Observers Skeptical of Win 2000 Kerberos Plan

FRAMINGHAM (04/24/2000) - In an attempt to answer interoperability questions about its implementation of Kerberos security in Windows 2000, Microsoft Corp. is finally preparing to reveal a key proprietary data format it has been guarding for nearly two years.

But while IT executives and standards watchers have hoped that Microsoft would publish the data format, they are now concerned about a possible Microsoft plan to license the technology instead of making it freely available. They say that action would continue to needlessly tie Kerberos users to Win 2000.

Kerberos is an Internet Engineering Task Force standard for network authentication; its tickets can also carry authorization data. Ideally, a standards-based implementation of Kerberos allows for network-wide or Internet-wide authentication regardless of the network operating system.

But Microsoft's implementation of Kerberos puts proprietary data, called a Privilege Attribute Certificate (PAC), into its Kerberos "tickets." The result is that tickets generated by third-party Kerberos servers, or Key Distribution Centers (KDC), carry no PAC and so cannot be used to access Windows resources, such as files, applications or network devices, even though those KDCs are built around the same Kerberos Version 5 standard.

Microsoft has been saying for more than two years that it would publish PAC data as a way to foster interoperability.

Microsoft followed the Kerberos Version 5 specification but used the specification's authorization-data field in the Kerberos ticket to carry the PAC, which holds Windows security identifier (SID) information that binds the ticket to Windows access control lists (ACLs).

The Open Group, which develops DCE's Kerberos, and the Massachusetts Institute of Technology, which develops a free KDC, also use the authorization-data field to carry user identity, but they freely publish the data format.
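To make the interoperability failure concrete, here is an added illustration (not code from Microsoft, MIT, the Open Group or this article). It builds the Kerberos V5 AuthorizationData structure in DER, once as a Windows KDC would emit it, with the PAC nested under an AD-IF-RELEVANT element, and once as a plain Unix KDC would, with the optional field absent. A toy Windows service then tries to map each ticket onto an ACL. Assumptions: the ad-type numbers (AD-IF-RELEVANT = 1, AD-WIN2K-PAC = 128) are the ones later registered for Kerberos V5 in RFC 4120, not values from the article; the PAC payload is a constructed placeholder (a list of SID strings), not Microsoft's real binary PAC layout; the ACL and SIDs are made up.

```python
"""Why a ticket from a non-Windows KDC fails against a Windows ACL.

Added illustration.  DER encoding follows the Kerberos V5 ASN.1:
  AuthorizationData ::= SEQUENCE OF SEQUENCE {
      ad-type [0] Int32, ad-data [1] OCTET STRING }
The PAC payload below is a CONSTRUCTED placeholder, not the real MS PAC.
"""

AD_IF_RELEVANT = 1    # ad-type values as registered in RFC 4120 (assumption)
AD_WIN2K_PAC = 128


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    # non-negative INTEGER; the extra bit keeps the sign bit clear (e.g. 128)
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ad_element(ad_type: int, ad_data: bytes) -> bytes:
    """One element: SEQUENCE { [0] EXPLICIT INTEGER, [1] EXPLICIT OCTET STRING }."""
    return _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))


def authorization_data(*elements: bytes) -> bytes:
    return _tlv(0x30, b"".join(elements))


def _read_tlv(buf: bytes, off: int):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def parse_authorization_data(buf: bytes):
    """Return a list of (ad-type, ad-data) pairs from one AuthorizationData."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    out, off = [], 0
    while off < len(body):
        _, elem, off = _read_tlv(body, off)
        _, t_wrap, o = _read_tlv(elem, 0)      # [0] wrapper around INTEGER
        _, t_int, _ = _read_tlv(t_wrap, 0)
        _, d_wrap, _ = _read_tlv(elem, o)      # [1] wrapper around OCTET STRING
        _, d_oct, _ = _read_tlv(d_wrap, 0)
        out.append((int.from_bytes(t_int, "big"), d_oct))
    return out


def find_pac(authdata):
    """Depth-first search for AD-WIN2K-PAC, descending into AD-IF-RELEVANT."""
    if not authdata:                      # authorization-data is OPTIONAL
        return None
    for ad_type, ad_data in parse_authorization_data(authdata):
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT:     # Windows wraps the PAC in this
            pac = find_pac(ad_data)
            if pac is not None:
                return pac
    return None


def authorize(authdata, acl: dict) -> tuple:
    """Toy Windows resource: it needs SIDs from the PAC to evaluate its ACL."""
    pac = find_pac(authdata)
    if pac is None:
        return ("denied", "valid Kerberos ticket but no PAC; cannot build access token")
    for sid in pac.decode().split(";"):   # placeholder payload, not MS-PAC
        if acl.get(sid) == "allow":
            return ("allowed", sid)
    return ("denied", "no SID in PAC matches the ACL")


# Constructed sample data (made-up SIDs and ACL).
ACL = {"S-1-5-21-1-2-3-1105": "allow"}   # a group SID granted access
WIN2K_TICKET_AUTHDATA = authorization_data(
    ad_element(AD_IF_RELEVANT, authorization_data(
        ad_element(AD_WIN2K_PAC, b"S-1-5-21-1-2-3-500;S-1-5-21-1-2-3-1105"))))
MIT_TICKET_AUTHDATA = None                # same user, Unix KDC: field absent

if __name__ == "__main__":
    print(authorize(WIN2K_TICKET_AUTHDATA, ACL))   # ('allowed', 'S-1-5-21-1-2-3-1105')
    print(authorize(MIT_TICKET_AUTHDATA, ACL))     # ('denied', ...)
```

Both tickets are well-formed Kerberos V5 tickets; the second is refused only because the Windows side has nothing to turn into a token. The example ignores the fact that a real PAC is also signed with keys only the issuing KDC holds, which is why a non-Windows KDC could not simply forge one without the trust relationship discussed below.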

Customers want Microsoft to address the restriction.

"Yes, I would like to see this information published, but whether it would help us with interoperability, I really don't know yet," says Al Williams, director of distributed systems services at Pennsylvania State University's Center for Academic Computing. He has more than 200,000 Kerberos user IDs on a Unix-based KDC and is rolling out Win 2000. Williams says he does not want licensing restrictions and he would not consider Microsoft's Kerberos "standards-based" if licenses are required.

"An open model tends to encourage cooperative partnerships. We feel that type of arrangement is better for all involved," Williams says.

Microsoft officials would not comment on their plans for publishing the PAC data.

Regardless, some say requiring PAC licenses is a way to keep Kerberos users tied to Microsoft.

"We are happy they are living up to their promise of disclosure [of the PAC]," says Paul Hill, a senior programmer analyst at MIT and a member of the Kerberos Version 5 development team. "But we are not really happy that they want everyone to license the technology."

MIT's version of Kerberos is freely available, and Hill says MIT won't license the PAC for its server. "How would we pay for it? Our server is free. Putting PAC support in our server just won't happen," he says.

Microsoft, according to sources, hopes developers use the PAC in their applications, therefore tying them into the Win 2000 KDC. That would force non-Windows KDCs to have a trust relationship with Win 2000 KDCs in order to access those applications.

Microsoft could also allow KDC vendors to license and "clone" the PAC on their own KDCs without running a Win 2000 KDC, but it is not clear if that will be permitted. That would let users bypass Win 2000 and rely on a Unix KDC. But users running Kerberos with Windows applications - such as SQL Server, Exchange or Internet Information Server - would still have to pay Microsoft, either for Win 2000 or for the PAC data format, to support access to those resources from a non-Microsoft KDC.

"Microsoft is using its dominance in the application market to help create a monopoly in the server market," Hill says. He's happy Microsoft is using Kerberos because it improves security across the Internet, but "for anyone who runs a competing KDC, Microsoft has usurped the standard and is destroying interoperability."

Analysts say Microsoft is carrying out its unique view of integration.

"This Kerberos tactic is more subtle than usual, but this is the way they promote one technology with another," says Michael Gartenberg, an analyst with the Gartner Group.
