At IU, what are the various Kerberos realms?
There are currently three different Kerberos realms at Indiana University:
IU.EDU
This realm replaces the UCS.INDIANA.EDU and IUPUI.EDU realms, which were retired on November 3, 2003. Use the IU.EDU realm wherever possible. It is an MIT Kerberos realm maintained by the University Information Security Office (UISO).
When logging into a Windows computer in IU's Active Directory, you can authenticate using the Kerberos IU.EDU realm if you choose IU.EDU (Kerberos realm) from the "Log on to:" drop-down list (right below the "Password:" field).
Note: If you have been at the university since before January 2002 and have not changed your passphrase since then, reset your passphrase at the Passphrase Maintenance utility to avoid IU.EDU login difficulties. Visit:
https://passphrase.iu.edu/
ADS.IU.EDU
This Active Directory realm, maintained by the UITS Messaging Team, has a two-fold purpose. First, Kerberos-authenticated Windows services may reside in this realm, which has a cross-realm trust with the IU.EDU realm. That means that anyone authenticated to the IU.EDU realm can access services in the ADS.IU.EDU realm without re-authenticating.
For now, this realm contains usernames and passphrases to provide authentication services for Windows systems that don't support Kerberos (e.g., Windows 95, 98, NT 4, and Me). But when these systems are no longer supported by UITS and the Office of the Vice President for Information Technology, the passphrases will be removed, and all authentication will be done via IU.EDU.
UCS.INDIANA.EDU and IUPUI.EDU
The UCS.INDIANA.EDU and IUPUI.EDU realms were retired on November 3, 2003. Use the IU.EDU realm instead.
Restricting access to services by campus
Kerberos should be used only for authentication, not authorization. To allow only users from a particular campus to access a service, you can't rely on Kerberos alone. In other words, you can use the IU.EDU Kerberos realm to determine whether users are who they say they are, but use some other service to determine what those users are allowed to access. The Enterprise Directory Service (EDS) offers some authorization services and will be offering more in the future.
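As an added illustration (not code from IU or from the original page), the sketch below keeps the two decisions apart: the realm check confirms who the user is, and a separate directory lookup decides campus access. The directory contents, campus codes and function names are constructed for the example, and the principal name is assumed to come from an already-verified Kerberos ticket.

```python
# Added example: authentication (Kerberos realm) kept separate from
# authorization (directory attribute). Names and data are constructed.
from dataclasses import dataclass

TRUSTED_REALM = "IU.EDU"  # realm named on this page; realms are case-sensitive

# Hypothetical stand-in for a directory lookup such as EDS (constructed data).
CAMPUS_DIRECTORY = {
    "jdoe": {"campus": "BL"},
    "asmith": {"campus": "IN"},
}

@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str  # "" when the principal has no instance component
    realm: str

def parse_principal(name: str) -> Principal:
    """Split primary[/instance]@REALM and reject anything ambiguous."""
    if "\\" in name or name.count("@") != 1:
        raise ValueError("unsupported or malformed principal")
    local, realm = name.split("@")
    primary, _, instance = local.partition("/")
    if not primary or not realm or "/" in instance:
        raise ValueError("malformed principal")
    return Principal(primary, instance, realm)

def is_authorized(authenticated_name: str, required_campus: str) -> bool:
    """True only for a plain user principal in the trusted realm whose
    directory entry lists the required campus. Fails closed otherwise."""
    try:
        p = parse_principal(authenticated_name)
    except ValueError:
        return False
    # Authentication side: exact realm match. Never strip the realm and
    # trust the bare username, or another realm's "jdoe" becomes ours.
    if p.realm != TRUSTED_REALM or p.instance:
        return False
    # Authorization side: the answer comes from the directory, not Kerberos.
    entry = CAMPUS_DIRECTORY.get(p.primary)
    return entry is not None and entry.get("campus") == required_campus
```

A user who authenticates successfully but has no directory entry is denied, which is the behaviour the paragraph above calls for: a valid ticket alone grants nothing.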
Last modified on June 26, 2008.






