
Microsoft revises Win 2000 security stance

But critics say its release of key authorization data format falls short.


After three years of criticism, Microsoft has finally published a royalty-free version of a key authorization data format that has been the center of interoperability concerns surrounding "standards-based" Kerberos security in Windows 2000.

But experts are still unsure whether Microsoft's effort goes far enough to let companies deploy a standards-based Kerberos Key Distribution Center (KDC), the central service that authenticates users and issues the tickets that authorize use of computing resources.

Industry experts and IT executives have complained that Microsoft created a Windows-centric Kerberos that can't interoperate on an authorization level with Unix-based Kerberos servers, leaving them no choice but to run Microsoft's Kerberos server.

"Microsoft has given us half a loaf," says Jeff Schiller, security area director for the Internet Engineering Task Force (IETF). "They haven't given us what we want. What we want is to run a KDC on a non-Microsoft platform."

Microsoft officials say they will offer only the specification for the authorization data format, called the Privilege Attribute Certificate (PAC), and not a recipe for cloning its KDC.

IT executives and security experts have been pleading with Microsoft to publish the PAC, which carries Windows security identifier (SID) information and so binds a Kerberos ticket to Windows access control lists.

Microsoft appears to have consented to some degree because it says it hopes to use Kerberos to support the creation of a web of trusted authentication services across the Internet to support its .Net strategy.

Customers have complained that the PAC, which previously has not been publicly available for commercial use, causes interoperability problems between Unix-based Kerberos implementations and Win 2000 by tying authorization credentials to Microsoft's version of Kerberos.

"If indeed this solves the problem, that would be nice," says Al Williams, director of distributed systems group at Penn State University in State College. "But I'm not convinced yet."

Last week, Microsoft loosened the reins by releasing the PAC specification and offering its use royalty-free.

"We are taking the information from the PAC that deals with group membership and publishing it as an informational [request for comment] within the IETF," says Adam Sohn, product manager for the .Net platform strategy. The PAC was submitted Feb. 22. "Windows does authorization based on group membership, and we are saying here's how we do it." But Sohn says not all of the PAC is being published. "We want to enable interoperability, but we don't want to enable cloning of our KDC or domain controller."

Schiller says the problem with the PAC is that it has too many fields marked "reserved," which means users can't determine what is happening. "We've analyzed traffic moving on their KDC, and we don't know what is in these reserved fields. So could one really build a Kerberos server? No."
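To make concrete what a relying party actually does with the PAC, and where the unpublished parts bite, here is an added example that is not code from the article or from Microsoft: a parser for the PAC container that lists which buffers a consumer has a layout for, a check of the server checksum that binds the authorization data to the ticket, and a tamper test. The buffer layout follows the MS-PAC structures Microsoft published later (PACTYPE, PAC_INFO_BUFFER, PAC_SIGNATURE_DATA) and the RFC 4757 HMAC-MD5 checksum with key usage 17; the keys, the sample PAC, the client name "alice" and the opaque logon-info body are constructed here for illustration, and all function names are this example's own.

```python
# Added example (not Microsoft's code): PAC container parser and server-checksum check.
# Layout per the later-published MS-PAC (PACTYPE, PAC_INFO_BUFFER, PAC_SIGNATURE_DATA);
# checksum per RFC 4757 HMAC-MD5. Keys, sample PAC and logon-info body are made up.
import hashlib
import hmac
import struct

LOGON_INFO, SERVER_CHECKSUM, KDC_CHECKSUM, CLIENT_INFO = 0x1, 0x6, 0x7, 0xA  # ulType values
KNOWN_TYPES = {LOGON_INFO: "logon info (SIDs, group RIDs)", CLIENT_INFO: "client name",
               SERVER_CHECKSUM: "server checksum", KDC_CHECKSUM: "KDC checksum"}
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # RC4-HMAC checksum type (-138)
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number for PAC signatures
SIG_LEN = 16                         # HMAC-MD5 output length

def _align8(n):
    return (n + 7) & ~7

def build_pac(buffers):
    """Serialize [(ulType, data), ...]: cBuffers, Version=0, buffer table, 8-aligned bodies."""
    offset = header_len = _align8(8 + 16 * len(buffers))
    table, body = bytearray(struct.pack("<II", len(buffers), 0)), bytearray()
    for ul_type, data in buffers:
        table += struct.pack("<IIQ", ul_type, len(data), offset)  # ulType, cbBufferSize, Offset
        body += data.ljust(_align8(len(data)), b"\0")
        offset += _align8(len(data))
    return bytes(table.ljust(header_len, b"\0") + body)

def parse_pac(blob):
    """Map ulType -> (offset, data); reject bad version, truncation, out-of-range or duplicate buffers."""
    n, version = struct.unpack_from("<II", blob, 0)
    if version != 0 or 8 + 16 * n > len(blob):
        raise ValueError("malformed PACTYPE header")
    result = {}
    for i in range(n):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob) or ul_type in result:
            raise ValueError("bad or duplicate buffer 0x%x" % ul_type)
        result[ul_type] = (offset, blob[offset:offset + size])
    return result

def unknown_buffer_types(blob):
    """Types with no published layout: bytes a non-Microsoft consumer can carry but not act on."""
    return sorted(t for t in parse_pac(blob) if t not in KNOWN_TYPES)

def hmac_md5_checksum(key, usage, data):
    """RFC 4757 sec. 4: Ksign = HMAC-MD5(K, "signaturekey\\0"); HMAC-MD5(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()

def _zero_signatures(blob):
    """Copy of the PAC with both Signature fields zeroed; SignatureType stays in place."""
    out = bytearray(blob)
    for ul_type, (offset, data) in parse_pac(blob).items():
        if ul_type in (SERVER_CHECKSUM, KDC_CHECKSUM):
            out[offset + 4:offset + len(data)] = bytes(len(data) - 4)
    return bytes(out)

def sign_pac(blob, service_key, krbtgt_key):
    """KDC side: server signature over the zeroed PAC, KDC signature over the server signature."""
    out = bytearray(_zero_signatures(blob))
    sigs = {SERVER_CHECKSUM: hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(out))}
    sigs[KDC_CHECKSUM] = hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, sigs[SERVER_CHECKSUM])
    for ul_type, (offset, _) in parse_pac(blob).items():
        if ul_type in sigs:
            out[offset + 4:offset + 4 + SIG_LEN] = sigs[ul_type]
    return bytes(out)

def verify_server_checksum(blob, service_key):
    """Service side: recompute over the PAC with signatures zeroed; compare in constant time."""
    entry = parse_pac(blob).get(SERVER_CHECKSUM)
    if entry is None or struct.unpack_from("<I", entry[1])[0] != KERB_CHECKSUM_HMAC_MD5:
        return False
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, _zero_signatures(blob))
    return hmac.compare_digest(entry[1][4:4 + SIG_LEN], expected)

def client_name(blob):
    """PAC_CLIENT_INFO: ClientId FILETIME (8 bytes), NameLength (2 bytes), Name in UTF-16LE."""
    data = parse_pac(blob)[CLIENT_INFO][1]
    name_len = struct.unpack_from("<H", data, 8)[0]
    return data[10:10 + name_len].decode("utf-16-le")

SERVICE_KEY, KRBTGT_KEY = b"S" * 16, b"K" * 16  # constructed keys for the example
SAMPLE_PAC = sign_pac(build_pac([
    (LOGON_INFO, b"<opaque NDR KERB_VALIDATION_INFO placeholder>"),
    (CLIENT_INFO, struct.pack("<QH", 0, 10) + "alice".encode("utf-16-le")),
    (SERVER_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(SIG_LEN)),
    (KDC_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(SIG_LEN)),
]), SERVICE_KEY, KRBTGT_KEY)

def tampered_pac():
    """Flip one bit inside logon info (say, a group RID): the server checksum must then fail."""
    out = bytearray(SAMPLE_PAC)
    out[parse_pac(SAMPLE_PAC)[LOGON_INFO][0]] ^= 0x01
    return bytes(out)
```

The point of the two-signature design is visible in `sign_pac` and `verify_server_checksum`: a service holding only its own key can confirm that the SIDs and group RIDs in the logon-info buffer are the ones the KDC issued, while the KDC signature over that server signature is what a domain controller checks when a service forwards the PAC for validation. A consumer that can parse the container but has no layout for a buffer type can do no more than `unknown_buffer_types` does: carry it unread, which is the situation Schiller describes for the reserved fields.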

And Microsoft's intentions aren't entirely altruistic in the matter. Microsoft is focused on "federation" of identity management services: establishing trust between different authentication services in a distributed network, as in a bank's automated teller machine network.

Microsoft in September announced that its Passport identity management service would use Kerberos to develop this federation of trust for authentication.

At the same time, the Liberty Alliance, which was launched by Sun and about 40 other companies, announced a competing identity management system.

"In this world where networks will become federated, we have to solve the trust issue," Microsoft's Sohn says. "Opening up the PAC is an important first step in doing that."

Contact Senior Editor John Fontana

Copyright, 1994-2006 Network World, Inc. All rights reserved.