setwindows
windows server 2008 企业版 时间:2021-03-01 阅读:()
CopyrightIBMCorporation2006TrademarksKerberizedauthenticationofWindowsTerminalServicePage1of7KerberizedauthenticationofWindowsTerminalServiceUseIBMNetworkAuthenticationServiceasyourKeyDistributionCenteronAIX5.
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- setwindows相关文档
- 服务器windows server 2008考试复习选择题
- 安装windows-server-2003实验操作报告
- 用户Windows server 2003FTP服务器不同用户的管理
- 服务器08679-windows-server-2003网络管理项目实训教程习题参考答案
- 服务器windows server 2008网络操作系统期末复习题全
- 群集windows-server-2012-hyper-v群集图文教程word版
搬瓦工VPS:高端线路,助力企业运营,10Gbps美国 cn2 gia,1Gbps香港cn2 gia,10Gbps日本软银
搬瓦工vps(bandwagonhost)现在面向中国大陆有3条顶级线路:美国 cn2 gia,香港 cn2 gia,日本软银(softbank)。详细带宽是:美国cn2 gia、日本软银,都是2.5Gbps~10Gbps带宽,香港 cn2 gia为1Gbps带宽,搬瓦工是目前为止,全球所有提供这三种带宽的VPS(云服务器)商家里面带宽最大的,成本最高的,没有第二家了! 官方网站:https...
香港云服务器 1核 1G 29元/月 快云科技
快云科技: 12.12特惠推出全场VPS 7折购 续费同价 年付仅不到五折公司介绍:快云科技是成立于2020年的新进主机商,持有IDC/ICP等证件资质齐全主营产品有:香港弹性云服务器,美国vps和日本vps,香港物理机,国内高防物理机以及美国日本高防物理机产品特色:全配置均20M带宽,架构采用KVM虚拟化技术,全盘SSD硬盘,RAID10阵列, 国内回程三网CN2 GIA,平均延迟50ms以下。...
稳爱云(26元),香港云服务器 1核 1G 10M带宽
稳爱云(www.wenaiyun.com)是创建于2021年的国人IDC商家,主要目前要出售香港VPS、香港独立服务器、美国高防VPS、美国CERA VPS 等目前在售VPS线路有三网CN2、CN2 GIA,该公司旗下产品均采用KVM虚拟化架构。机房采用业内口碑最好香港沙田机房,稳定,好用,数据安全。线路采用三网(电信,联通,移动)回程电信cn2、cn2 gia优质网络,延迟低,速度快。自行封装的...
windows server 2008 企业版为你推荐
-
阿里云系统安卓系统和阿里云系统比较?那个很好?优点缺点?比较一下,最近想买,不知道选哪个系统的。绵阳电信绵阳电信宽带资费云播怎么看片云播影视怎么样?显卡温度多少正常电脑显卡温度多少正常?镜像文件是什么什么叫镜像文件,作用是什么?网店推广网站网店怎么推广?ios7固件下载ios 7及以上固件请在设备上点“信任”在哪点?xp系统停止服务XP停止服务后该怎么办?免费免费建站可以不用钱免费做一个网站吗ios系统ios系统和安卓系统对比起来有什么优点和缺点?