Environment
Situation
To use Reflection's Kerberos Client, you must be running a Kerberos 5 credentials server (Key Distribution Center - KDC) and kerberized Telnet or FTP server software. This technical note lists third-party vendors who supply software and servers that can be used with Reflection's Kerberos Client.
Resolution
Kerberized Software and Servers
The companies listed below supply Kerberos server software and kerberized application servers. These products provide a complete solution for use with kerberized Reflection products.
MIT Public Domain Reference Implementation
MIT develops Kerberos 5 KDC and kerberized application servers. Reflection Kerberos provides support for the MIT Kerberos 5 reference releases, which are academic demonstration UNIX software with very limited support. Attachmate has tested and approved the krb5-1.0.x, through 1.8 releases of MIT’s Kerberos implementations. For more information, visit the MIT Kerberos web site:
Microsoft Corporation
Microsoft’s Windows 2000, 2003, and 2008 Active Directory servers use Kerberos for authentication of users on Windows operating systems and thus may be used as Kerberos KDCs. Currently, Microsoft does not provide kerberized Telnet or FTP servers. For information about Microsoft’s Kerberos implementations, visit the Microsoft web site:
Microsoft also provides information about configuring Microsoft and MIT KDCs and servers for interoperability on the following web page:
Centrify DirectControl
Centrify DirectControl provides a service that allows Kerberos applications to work transparently with Microsoft Active Directory. The Centrify site offers more information:
Quest Authentication Services
Quest Software offers Quest Authentication Services (formerly Vintela Authentication Services - VAS) for Microsoft Active Directory, integrating Unix/Linux platforms with Microsoft Active Directory. Quest Authentication Services uses Kerberos to protect user credentials. For more information, visit the Quest Software site:
CyberSafe Corporation
CyberSave offers a wide range of Kerberos products and services. The products known as TrustBrokerâ„¢, previously known as Challenger and ActiveTRUST, are Attachmate tested and approved. For more information, visit the CyberSafe Corporation web site:
Hewlett-Packard Company
HP supports Kerberos and offers Kerberos Server Version 2.0 for HP-UX 11i, based on MIT Kerberos v5 Release 1.2.2. For more information, visit the HP web site:
In addition, HP offers Kerberos version 2.0 for OpenVMS Alpha version 7.2-2 and higher, based on the MIT Kerberos v5 Release 1.2.6 (plus security patches provided in Release 1.2.7 and 1.2.8). For more information, visit the HP web site:
Sun Microsystems
Sun supports Kerberos 5 and kerberized application servers with the Sun Enterprise Authentication Mechanism (SEAM) product. This is delivered with Solaris 8, 9, or 10 but can be retrofitted to Solaris 2.6 and 7 operating systems. For more information, visit the Sun web site:
IBM
IBM supports Kerberos 5 and kerberized application servers for AIX 4.3.3, and 5.x and 6.x with the Network Authentication Service version 1.x. It comes packaged with the AIX 4.3.3 Bonus Packs. For more information, visit the IBM web site:
Cygnus Solutions KerbNet
Cygnus produced Kerberos 5 KDC and kerberized application servers. Reflection Kerberos provides support for the KerbNet version 1.2 release, which was a short-lived commercial implementation of the MIT 1.0.2 reference-level UNIX software. This product is no longer available, and there is no support for it. Attachmate has tested and approved the 1.2 release of the KerbNet Kerberos implementation. Cygnus Solution has since merged with RedHat. Source and binary distributions are no longer available for download.
DCE Security Environments
The following companies provide DCE (Distributed Computing Environment) Security environments, which can provide Kerberos 5 credentials for use with Reflection Kerberos. However, these companies' products rely on DCE RPC (Remote Procedure Call) technology alone, and do not include a kerberized Telnet or FTP server. To use these products with kerberized Reflection products, you must have a kerberized application server.
Note that only authentication is available with DCE implementations. Data stream encryption using Kerberos protocol is not supported by DCE servers.
SCO, Inc.
SCO produces Kerberos and DCE products. Their product, SCO DCE Security Server, can be used as a DCE cell security server and as a stand-alone Kerberos server. For more information, contact your local SCO channel partner or visit the SCO web site:
Evaluating Other Vendors
Other vendors provide support for DCE and Kerberos in their products. To use their products with the Reflection Kerberos client, ask for support of IETF RFC 1510 and 2942 compliant Kerberos 5 protocols, a credentials server (Key Distribution Center), and the availability of a kerberized Telnet and/or FTP server.