RE: [ActiveDir] Using Security Configuration Template instead of Ksetup...

2004-04-14 Thread Arden Pineda
Lara,

I am trying to refresh my memory since I had to perform the same steps while
rebuilding our test environment a while back.  Basically, we had to do it in
2 steps in the order listed below.  

1.  Create and import a custom ADM template that predefines the Kerberos
REALM key in the registry.  This ensures that the REALM name is created in
UPPERCASE.  If you try doing this in SCEREGVL.INF file, the realm name is
created, but in lowercase.  Proceed to step 2 once the registry key has been
propagated. 

2.  Edit the SCEREGVL.INF file and add the specific entries for your
KERBEROS realm.  Once you reload the file, the settings will show up under
the Computer Configuration node within Windows Settings\Security
Settings\Local Policies\Security Options.

I have added the sample ADM file and entries for the Security Configuration
Editor file below.  

Also, if you haven't already, you may want to look at the NSA Windows
2000 Security Configuration guides at: 

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

I hope this helps.

Arden

***ADM FILE***
Class MACHINE
Category !!AdministrativeServices
Category !!Kerberos
Policy !!SetRealmFlags 
Keyname "System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM"
Explain !!SetRealmFlags_Help
Part !!RealmFlags Numeric Required
  Valuename "RealmFlags"
  Default 8
End Part
End Policy
End Category ;;Kerberos

End Category ;;AdministrativeServices
[strings]
AdministrativeServices="System"
Kerberos="Kerberos RealmFlags"
RealmFlags="RealmFlags value"
SetRealmFlags="Set YOURREALM.COM Kerberos RealmFlags variable"
SetRealmFlags_Help="Creates the realm name variable key for YOURREALM.COM and allows referrals to work properly.\n\nThis key is created to allow the security policy defining the KDC mappings for the realm to have the proper realm name variable in the registry.\n\nThe value set here (RealmFlags) allows proper referrals from the MIT-based Kerberos realm. See http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html";
;End of Strings

**SCEREGVL.INF file

[Register Registry Values]

; Kerberos
; ==========================================================================
; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95146.htm
; http://www.microsoft.com/windows2000/techinfo/reskit/en/regentry/95141.htm

MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4
; ==========================================================================

[Strings]

; === YOURREALM ===
Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> Sent: Wednesday, April 14, 2004 1:53 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Using Security Configuration Template 
> instead of Ksetup...
> 
> Hello,
> 
> In 'Step-by-step Guide to Kerberos 5 Interoperability'
> document, it is stated as follows:
> "To deploy realm configuration data to multiple computers, 
> use the security configuration template mechanism instead of 
> using Ksetup explicitly on individual computers"  
> 
> Is there any good document / howto about how to use security 
> configuration template to achieve the same results as ksetup ?
> 
> I've been reading some of Microsoft's knowledge articles such 
> as: How to add custom registry settings to security 
> configuration editor, how to create custom administrative 
> templates in windows 2000, etc..but I haven't got a clear 
> picture of how it can be done using security configuration template.
> 
> This is the part that I don't understand:
> "Once the Sceregvl.inf file has been modified and registered, 
> your custom registry values are exposed in the SCM UI's on 
> that machine. You can then create security templates or 
> policies that define your new registry values. These 
> templates or policies can then be applied to any machine 
> regardless of whether Sceregvl.inf has been modified on the 
> target machine or not." (taken from Microsoft's article: How 
> to add custom registry settings to security configuration 
> editor). Is SCM the same as security configuration tool and analysis ?
>  
> Well...from reading the article, my guess is that I will need 
> to update sceregvl.inf, register the changes by doing 
> 'regsvr32 scecli.dll', and also change the group policy.
> 
> Anyway, I've tried to update sceregvl.inf but it didn't work 
> :-( The changes didn't seem to be reflected in the registry 
> editor as usually happens when using ksetup.
> 
> -lara- 
> 
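The ADM and SCEREGVL.INF fragments in Arden's reply above have to agree on one thing: the realm key the ADM template pre-creates must be exactly the key the INF entries write under, and the realm component must be uppercase. The following Python is an added consistency check, not code from the post or from the CalNet scripts; it parses copies of the two fragments (embedded below, with the mail-wrapped lines rejoined), resolves the %Strings% tokens, and reports anything that would make the two steps diverge. The registry-type table is my annotation (REG_* numbering from winnt.h); KdcNames and KpasswdNames are REG_MULTI_SZ values, which is why the INF entries carry type 7.

```python
"""Consistency check for custom Kerberos realm entries in SCEREGVL.INF and
the companion ADM template before they go out through Group Policy.

Added example: checks that (a) every INF entry sits under
...\Lsa\Kerberos\Domains\<REALM>\, (b) <REALM> is uppercase in both files,
(c) the ADM Keyname and the INF paths name the same key, and (d) the INF
value type is REG_MULTI_SZ, which is what KdcNames/KpasswdNames hold.
"""
import re

# Constructed sample: the SCEREGVL.INF fragment from the thread, one entry per line.
SCEREGVL_SAMPLE = r"""
[Register Registry Values]
; Kerberos
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KpasswdNames,7,%Kpasswd%,4
MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM\KdcNames,7,%Knames%,4

[Strings]
Kpasswd = "Kerberos: YOURREALM.COM realm Change Password Protocol Servers (YOURREALM)"
Knames = "Kerberos: YOURREALM.COM realm KDC servers (YOURREALM)"
"""

# Constructed sample: the policy part of the ADM template from the thread.
ADM_SAMPLE = r"""
Class MACHINE
Category !!AdministrativeServices
Category !!Kerberos
Policy !!SetRealmFlags
Keyname "System\CurrentControlSet\Control\Lsa\Kerberos\Domains\YOURREALM.COM"
Part !!RealmFlags Numeric Required
  Valuename "RealmFlags"
  Default 8
End Part
End Policy
End Category
End Category
"""

# Registry data types as numbered in the INF (REG_* constants from winnt.h).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DOMAINS_PREFIX = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Domains\\"


def parse_inf(text):
    """Split an INF-style file into {section_name_lower: [non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_register_values(inf_text):
    """Return the [Register Registry Values] entries with %token% display names resolved."""
    sections = parse_inf(inf_text)
    strings = {}
    for line in sections.get("strings", []):
        key, _, value = line.partition("=")
        strings[key.strip()] = value.strip().strip('"')
    entries = []
    for line in sections.get("register registry values", []):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 4:
            continue  # not a Path,RegType,DisplayName,DisplayType entry
        path, reg_type, display, display_type = parts[0], int(parts[1]), parts[2], int(parts[3])
        display = re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1), m.group(0)), display)
        entries.append({"path": path, "reg_type": REG_TYPES.get(reg_type, "UNKNOWN(%d)" % reg_type),
                        "display": display, "display_type": display_type})
    return entries


def realm_from_path(path):
    """Return the <REALM> component of ...\\Kerberos\\Domains\\<REALM>\\<value>, or None."""
    if not path.upper().startswith(DOMAINS_PREFIX.upper()):
        return None
    return path[len(DOMAINS_PREFIX):].split("\\")[0]


def check_realm_entries(inf_text, adm_text):
    """Return a list of findings; an empty list means the two fragments agree."""
    findings = []
    keyname = re.search(r'Keyname\s+"([^"]+)"', adm_text, re.IGNORECASE)
    adm_key = "MACHINE\\" + keyname.group(1) if keyname else None
    if adm_key is None:
        findings.append("ADM template has no Keyname line")
    else:
        adm_realm = realm_from_path(adm_key)
        if adm_realm is None:
            findings.append("ADM Keyname %s is not under Kerberos\\Domains" % adm_key)
        elif adm_realm != adm_realm.upper():
            findings.append("ADM realm %r is not UPPERCASE" % adm_realm)
    for e in parse_register_values(inf_text):
        realm = realm_from_path(e["path"])
        if realm is None:
            findings.append("%s is not under Kerberos\\Domains" % e["path"])
            continue
        if realm != realm.upper():
            findings.append("INF realm %r in %s is not UPPERCASE" % (realm, e["path"]))
        if e["reg_type"] != "REG_MULTI_SZ":
            findings.append("%s is %s, expected REG_MULTI_SZ" % (e["path"], e["reg_type"]))
        if adm_key and not e["path"].upper().startswith(adm_key.upper() + "\\"):
            findings.append("INF entry %s is outside the ADM key %s" % (e["path"], adm_key))
    return findings
```

Run check_realm_entries over your own edited SCEREGVL.INF and ADM file before registering them; an empty list means the ADM step pre-creates exactly the key the INF entries will be written under.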

RE: [ActiveDir] Using Security Configuration Template instead of Ksetup...

2004-04-16 Thread Lara Adianto
Arden,

Thank you VERY much for taking time to answer my
question. You have provided a very clear
explanation...
I've tried it and it works like magic :-)

I have even added registries for the Group Policy
Refresh, as explained in
http://www.jsiinc.com/sube/tip2100/rh2184.htm so that
any changes made on the registries we added in the
Group Policy Object will be reflected on the machines
in the domain. I've tested it, and it looks okay.

However, I notice that the group policy refresh
doesn't apply when you undefine the value of the
registry (for example changing KdcNames from
kerberos.lara.com to Not defined) or if you try to
remove the registry (for example removing KdcNames).

I've tried rebooting the machine that serves as the
DC, as well as rebooting the client machine (which is
the member of the domain), but it didn't work.
I've tried the following way as well:
- rename the secedit.sdb file to "secedit.old"
- run secedit /refreshpolicy machine_policy /enforce
The new secedit.sdb is created successfully, but the
registries that I've been trying to remove are still
there (in Computer Configuration mode windows
settings\securitysettings\local policies\security
options). I wonder if you have the same experience as
me...

By the way, I have another problem that you might have
encountered as well...
I have w2k client which authenticates to a Kerberos
Realm. This works perfectly. I have also configured a
cross-realm authentication between the Kerberos Realm
and a w2k domain so that (based on the following
articles: Step by step Guide to Kerberos 5
Interoperability and Windows 2000 compatibility
section of Heimdal manual). 

So, when the w2k client (which is in a Kerberos Realm
domain) wants to access another machine in another
domain (which is a w2k domain), it will send a
request for cross-realm referral to the Kerberos Realm
KDC, and the KDC should be able to give a referral
ticket.

The problem is that the win2k machine sends requests in
short names instead of in FQDN (host/foo.example.org
will be sent as host/foo, as explained in
'Implementation of Crossrealm Referral Handling in the
MIT Kerberos Client' by Michael Swift, Irina
Kosinovsky, and Jonathan Trostle), hence the burden to
find the correct realm of the requested server falls
to the KDC. When I debug the code, I found out that
for host/foo, the KDC will try to find a match in
[domain_realm] section of krb5.conf or DNS lookup for
foo. In this way I have to provide a one-to-one
mapping of foo to the correct realm (foo = W2K.COM for
example). Imagine if you have so many machines in one
domain, with so many services available and you have to
provide a one to one mapping of the hostname / service
name to its realm... It's not so practical, isn't it?
The better and correct way (to me) is to provide
mapping of domain name of the service/hostname to its
realm... But I don't know whether this is possible,
and if yes...how to do it.

Do you encounter this problem ? If yes, how did you
solve it ? By the way, I'm using Heimdal.

Once again, thanks a lot !!
-lara-

PS: By the way is there any guidelines on how to
determine the value of the GroupPolicyRefreshTime and
GroupPolicyRefreshTimeOffset ?

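Lara's referral problem above comes down to how the [domain_realm] section is searched. The following Python is an added illustration, not code from the thread or from Heimdal or MIT: it reimplements the lookup order both libraries use for that section (the exact host name first, then ".suffix" entries from the most to the least specific) and runs it over a constructed krb5.conf whose realm and host names are placeholders modelled on the ones in the post. It shows that a fully qualified host/foo.w2k.com rides on a single ".w2k.com" rule, whereas a short name such as host/foo only resolves through its own one-to-one entry, which is exactly the scaling problem described.

```python
"""How a KDC's static [domain_realm] mapping turns a service host into a realm.

Added example: minimal reimplementation of the krb5.conf [domain_realm]
search order, run over a constructed configuration to contrast fully
qualified and short host names in cross-realm referral requests.
"""

# Constructed sample krb5.conf; realm and host names are placeholders.
KRB5_CONF_SAMPLE = """
[libdefaults]
    default_realm = LARA.COM

[domain_realm]
    .w2k.com = W2K.COM
    w2k.com  = W2K.COM
    foo      = W2K.COM
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {host_or_dot_suffix_lower: REALM}."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def realm_for_host(host, mapping):
    """Mimic the libkrb5 [domain_realm] search: exact host, then shorter ".suffix" keys.

    Returns None when nothing matches. The real libraries then consult other
    sources (DNS, the default realm); those are left out here so the effect of
    the static mapping alone is visible.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # ".a.b.c", ".b.c", ".c" for host "h.a.b.c"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def referral_realms(principals, conf_text):
    """Map 'service/host' principals to the realm the static mapping yields (None = unresolved)."""
    mapping = parse_domain_realm(conf_text)
    return {p: realm_for_host(p.partition("/")[2], mapping) for p in principals}
```

With the sample configuration, host/foo.w2k.com and host/bar.sub.w2k.com both resolve through the single ".w2k.com" rule, host/foo resolves only because it has its own entry, and host/bar does not resolve at all; every short name a Windows client sends needs its own line, which is why the one-to-one mapping does not scale.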

RE: [ActiveDir] Using Security Configuration Template instead of Ksetup...

2004-04-20 Thread Arden Pineda
Lara,
 
I haven't really spent any time trying to undo the kerberos entries created
by the custom admin template, so I don't have any useful input at this
point.  I'll see if I can take a look at this at some point in time. 

As for your problem with the Service Principal names, we do not encounter
this issue since we pre-populate the ServicePrincipalName attribute of all
member machines to include the following:

HOST/hostname
HOST/hostname.domainsuffix

We do this using a script that pre-creates the computer accounts and
populates the necessary attributes.  Administrators have to run this script
from a member machine before joining new machines to the domain.  If you are
interested, here is the link to the create computer script on our website:

http://calnetad.berkeley.edu/documentation/scripts

Hope this helps.

Arden


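Arden's workaround above depends on every member machine carrying both HOST/hostname and HOST/hostname.domainsuffix in its servicePrincipalName attribute. The following Python is an added audit of that condition, not the CalNet script from the post: the SPN list is a constructed sample standing in for one computer object's exported servicePrincipalName values, and the audit reports which of the two HOST forms is missing and any HOST SPN that names a different machine (for example a leftover from a rename), which is worth a look because tickets for that name would then be issued against this account.

```python
"""Audit a computer account's HOST SPNs for the short and FQDN forms.

Added example: compares a constructed servicePrincipalName export with the
two HOST SPNs a member machine needs so that both short-name and
fully-qualified service requests resolve to its account.
"""

# Constructed sample: one servicePrincipalName value per line, as exported
# from the directory for a single computer object.
SAMPLE_SPNS = """
HOST/WS017
HOST/ws017.ad.example.org
HOST/oldws017.ad.example.org
"""


def expected_host_spns(shortname, dns_suffix):
    """The two HOST SPNs a member machine needs: short name and fully qualified name."""
    shortname, dns_suffix = shortname.lower(), dns_suffix.lower()
    return {"host/%s" % shortname, "host/%s.%s" % (shortname, dns_suffix)}


def parse_spn_list(text):
    """One SPN per non-blank line, normalised to lower case (AD matches SPNs case-insensitively)."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def audit_host_spns(shortname, dns_suffix, spn_text):
    """Return {'missing': [...], 'review': [...]} for the HOST/ SPNs of one computer account.

    'missing' lists the required HOST forms not present; 'review' lists HOST
    SPNs on the account whose name is neither form (aliases are legitimate,
    stale names from a rename are not, so a human decides).
    """
    present = set(parse_spn_list(spn_text))
    wanted = expected_host_spns(shortname, dns_suffix)
    host_present = {spn for spn in present if spn.startswith("host/")}
    return {
        "missing": sorted(wanted - host_present),
        "review": sorted(host_present - wanted),
    }
```

Run audit_host_spns for each computer account's exported attribute; an empty "missing" list means both the short-name and FQDN requests Lara describes will find the account.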