Heads Up! Additional Configuration Required for Windows 7/Windows Server 2008 R2
July 14, 2010 Patrick Botz
If you have a Windows 7 workstation or you are running Windows Server 2008 R2, there is an extra configuration step to enable Kerberos authentication with i5/OS. In these releases, Microsoft no longer enables the DES cipher suites (DES-CBC-MD5 and DES-CBC-CRC) for Kerberos by default. Unfortunately, Kerberos on i5/OS does not support the new default suites used by Microsoft.
A few details about the Kerberos protocol will explain why this change requires additional configuration. The Kerberos protocol negotiates the cipher suites used to build Kerberos tickets. When a client requests a Kerberos ticket, it includes a list of cipher suites it supports. The Kerberos server compares this list with its own list of supported cipher suites. The first match found is the cipher suite used to build the ticket. If there is no match, the server uses its default suite.
The cipher suites supported by i5/OS for Kerberos are:
i5/OS enables DES-CBC-CRC and DES-CBC-MD5 by default. You can choose to enable either of these suites in any order, providing, of course, that at least one of them is also supported by the KDC (i.e., Key Distribution Center or Kerberos server) used in your network.rnThe following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2:
You will notice that there are no enabled suites common to both the Microsoft environments and i5/OS. Fortunately, this is easily solved by enabling DES-CBC-MD5 and DES-CBC-CRC on Windows 7 and Windows Server 2008 R2.
To add DES-CBC-CRC and DES-CBC-MD5 to Windows 7 or Windows Server 2008 R2, change the “Network security: Configure encryption types allowed for Kerberos” policy setting. On Windows 7 you can do this by executing gpedit.msc and expanding “Local Computer Policy” > “Computer Configuration” > “Windows Settings” > “Security Settings” > “Local Policies” > “Security Options” > “Network security: Configure encryption types allowed for Kerberos.” Once there, double-click “Network security: Configure encryption types allowed for Kerberos.” Select “DES_CBC_MD5 and DES_CBC_CRC.”
DES-CBC-CRC is vulnerable to certain types of attacks, but it is supported–either by default or with additional configuration–by all Kerberos servers. DES-CBC-MD5 is a bit better than DES-CBC-CRC and it is widely supported by Kerberos servers. One must remember to put these vulnerabilities in perspective. For example, if you accept PUBLIC *USE or higher as the default authority of newly created objects, you are accepting much more risk than those posed by using either of these encryption suites to protect your Kerberos tickets. In addition, Kerberos tickets are relatively short-lived (and their lifetime can be reduced). Therefore, the window in which they must be captured for future manipulation is relatively small. The risk is not equivalent to that you would incur if you used these suites to protect permanently stored data.
i5/OS allows you mange the order of the supported suites. Putting DES-CBC-MD5 ahead of DES-CBC-CRC will ensure the slightly better suite will be used for any servers that support both. In iSeries Navigator, expand “Security,” right-click on “Network Authentication Service,” and select “Properties.” On the window that pops up, select the “Tickets” tab. Remove DES-CBC-CRC and re-add it using the “Add after” button.
The following website provides the information about the new Microsoft encryption suite defaults for Kerberos: http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
Patrick Botz is the principal consultant and founder of Botz & Associates Inc. He is also president of Valid Technologies, LLC, a biometric middleware ISV. Pat spent nearly 20 years working at IBM in various security roles including lead IBM i security architect, IBM eServer security team, and the head of IBM Lab Services Security Consulting practice. Check out his Website at www.botzandassociates.com. Send your questions or comments for Patrick to Ted Holt via the IT Jungle Contact page.