Completed project: Kerberos consolidation

Primary UITS contact: Alan Walsh

Completed: October 16, 2009

Description: For many years, Indiana University has used the Kerberos protocol to authenticate users to computer systems. Over time, multiple implementations of the Kerberos service have been deployed and used by various systems.

Originally launched in 2006, the project aims to consolidate the existing Kerberos implementations into a single service based on Active Directory. In addition to supporting the Kerberos protocol, Active Directory is the primary source of authentication for CAS, university email, network (wireless and VPN) access, and most workstations. Active Directory also contains a rich set of data about people at IU, as well as records related to computers, groups, and other network resources, which is leveraged by enterprise applications such as Oncourse and OneStart.

Outcome: When the project is complete, the redundant Kerberos services will be retired. This includes numerous servers, as well as processes to support and maintain the environment. All of the systems that use Kerberos for authentication will leverage Active Directory for that purpose.

Milestones and status:

  • Project kick-off: Completed September 2006
  • CAS authentication migrated to ADS: Completed February 2007
  • Enterprise Linux servers migrated to ADS: Completed May 2007
  • Webmail/IMAP migrated to ADS: Completed May 21, 2009
  • MyPage migrated to ADS: Completed May 28, 2009
  • Unlink Group Policy object for Kerberos: Completed June 4, 2009
  • Mail relays migrated to ADS: Completed June 10, 2009
  • Migrate Research Database Complex (RDC) to ADS: Completed June 12, 2009
  • Delete Group Policy Object for Kerberos: Completed June 18, 2009
  • Stop creating legacy Kerberos accounts by default: Completed July 9, 2009
  • Migrate all remaining non-research systems to ADS: Completed September 17, 2009
  • HPSS storage system migrated to ADS: Completed September 17, 2009
  • Prepare legacy Kerberos system for retirement: Completed September 17, 2009
  • Break trust between realms: Completed October 15, 2009
  • Decommission KDCs: Completed October 15, 2009

Comment process: Send email to Alan Walsh.

Benefits:

  • Elimination of redundant services
  • Reduction in support costs
  • Greater fault tolerance
  • Consolidation of user credentials (passphrases)

Project team:

  • Alan Walsh
  • Rahul Doshi
  • Jacob Farmer
  • David Bickel
  • Rick Jackson
  • Andy Korty
  • Nate Johnson

Project sponsor:

  • Rob Lowden (EI Systems director)

This is document ayjn in the Knowledge Base.
Last modified on 2015-09-30 00:00:00.
