Interoperability with Windows 2000

Special Considerations for Interoperability

Special Considerations for Interoperability

You must consider the following issues related to interoperability with Windows 2000 implementations.

Database Considerations

Your network can contain more than one server, but only one master copy of the database is propagated to all secondary security servers. In a Windows 2000 Kerberos implementation, an enterprise can contain more than one domain controller, and each domain controller contains a writable copy of the database. Therefore, the two Kerberos implementations cannot share the same database.

You cannot propagate database entries between Kerberos servers and Windows 2000 domain controllers. Do not attempt to set a Windows 2000 domain controller as a secondary security server to a Kerberos primary security server, or vice versa.

Encryption Considerations

In the Kerberos authentication protocol, critical information is never sent in clear text over the network. Instead, the information is encrypted using a specified algorithm. Although the Kerberos server supports 3DES encryption, Windows 2000 requires DES encryption when it interoperates with other Kerberos implementations. Thus, principals in these realms that want to access resources in Windows 2000 domains must use a DES key type.

Postdated Tickets

The Kerberos server and client supports postdated tickets, but the Windows 2000 domain controller and client do not. If you use postdated tickets to run batch procedures over time, be sure the procedure does not need access to Windows 2000 services.

60

Chapter 4

Page 60
Image 60
HP UX Kerberos Data Security Software manual Special Considerations for Interoperability, Database Considerations