Installing and Configuring Kerberos-Aware Software
Your Choices for On-site Machines
- Recommended and supported: WRQ® Reflection (Kerberos client software plus terminal emulation and X Windows software)
- MIT Kerberos client software and Leash 32 GUI for use with Exceed 7.x telnet and FileZilla FTP clients
- Heimdal Kerberos for use with Cygwin
Choice 1: WRQ® Reflection
Install and configure two WRQ® Reflection software products:
- Security Components v8.0.0 (v9.0 now available with no significant changes; v10.0 is due out around September), which runs the Kerberos Manager on your PC, and
- Reflection X v8.0.6, which is a terminal emulation package with Kerberos authentication added.
Before you Install
- Verify that you have administrator privileges on the PC.
- Verify that you have at least 85 MB of free disk space.
- Obtain a Kerberos principal and initial password for the FNAL.GOV realm.
- Obtain a license for the WRQ® Reflection software; contact your group's PC administrator or your local W2K server administrator to request one.
- Synchronize the time on your PC to the KDC (instructions at http://www.fnal.gov/docs/strongauth/html/winadmin.html#56191).
- Optional: Subscribe to the wrq-users@fnal.gov mailing list.
Automated Installation of WRQ®
A script is available that performs an automated installation of both portions of the WRQ® Reflection software, Reflection X and Security Components (NT4 and Win2K).
- Find the script at \\PSeeKits\WRQ\Automated_Reflection_X_Install.
- Copy the Automated_Reflection_X_Install directory to a local drive.
- Read the README.txt file, and run the Install_WRQ.bat file.
- A series of windows will appear and provide status information. Press Enter when prompted to "Press any key to continue".
To install manually, see Chapter 19: Installing and Configuring WRQ® Reflection on a Windows System.
WRQ® Configuration
Configuring WRQ® Reflection Security Components v8.0.0
Instructions are in section 19.6 Configuring WRQ® Reflection Security Components v8.0.0 at http://www.fnal.gov/docs/strongauth/html/winadmin.html#56173.
Configuring WRQ® Reflection X
Instructions are in section 19.7 Configuring WRQ® Reflection X at http://www.fnal.gov/docs/strongauth/html/winadmin.html#55049.
Configuring WRQ® telnet Connections
Instructions are in section 19.8 Configuring WRQ® Reflection telnet Connections at http://www.fnal.gov/docs/strongauth/html/winadmin.html#25613.
Very important!!! Click Security. In the dialog that opens, select the Kerberos tab. Check Reflection Kerberos, Mutual authentication, Forward ticket and optionally Encrypt data stream.
Configuring WRQ® Reflection FTP Connections
Instructions are in section 19.9 Configuring WRQ® Reflection FTP Connections at http://www.fnal.gov/docs/strongauth/html/winadmin.html#32513.
For Kerberized FTP connections, click Security when it comes up, as in the telnet setup. Select the Kerberos tab and check Reflection Kerberos.
WRQ® Reflection FTP does not forward the ticket or AFS token to the remote host. To transfer files to and from AFS space, see Chapter 20: Installing and Configuring the Windows AFS Client.
Choice 2: MIT Kerberos plus Leash 32 for use with Exceed 7.x telnet
You can get this from PSeekits, at \\PSeekits\DesktopTools/|PC_Tools\Apps\MIT-leash. A Readme.txt file is included with installation instructions. Information is also available in Chapter 21: Installing and Configuring MIT Kerberos on Windows, for use with Exceed 7, at http://www.fnal.gov/docs/strongauth/html/winexceed7.html.
Before you Install
- Verify that you have administrator privileges on the PC.
- Verify that you have at least 60 MB of free disk space (this covers both Kerberos and Exceed).
- Obtain a Kerberos principal and initial password for the FNAL.GOV realm.
- Obtain a license for the Exceed 7 software; contact your group's PC administrator or your local NT server administrator to request one.
- Synchronize the time on your PC to the KDC (instructions at http://www.fnal.gov/docs/strongauth/html/winadmin.html#56191).
Caveats
Although it appears that you can use Leash32 to configure Kerberos for multiple realms, we have only gotten this software to work reliably when configured for accessing a single realm.
Hummingbird Exceed 7.0 FTP connections cannot be Kerberized. (FileZilla has been suggested as a substitute for graphical Kerberized FTP, and is available under \\PSeekits\DesktopTools\Apps\FileZilla_1.6.)
Installation and Configuration
Installing MIT Kerberos
Instructions are in section 21.2 Installing Kerberos at http://www.fnal.gov/docs/strongauth/html/winexceed7.html#55268.
Configuring Kerberos using Leash32
The Leash 32 GUI is packaged with MIT Kerberos for Windows. Instructions are in section 21.3 Configuring Kerberos using Leash32 at http://www.fnal.gov/docs/strongauth/html/winexceed7.html#57451.
Configuring the Exceed 7 Telnet Application
Instructions are in section 21.5 Configuring the Exceed 7 Telnet Application at http://www.fnal.gov/docs/strongauth/html/winexceed7.html#57495.
The most important part of this configuration is in the Security > Kerberos area:
- Change the Kerberos Version to Kerberos 5 from the pulldown menu.
- In the Common Kerberos Options field, check Authentication and optionally Encryption.
- In the Kerberos 5 Options, check Forwarding.
Choice 3: Heimdal Kerberos for use with Cygwin
Before you Install
- Verify that you have administrator privileges on the PC.
- The full Cygwin installation requires about 300 MB of space. This can be reduced by selecting only the tools desired from the installation.
- Obtain a Kerberos principal and initial password for the FNAL.GOV realm.
- Synchronize the time on your PC to the KDC (instructions at http://www.fnal.gov/docs/strongauth/html/winadmin.html#56191).
This is described in Chapter 21: Installing and Configuring MIT Kerberos on Windows, for use with Exceed 7, at http://www.fnal.gov/docs/strongauth/html/winexceed7.html.
Install Cygwin
Instructions are in section 22.2 Install Cygwin at http://www.fnal.gov/docs/strongauth/html/cygwin_heimdal.html#58370.
Install Heimdal Kerberos
Instructions are in section 22.3 Install Heimdal Kerberos at http://www.fnal.gov/docs/strongauth/html/cygwin_heimdal.html#58287.
Your Choices for Off-site Machines
The same as for on-site, plus:
- Install no Kerberos-aware software, and use CRYPTOCard to connect to Kerberized machines.