setwindows

windows server 2008 企业版  时间:2021-03-01  阅读:()
CopyrightIBMCorporation2006TrademarksKerberizedauthenticationofWindowsTerminalServicePage1of7KerberizedauthenticationofWindowsTerminalServiceUseIBMNetworkAuthenticationServiceasyourKeyDistributionCenteronAIX5.
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)

Gcore(75折)迈阿密E5-2623v4 CPU独立服务器

部落分享过多次G-core(gcorelabs)的产品及评测信息,以VPS主机为主,距离上一次分享商家的独立服务器还在2年多前,本月初商家针对迈阿密机房限定E5-2623v4 CPU的独立服务器推出75折优惠码,活动将在9月30日到期,这里再分享下。G-core(gcorelabs)是一家总部位于卢森堡的国外主机商,主要提供基于KVM架构的VPS主机和独立服务器租用等,数据中心包括俄罗斯、美国、日...

百纵科技:美国独立服务器租用/高配置;E52670/32G内存/512G SSD/4IP/50M带宽,999元/月

百纵科技怎么样?百纵科技国人商家,ISP ICP 电信增值许可证的正规公司,近期上线美国C3机房洛杉矶独立服务器,大带宽/高配置多ip站群服务器。百纵科技拥有专业技术售后团队,机器支持自动化,自助安装系统 重启,开机交付时间 30分钟内交付!美国洛杉矶高防服务器配置特点: 硬件配置高 线路稳定 洛杉矶C3机房等级T4 平价销售,支持免费测试,美国独服适合做站,满意付款。点击进入:百纵科技官方网站地...

TabbyCloud周年庆&七夕节活动 美國INAP 香港CN2

TabbyCloud迎来一周岁的生日啦!在这一年里,感谢您包容我们的不足和缺点,在您的理解与建议下我们也在不断改变与成长。为庆祝TabbyCloud运营一周年和七夕节,TabbyCloud推出以下活动。TabbyCloud周年庆&七夕节活动官方网站:https://tabbycloud.com/香港CN2: https://tabbycloud.com/cart.php?gid=16购买链...

windows server 2008 企业版为你推荐
flash导航条如何用Flash制作简单的导航栏照片转手绘如何把真人图片用photoshop做成手绘图片如何建立一个网站要建立一个网站怎么弄啊?蘑菇街美丽说蘑菇街美丽说唯品会天猫京东。女生买衣服,哪个好安装迅雷看看播放器怎样安装迅雷看看播放器ios系统ios系统的手机有哪些?gbk编码表GBK码表怎么查服务器连接异常手机服务器连接异常域名库求解:请将您的域名:别名(CNAME)主机解析到idc1.xiaodoutao.com网站排名靠前怎么让自己的网站排名靠前
广州主机租用 域名主机基地 骨干网 网站监控 私有云存储 网站被封 空间服务商 免费smtp服务器 云鼎网络 本网站在美国维护 美国十次啦服务器 七夕快乐英文 91vps 香港亚马逊 沈阳主机托管 lamp兄弟连 实惠 电信宽带测速软件 云服务是什么意思 register.com 更多