Subject: Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
From: Paul Leach (paulleEXCHANGE.MICROSOFT.COM)
Date: Fri Mar 10 2000 - 16:15:19 CST


See below.

> -----Original Message-----
> From: Scott Morizot [mailto:tmorizotADC.IS.IRS.GOV]
> Sent: Tuesday, March 07, 2000 5:59 AM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
>
>
> Hello Russ,
>
> It had been a while since I had seen anything about BIND and Win2000
> GSS-TSIG interoperability from the ISC. So after the topic came up on
> NTBugTraq, I raised the question again on the bind-users list. Below is
> the response from David Conrad, Executive Director of the ISC. I think
> it clarifies the issues pretty well. The initial question and a response
> from, I believe, Stuart at Microsoft have already gone out on this list.
> This response from the ISC should round out the perspectives on the
> issue. At any rate, I thought I would forward it for your consideration.
>
> Scott Morizot
>
>
> Forwarded with permission:
>
> ---------- Forwarded message ----------
> Date: Sun, 05 Mar 2000 01:22:50 -0800
> From: David R. Conrad <David.Conradnominum.com>
> To: bind-usersisc.org
> Subject: Re: Win2000 and BIND GSS-TSIG Interoperability?
>
> Scott,
>
> Sorry for the slow reply, I'm on travel right now.
>
> > I recall past discussions
> > on this list where some at the ISC had indicated that
> > Microsoft had released insufficient details about
> > their GSS extensions to TSIG to allow interoperability
> > for secure dynamic updates to be built into BIND.
>
> We have been unable to determine whether or not it is possible to
> implement Microsoft's GSS-TSIG DNS extension that does not require the
> use of Microsoft's version of Kerberos to be a "first class citizen" in
> Microsoft's DNS architecture. From the numerous press reports (e.g.,
> http://dailynews.yahoo.com/h/zd/20000228/tc/20000228169.html), it
> doesn't look too good.

Well, despite the claim from that article that "existing users of
Kerberos on Unix systems in the financial industry or academic community -
where Kerberos is predominantly found - 'are in a place of hurt,'", Morgan
Stanley seems to be doing OK:
http://www.microsoft.com/PressPass/press/2000/Jan00/CyberSafePR.asp

None of the Microsoft extensions to Kerberos are needed to implement an
interoperable BIND server using GSS-TSIG.
An implementation that does standard Kerberos, that does not understand the
extensions, can safely ignore them.
We do such interoperability testing as part of our release process.

The most controversial extension uses a field, which was designed to be
extended but not normally used, to hold a list of groups of which the client
user is a member. The field is documented in the Kerberos standard to be
ignored if not understood. The format of the data MS Kerberos puts in it is
not documented. However, a standard Kerberos server using the GSSAPI does
not expect this field from a standard Kerberos client, and hence does not
need it to operate correctly, so if it follows the standard and ignores it,
it will operate correctly.

See the following for information on Kerberos interop:
http://www.microsoft.com/WINDOWS2000/library/planning/security/kerbsteps.asp
And this for general information on Kerberos:
http://www.microsoft.com/WINDOWS2000/library/howitworks/security/kerberos.asp
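The point above, that a standard Kerberos server stays correct by ignoring an authorization-data element it does not understand, as an added example that is not code from this message, from BIND, or from any Microsoft or ISC implementation: a toy walker over a Kerberos AuthorizationData sequence that acts on the elements it knows and skips the rest. The ad-type numbers 1 (AD-IF-RELEVANT) and 128 (AD-WIN2K-PAC) are the values registered in RFC 4120; the negative local-use type, the placeholder PAC bytes, the DER helpers and the whole sample ticket payload are constructed for this example.

```python
"""Apply the Kerberos "ignore what you do not understand" rule to the
authorization-data field of a ticket.

Everything here is constructed for the example: a toy DER codec for the
AuthorizationData structure and a sample ticket payload. No real PAC is
parsed and no real implementation's code is reproduced.
"""
from typing import List, Tuple

# ad-type values registered in RFC 4120, section 7.5.4
AD_IF_RELEVANT = 1    # container whose unknown members a server MAY ignore
AD_WIN2K_PAC = 128    # Microsoft's group-membership element (the PAC)

# Hypothetical local-use type; RFC 4120 reserves negative ad-types for local use.
AD_LOCAL_EXAMPLE = -1
KNOWN_TYPES = {AD_LOCAL_EXAMPLE}   # the only element this toy server acts on


# --- minimal DER helpers, enough for AuthorizationData ---

def der_len(n: int) -> bytes:
    """DER length field, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """DER INTEGER (two's complement, minimal length) for small values."""
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_authorization_data(elements: List[Tuple[int, bytes]]) -> bytes:
    """AuthorizationData ::= SEQUENCE OF SEQUENCE {
           ad-type [0] Int32, ad-data [1] OCTET STRING }"""
    entries = b"".join(
        der_tlv(0x30, der_tlv(0xA0, der_int(t)) + der_tlv(0xA1, der_tlv(0x04, d)))
        for t, d in elements)
    return der_tlv(0x30, entries)


def _expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read the TLV at buf[pos], check its tag, return (body, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return body, pos + length


def decode_authorization_data(buf: bytes) -> List[Tuple[int, bytes]]:
    seq, end = _expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(seq):
        entry, pos = _expect(seq, pos, 0x30)
        tagged_type, p = _expect(entry, 0, 0xA0)
        raw_type, _ = _expect(tagged_type, 0, 0x02)
        tagged_data, _ = _expect(entry, p, 0xA1)
        ad_data, _ = _expect(tagged_data, 0, 0x04)
        out.append((int.from_bytes(raw_type, "big", signed=True), ad_data))
    return out


def interpret(buf: bytes, depth: int = 0) -> Tuple[List[Tuple[int, bytes]], List[int]]:
    """Return (understood, ignored_types) for an encoded AuthorizationData.

    Members of AD-IF-RELEVANT are decoded recursively; an element whose
    ad-type this server does not understand is recorded and skipped, not
    treated as an error. That is what lets a standard Kerberos service
    accept a ticket carrying a PAC it has no use for.
    """
    if depth > 4:
        raise ValueError("AD-IF-RELEVANT nested too deeply")
    understood, ignored = [], []
    for ad_type, ad_data in decode_authorization_data(buf):
        if ad_type == AD_IF_RELEVANT:
            inner_ok, inner_ignored = interpret(ad_data, depth + 1)
            understood += inner_ok
            ignored += inner_ignored
        elif ad_type in KNOWN_TYPES:
            understood.append((ad_type, ad_data))
        else:
            ignored.append(ad_type)
    return understood, ignored


def sample_ticket_authdata() -> bytes:
    """Constructed sample: a placeholder PAC wrapped in AD-IF-RELEVANT, the
    way Windows tickets carry it, plus one local element this server uses."""
    wrapped_pac = encode_authorization_data([(AD_WIN2K_PAC, b"PLACEHOLDER-NOT-A-REAL-PAC")])
    return encode_authorization_data([
        (AD_IF_RELEVANT, wrapped_pac),
        (AD_LOCAL_EXAMPLE, b"local-policy-blob"),
    ])


if __name__ == "__main__":
    ok, skipped = interpret(sample_ticket_authdata())
    print("acted on:", ok)               # [(-1, b'local-policy-blob')]
    print("ignored ad-types:", skipped)  # [128]
```

Run as a script it reports the local element as acted on and ad-type 128 as ignored. The design choice worth noticing is in interpret(): the unknown type is logged and skipped rather than raised, so the server's behaviour does not depend on the undocumented format of the data inside it, which is exactly why the undocumented group list does not break a standard implementation.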