OUCS has initiated a project to investigate a central Active Directory for Oxford University. This is intended to bring enhanced support for integration of Microsoft AD based environments with central identity and access management services. At a very basic level it is hoped that this will offer a Microsoft-supported mechanism for providing single sign-on to systems running a wide variety of Microsoft products.
The ability to offer initial sign-on to Microsoft workstations (through the Welcome screen / GINA) and seamless subsequent access to domain-based resources has been available for several years (see https://wiki.oucs.ox.ac.uk/itss/KerberosADTrust). Active Directory uses the Kerberos (version 5) protocol for user authentication – this has been the case since Active Directory was launched in Windows 2000 (see, e.g. http://technet.microsoft.com/en-us/library/bb742516.aspx), and Microsoft recommends Kerberos rather than NTLM (http://msdn.microsoft.com/en-us/library/aa378749%28VS.85%29.aspx).
Microsoft’s Kerberos implementation makes use of some optional features – worthy of note is the inclusion of a Privilege Attribute Certificate (PAC) in the service ticket to convey information about the user's SID and group memberships – but is still fully compatible with other popular Kerberos implementations such as MIT Kerberos. As such, it is relatively straightforward to configure a “cross-realm trust” so that users can log in to an Active Directory domain using their credentials in the Oxford Kerberos realm (OX.AC.UK, the realm used for Oxford SSO authentication). There are currently around 35 Active Directory domains registered for cross-realm trust.
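As an added illustration of what such a cross-realm trust looks like on the MIT side (this is not OUCS configuration and does not come from the page), the krb5.conf fragment below expresses a direct, two-way trust between the Oxford realm and an Active Directory domain. AD.EXAMPLE, the domain controller name dc1.ad.example and the KDC name kdc.ox.ac.uk are placeholders, not real hosts.

```ini
# krb5.conf on a client that authenticates to OX.AC.UK but uses AD services.
# Placeholder names: AD.EXAMPLE, dc1.ad.example, kdc.ox.ac.uk.
[libdefaults]
    default_realm = OX.AC.UK
    # Keep realm lookup explicit; DNS SRV lookup can be enabled instead.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    OX.AC.UK = {
        kdc = kdc.ox.ac.uk
    }
    AD.EXAMPLE = {
        # An AD domain controller is the KDC for the Windows realm.
        kdc = dc1.ad.example
        admin_server = dc1.ad.example
    }

# Map host names to realms so that a service principal such as
# host/fs1.ad.example resolves to AD.EXAMPLE, not to the default realm.
[domain_realm]
    .ad.example = AD.EXAMPLE
    ad.example  = AD.EXAMPLE
    .ox.ac.uk   = OX.AC.UK
    ox.ac.uk    = OX.AC.UK

# A direct trust in each direction ("." means no intermediate realm).
# The KDC in OX.AC.UK issues krbtgt/AD.EXAMPLE@OX.AC.UK, which the AD
# domain controller accepts because both realms hold that principal
# with an identical key; the reverse principal enables the other direction.
[capaths]
    OX.AC.UK = {
        AD.EXAMPLE = .
    }
    AD.EXAMPLE = {
        OX.AC.UK = .
    }
```

For the trust to work, the shared cross-realm principals (krbtgt/AD.EXAMPLE@OX.AC.UK and, for a two-way trust, krbtgt/OX.AC.UK@AD.EXAMPLE) must exist in both realms with the same password and a key type both sides support; the AD side of a realm trust is created with netdom trust using the /realm switch, and AD domain controllers and Windows clients are told where the MIT KDC lives with ksetup /addkdc. The enctype agreement between the two sides is exactly the kind of detail a hotfix or platform upgrade can change, which is why the compatibility testing described below matters.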
Technically, then, a working solution is already in place – applications that are designed to run in an Active Directory environment appear to work smoothly in this configuration, and the user gets the single sign-on experience that they want. There are, however, two issues that crop up:
- There is very little up-to-date information about the bigger picture in which these trust relationships are implemented – an end-to-end analysis needs to look at server roles & applications, client systems, and the federated nature of IT service provision at Oxford.
- Although Microsoft officially supports Kerberos trust relationships between two Microsoft Active Directory domains, they are far less clear about their position regarding trust relationships with other Kerberos implementations. There is a risk that the cross-realm trust could stop working following a hotfix, service pack, or platform upgrade.
Project MADDOX is a two-stage project designed to address both of these issues.
The first stage of the project involves building numerous environments incorporating Active Directory, server, and client components in differing configurations to find out what does, and does not, work. Tests will compare the results of Active Directory to MIT-Kerberos cross-realm trusts against Active Directory to Active Directory trusts (which are fully supported by Microsoft). It is expected that this stage will be completed towards the end of August 2011.
Following this, it is expected that a top-level Active Directory “authentication” domain will be created to support user authentication to other Active Directory domains deployed around the University (see http://technet.microsoft.com/en-us/library/cc757352%28WS.10%29.aspx for an outline of domain trust models). This will form an addition to the suite of identity and access management services offered by OUCS, run initially as a pilot to establish demand, and is expected to be available towards the middle of Michaelmas Term 2011.