click Advanced... to get to the <host> Properties screen.
  4. With the General tab selected, click Security to get to the Security Properties screen. Select the Kerberos tab. The screen is similar to the Security screen for configuring telnet connections in section 19.7 Configuring WRQ® Reflection telnet Connections.

    Check Reflection Kerberos.

    For a target host in the FNAL.GOV realm, enter your FNAL.GOV principal name and select either (default) or FNAL.GOV for the realm.

    If your user id on the target host doesn't match your principal, fill in the user ID.

    Mutual authentication and Verify data integrity should be checked by default; leave them checked.

    You may check Encrypt data stream, but it usually isn't necessary.

    Check Forward tickets. Version 10.0.0 is the first version of Reflection's FTP client for which this option is available!

  5. Click OK twice to return to the Login Information screen. Click Next >.
  6. In the FTP User Login screen, your username should be filled in. Don't check Save my password as encrypted text. Click Next >.
  7. On the Connect screen, verify the name of the FTP host, choose whether you want to connect immediately, then click Finish. Note that in order to connect, the default realm set in User Preferences (see number [2] in section 19.4 Configuring WRQ® Reflection Kerberos Manager v9.0.0) must be set to the default realm of the target FTP host.

19.8.2 Connect to nonKerberized Host

For connections allowing weak (standard) authentication, you don't need to worry about the Kerberos Manager since credentials aren't an issue. To configure a standard FTP connection profile, follow the same steps as in section 19.8.1 Create a Profile for FTP to Kerberized Host, but make sure the host name is a nonKerberized node, and don't bother with Advanced... in step (3). Instead, click Next > and continue from step (6).

19.8.3 Edit an FTP Setup

  1. Open Start > Programs > Reflection > FTP Client.
  2. In the Connect to FTP Site screen, select a configuration file and click Properties.

[1] The procedures are expected to work also on Windows ME, 98 and 95, although these operating systems have not been tested.

[2] If you leave it as zero, then when you authenticate, the default lifetime is set to 8 hours. It's easier to set it to the right value once in the configuration rather than to set it each time you authenticate.

[3] Storing your credentials in memory causes your credentials to be destroyed when the Reflection Kerberos Manager and all Kerberized applications are closed. If you choose to store them in a file (the default), we recommend that you also check Clear All Tickets On Shutdown under the Configuration menu. Clear All Tickets On Shutdown causes all tickets on the PC to be cleared when you close the last application that was using Kerberos authentication. See also the application's Help for "Storing Your Principal Profiles and Credentials".



Fermi National Accelerator Laboratory


This page generated on: 12/17/02 11:13:46