setwindows
windows server 2008 企业版 时间:2021-03-01 阅读:()
CopyrightIBMCorporation2006TrademarksKerberizedauthenticationofWindowsTerminalServicePage1of7KerberizedauthenticationofWindowsTerminalServiceUseIBMNetworkAuthenticationServiceasyourKeyDistributionCenteronAIX5.
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
3SandeepRameshPatilPrashantSodhiyaAugust22,2006DiscoverhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNetworkAuthenticationService(IBMNAS)KeyDistributionCenter(KDC)beinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystems.
ItallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
IntroductionKerberos,whichprovidesasecuremeansofauthenticationfornetworkusers,isoneofthemostpopularauthenticationmechanisms.
MostmodernoperatingsystemssupportKerberos-based(Version5)authentication.
IBMAIX5.
3alsosupportsKerberos-basedauthentication.
TheIBMversionofKerberosiscalledIBMNetworkAuthenticationService(IBMNAS),anditcanbeinstalledfromAIX5.
3ExpansionPackCDs.
IBMNASforAIXsupportsbothKerberosclientsandKerberosservers.
ManyenterprisesworldwideuseIBMNASforAIXastheKeyDistributionCenter(KDC)fortheirKerberosrealm.
ItisbeingusedinNetworkFileSystem(NFS)Version4deployment,IBMDB2UniversalDatabase(DB2UDB)security,KerberizedAIXintegratedlogin,enterprise-wideauthentication,andmore.
Todaycustomersgenerallyhaveaheterogeneoussetup,withamixofUNIXandWindowssystems.
AmajorchallengeforadministratorswithheterogeneousenvironmentsistohaveuniformuserIDsandpasswordsacrossdifferentsystems,preferablywithacentralizedauthenticationserver.
MicrosoftWindowsServereditionsprovideafacilitycalledTerminalServicesthatarewidelybecomingpopularintheWindowsworld.
ThisfacilityallowsmultipleuserstologintoadeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage2of7Windowsserversimultaneously.
MicrosoftWindowsServereditionsalsosupportKerberos-basedauthentication,whichisinteroperablewithIBMNAS.
Inthisarticle,administratorslearnhowtoconfiguretheMicrosoftWindows2003ServertoauthenticateTerminalServiceuserswiththeIBMNASKDCbeinghostedontheirAIX5.
3system.
SuchasetupnotonlygivesKerberizedauthenticationforTerminalServiceusers,butitalsoallowsuserstohaveuniformuserIDsandpasswordsacrossAIXandWindowsServersystemsandallowsapplicationdeveloperstoexploittheadvantagesofKerberosinteroperabilitybetweenIBMNASandWindowsinKerberizedapplicationsspanningacrosssystems.
Scenario:IBMNASKDConAIXandKerberizedauthenticationofWindowsTerminalServiceWe'lluseascenariothattakesyouthroughthestepsrequiredtosetupIBMNASKDConanAIXsystemandhaveKerberizedauthenticationofWindowsTerminalServicebyconfiguringWindows2003ServertoIBMNASKDC.
Thefollowingdefinitionsareusedintheexampleinthisarticle:KerberosrealmnameAIXKERBEROS.
IN.
IBM.
COMKDC(IBMNAS1.
4)hostname:fsaix11.
in.
ibm.
com,OS:AIX5.
3WindowsTerminalServicehostname:windce14.
in.
ibm.
com,OS:Windows2003Server(ServicePack1withHotfixforArticleID:902336)Kerberosadministratornameadmin/adminFigure1showsthesetupoftheexample.
Figure1.
Examplesetupibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage3of7InstallingandconfiguringIBMNASServeronAIX5.
3ThissectioncoverstheinstallationandconfigurationofanIBMNASserver(KerberosKDC)onAIX5.
3.
InstallingKerberosKDConAIX5.
3IBMNASisshippedwithAIX5.
3ExpansionPackCDs.
ToinstalltheIBMNASserverpackage,installthekrb5.
server.
rtefileset.
YoucanusethefollowingcommandtoinstalltheNASserverfileset:[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#installp-aqXYgd.
krb5.
serverThenexportthefollowingPATHtoensurethatyouexecuteIBMNAScommandsfromtherespectiveIBMNASdirectories:[root@fsaix11/]#exportPATH=/usr/krb5/sbin:/usr/krb5/bin:$PATHConfiguringKerberosKDConAIX5.
3ToconfigureanIBMNASserveronanAIXmachine,usethecommandinListing1below.
Inthisexample,we'reusingthelegacyconfiguration,wheretheprincipalsarestoredinadatabaseonthelocalfilesystem.
Insteadofthelegacyconfiguration,IBMNASservercanalsobeconfiguredtoLightweightDirectoryAccessProtocol(LDAP)usinganLDAPdirectoryplug-in.
FormoreinformationonconfigurationofIBMNASwithLDAP,seetheIBMNASVersion1.
4AdministrationGuide,shippedwithAIXVersion5.
3ExpansionPackCD.
Listing1.
ConfiguringanIBMNASserveronanAIXmachine[root@fsaix11/]#hostnamefsaix11.
in.
ibm.
com[root@fsaix11/]#/usr/krb5/sbin/config.
krb5-S-din.
ibm.
com-rAIXKERBEROS.
IN.
IBM.
COMInitializingconfiguration.
.
.
Creating/etc/krb5/krb5_cfg_type.
.
.
Creating/etc/krb5/krb5.
conf.
.
.
Creating/var/krb5/krb5kdc/kdc.
conf.
.
.
Creatingdatabasefiles.
.
.
Initializingdatabase'/var/krb5/krb5kdc/principal'forrealm'AIXKERBEROS.
IN.
IBM.
COM'masterkeyname'K/M@AIXKERBEROS.
IN.
IBM.
COM'YouarepromptedforthedatabaseMasterPassword.
ItisimportantthatyouDONOTFORGETthispassword.
EnterdatabaseMasterPassword:Re-enterdatabaseMasterPasswordtoverify:WARNING:nopolicyspecifiedforadmin/admin@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Re-enterpasswordforprincipal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM":Principal"admin/admin@AIXKERBEROS.
IN.
IBM.
COM"created.
developerWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage4of7Creatingkeytable.
.
.
Creating/var/krb5/krb5kdc/kadm5.
acl.
.
.
Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
BecausetheWindowsKerberosimplementationcurrentlysupportsonlyDES-CBC-MD5andDEC-CBC-CRCencryptiontypes,youneedtochangetheIBMNASKerberosserverdefaultencryptionsettingssothattheWindowsworkstationscanauthenticatetoanIBMNASserver.
YoumustmakethefollowingchangesontheAIXmachine(fsaix11.
in.
ibm.
com,inyourcase)hostingtheIBMNASKDC:Editthe/var/krb5/krb5kdc/kdc.
conffileandchangethevalueofsupported_enctypestohavedes-cbc-md5:normalanddes-cbc-crc:normalatthebeginningoftheencryption-typelist.
Afterediting,thesupported_enctypessectionofthe/var/krb5/krb5kdc/kdc.
conffileshouldlooksimilarto:supported_enctypes=des-cbc-md5:normaldes-cbc-crc:normaldes3-cbc-sha1:normalarcfour-hmac:normalaes256-cts:normalRestarttheAIXNASserverdaemons(forexample,krb5kdcandkadmind)sothattheaboveencryption-typechangestakeeffect.
TorestarttheAIXNASserverdaemons,usethefollowingcommands,asshowninListing2.
Listing2.
RestartingtheAIXNASserverdaemons[root@fsaix11/]#stop.
krb5Stopping/usr/krb5/sbin/krb5kdc.
.
.
/usr/krb5/sbin/krb5kdcwasstoppedsuccessfully.
Stopping/usr/krb5/sbin/kadmind.
.
.
/usr/krb5/sbin/kadmindwasstoppedsuccessfully.
Thecommandcompletedsuccessfully.
[root@fsaix11/]#start.
krb5Startingkrb5kdc.
.
.
krb5kdcwasstartedsuccessfully.
Startingkadmind.
.
.
kadmindwasstartedsuccessfully.
Thecommandcompletedsuccessfully.
RequiredKerberosprincipalsfortheWindowsTerminalServiceusersNowyouneedtocreateKerberosprincipalscorrespondingtotheWindowsTerminalServiceusers(andservices)whowishtohaveKerberizedauthenticationoverthenetwork.
Inthissetup,youwantthe"administrator"userofthewindce14.
in.
ibm.
commachinehostingtheWindowsTerminalServicetobeauthenticatedusingIBMNASKDChostedonfsaix11.
in.
ibm.
com,anAIX5.
3machine.
Youarerequiredtocreateadministratorandhost/windce14.
aixkerberos.
in.
ibm.
comKerberosprincipalsusingthekadmin.
localcommandofIBMNASonfsaix11.
in.
ibm.
com,asshownbelowinListing3.
ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage5of7Listing3.
Thekadmin.
localcommand[root@fsaix11/]#kadmin.
localkadmin.
local:ank-pwlaureladministratorWARNING:nopolicyspecifiedforadministrator@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"administrator@AIXKERBEROS.
IN.
IBM.
COM"created.
kadmin.
local:ank-pwlaurelhost/windce14.
aixkerberos.
in.
ibm.
comWARNING:nopolicyspecifiedforhost/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM;defaultingtonopolicy.
NotethatpolicymaybeoverriddenbyACLrestrictions.
Principal"host/windce14.
aixkerberos.
in.
ibm.
com@AIXKERBEROS.
IN.
IBM.
COM"created.
TheadministratorisrequiredtocreateKerberosprincipalscorrespondingtoeachWindowsTerminalServiceuserthatneedsKerberosauthentication.
Inthisexample,wearedemonstratingitonlyforthe"administrator"principal.
Windows2003ServerTerminalServicesreadinessIfyouhavealreadydeployedtheWindows2003ServerTerminalServerinyourenvironment,allyouarerequiredtodoisinstallaMicrosoftHotfixforTerminalServices.
ForTerminalServicestoworkwellwithKerberizedauthenticationconfiguredtoIBMNASKDContheWindows2003Server,youmustinstallaHotfixprovidedbyMicrosoftfortheWindowsServer2003-basedTerminalServer.
OnceyouhaveinstalledtheHotfix(ortheproposedworkaround),youareallsettoconfiguretheWindows2003ServertoIBMNASKDCandruntheWindowsTerminalServicewithKerberizedauthentication.
FordetailedinformationoninstallationandconfigurationoftheMicrosoftTerminalServer,seetheappropriateMicrosoftdocumentation.
ConfigureWindows2003Server(Kerberosclient)toIBMNASserverAfterinstallingtheHotfix,youneedtoconfiguretheWindows2003KerberosclienttotheIBMNASserveronAIX5.
3.
Forthat,youneedtodownloadtheResourceKitToolsfromWindows2003ServerCD,whichinstallstheWindowsKerberosutilities(ksetup,ktpass,andsoon).
ToconfiguretheWindows2003ServertoactasaKerberosclienttotheIBMNASserver:1.
MaketheWindowsServer(windce14.
in.
ibm.
com)apartofyourKerberosworkgroupbysettingittoyourKerberosdomainusingtheksetupcommand:C:\>hostnamewindce14C:\>ksetup/setdomainAIXKERBEROS.
IN.
IBM.
COM2.
ConfiguretheWindowsServermachinetotheKerberosrealmbyspecifyingtheKerberosrealmnameandKerberosservername,asshownbelow:C:\>ksetup/addkdcAIXKERBEROS.
IN.
IBM.
COMfsaix11.
in.
ibm.
com3.
Setthelocalmachineaccountpassword,asfollows:C:\>ksetup/setmachpasswordlaureldeveloperWorksibm.
com/developerWorks/KerberizedauthenticationofWindowsTerminalServicePage6of7ThispasswordmustmatchthepasswordusedwhenyoucreatedtheKerberoshostprincipal(host/windce14.
aixkerberos.
in.
ibm.
com)byinvokingankfromkadmin.
local,explainedearlier.
4.
MaptheKerberosusertoalocalWindowsuser.
Thecommandbelowmapsthelocalwindowsadministratorusertoadministrator@AIXKERBEROS.
IN.
IBM,aKerberosprincipal:C:\>ksetup/mapuseradministrator@AIXKERBEROS.
IN.
IBM.
COMadministrator5.
Restartthecomputerforthechangestotakeeffect.
Figure2summarizesallthestepsexecutedaboveontheWindowsmachine.
Figure2.
ConfigurationofWindows2003ServerasKerberosclienttoAIXKDCTestingthesetupYouarenowallsettoexercisetheKerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDChostedontheAIXV5.
3machine.
LogintotheWindowsServermachine(windce14.
in.
ibm.
com)usingtheRemoteDesktopConnectionfromanyofyourWindowsdesktopmachines.
Onconnection,itpresentsyouwiththelogonscreenforthewindce14.
in.
ibm.
commachine.
SelectLogonto.
YoushouldseethattheKerberosrealmyoucreatedisalsopresentinthedrop-downlist.
NowenteryourKerberosusernameandthepassword(inthiscase,theusernameisadministratorandthepasswordislaurel),selectAIXKERBEROS.
IN.
IBM.
COM(KerberosRealm)ibm.
com/developerWorks/developerWorksKerberizedauthenticationofWindowsTerminalServicePage7of7inthe"Logonto"option,andselectOK.
ThiswillthencarryouttheKerberizedauthenticationprocess,anduponsuccesswilllogtheTerminalServiceuserintotheWindowsmachine.
Figure3showstheRemotelogintotheWindowsservermachine.
Figure3.
KerberizedauthenticationofWindowsTerminalServiceusersagainstIBMNASKDCConclusionThisarticleexplainshowadministratorscanusetheIBMNASKDConAIX5.
3forauthenticationofWindows2003TerminalService.
Thisshouldhelpsimplifyadministration,anditalsoallowsuserstohavecommonuserIDsandpasswordsacrossAIXandWindowsTerminalServicesystems.
CopyrightIBMCorporation2006(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- setwindows相关文档
- 服务器windows server 2008考试复习选择题
- 安装windows-server-2003实验操作报告
- 用户Windows server 2003FTP服务器不同用户的管理
- 服务器08679-windows-server-2003网络管理项目实训教程习题参考答案
- 服务器windows server 2008网络操作系统期末复习题全
- 群集windows-server-2012-hyper-v群集图文教程word版
欧路云(22元) 新增美国Cera线路VPS主机且可全场8折
欧路云(oulucloud) 商家在前面的文章中也有陆续介绍过几次,这不今天有看到商家新增加美国Cera线路的VPS主机,而且有提供全场八折优惠。按照最低套餐最低配置的折扣,月付VPS主机低至22元,还是比较便宜的。不过我们需要注意的是,欧路云是一家2021年新成立的国人主机商,据说是由深圳和香港的几名大佬创建。如果我们有介意新商家的话,选择的时候谨慎且月付即可,注意数据备份。商家目前主营高防VP...
WebHorizon($10.56/年)256MB/5G SSD/200GB/日本VPS
WebHorizon是一家去年成立的国外VPS主机商,印度注册,提供虚拟主机和VPS产品,其中VPS包括OpenVZ和KVM架构,有独立IP也有共享IP,数据中心包括美国、波兰、日本、新加坡等(共享IP主机可选机房更多)。目前商家对日本VPS提供一个8折优惠码,优惠后最低款OpenVZ套餐年付10.56美元起。OpenVZCPU:1core内存:256MB硬盘:5G NVMe流量:200GB/1G...
无法忍受旧版不兼容PHP7+主题 更换新主题
今天父亲节我们有没有陪伴家人一起吃个饭,还是打个电话问候一下。前一段时间同学将网站账户给我说可以有空更新点信息确保他在没有时间的时候还能保持网站有一定的更新内容。不过,他这个网站之前采用的主题也不知道来源哪里,总之各种不合适,文件中很多都是他多年来手工修改的主题拼接的,并非完全适应WordPress已有的函数,有些函数还不兼容最新的PHP版本,于是每次出现问题都要去排查。于是和他商量后,就抽时间把...
windows server 2008 企业版为你推荐
-
ptrint(*ptr)*()怎么理解?快递打印快递单打印时快递单子怎么放置?缓冲区溢出教程如何防止高手使用缓冲区溢出?arm开发板新手入门应如何选择 ARM 开发板?9flash怎么使用ePSXe啊?办公协同软件求一款国内知名的OA办公软件,谁知道有哪些呢?硬盘人硬盘是指什么人开机滚动条谁会调开机的滚动条qq空间打扮如何打扮QQ空间?人人逛街包公免费逛街打一成语