setwindows
windows server 2008 企业版 时间:2021-03-01 阅读:()
CopyrightIBMCorporation2006TrademarksKerberizedauthenticationofWindowsTerminalServicePage1of7KerberizedauthenticationofWindowsTerminalServiceUseIBMNetworkAuthenticationServiceasyourKeyDistributionCenteronAIX5.
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- setwindows相关文档
- 服务器windows server 2008考试复习选择题
- 安装windows-server-2003实验操作报告
- 用户Windows server 2003FTP服务器不同用户的管理
- 服务器08679-windows-server-2003网络管理项目实训教程习题参考答案
- 服务器windows server 2008网络操作系统期末复习题全
- 群集windows-server-2012-hyper-v群集图文教程word版
sharktech:老牌高防服务器商,跳楼价,1G独享$70、10G共享$240、10G独享$800
不知道大家是否注意到sharktech的所有服务器的带宽价格全部跳楼跳水,降幅简直不忍直视了,还没有见过这么便宜的独立服务器。根据不同的机房,价格也是不一样的。大带宽、不限流量比较适合建站、数据备份、做下载、做流媒体、做CDN等多种业务。 官方网站:https://www.sharktech.net 付款方式:比特币、信用卡、PayPal、支付宝、西联汇款 以最贵的洛杉矶机器为例,配置表如...
创梦云 香港沙田、长沙联通2核1G仅需29元一个月 挂机宝7元一个月
商家介绍:创梦云是来自国内的主机销售商,成立于2018年4月30日,创梦云前期主要从事免备案虚拟主机产品销售,现在将提供5元挂机宝、特惠挂机宝、香港云服务器、美国云服务器、低价挂机宝等产品销售。主打高性价比高稳定性挂机宝、香港云服务器、美国云服务器、香港虚拟主机、美国虚拟主机。官方网站:http://cmy0.vnetdns.com本次促销产品:地区CPU内存硬盘带宽价格购买地址香港特价云服务器1...
Contabo美国独立日促销,独立服7月€3.99/月
Contabo自4月份在新加坡增设数据中心以后,这才短短的过去不到3个月,现在同时新增了美国纽约和西雅图数据中心。可见Contabo加速了全球布局,目前可选的数据中心包括:德国本土、美国东部(纽约)、美国西部(西雅图)、美国中部(圣路易斯)和亚洲的新加坡数据中心。为了庆祝美国独立日和新增数据中心,自7月4日开始,购买美国地区的VPS、VDS和独立服务器均免设置费。Contabo是德国的老牌服务商,...
windows server 2008 企业版为你推荐
-
最数码数码相机哪种最好明星论坛www.51.com是一个关于什么的网站?邮箱怎么写工作邮箱怎么填什么是电子邮件 什么是电子邮件快速美白好方法有什么变白的好方法ghostxp3ghost xp sp3 和 windows xp3有啥区别flash导航条flash导航条swf格式的要怎么编辑镜像文件是什么系统镜像是什么中小企业信息化小企业需要信息化吗?需要的话要怎么实现信息化呢?商标注册查询官网如何在网上查询商标是否注册?