ARCHIVED: Completed project: Kerberos consolidation

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Primary UITS contact: Alan Walsh

Completed: October 16, 2009

Description: For many years, Indiana University has used the Kerberos protocol to authenticate users to computer systems. Over time, multiple implementations of the Kerberos service have been deployed and used by various systems.

Originally launched in 2006, the project aims to consolidate the existing Kerberos implementations into a single service based on Active Directory. In addition to supporting the Kerberos protocol, Active Directory is the primary source of authentication for CAS, university email, network (wireless and VPN) access, and most workstations. Active Directory also contains a rich set of data about people at IU, as well as records related to computers, groups, and other network resources, which is leveraged by enterprise applications such as Oncourse and OneStart.

Outcome: When the project is complete, the redundant Kerberos services will be retired. This includes numerous servers, as well as processes to support and maintain the environment. All of the systems that use Kerberos for authentication will leverage Active Directory for that purpose.

Milestones and status:

  • Project kick-off: Completed September 2006
  • CAS authentication migrated to ADS: Completed February 2007
  • Enterprise Linux servers migrated to ADS: Completed May 2007
  • Webmail/IMAP migrated to ADS: Completed May 21, 2009
  • MyPage migrated to ADS: Completed May 28, 2009
  • Unlink Group Policy object for Kerberos: Completed June 4, 2009
  • Mail relays migrated to ADS: Completed June 10, 2009
  • Migrate Research Database Complex (RDC) to ADS: Completed June 12, 2009
  • Delete Group Policy Object for Kerberos: Completed June 18, 2009
  • Stop creating legacy Kerberos accounts by default: Completed July 9, 2009
  • Migrate all remaining non-research systems to ADS: Completed September 17, 2009
  • HPSS storage system migrated to ADS: Completed September 17, 2009
  • Prepare legacy Kerberos system for retirement: Completed September 17, 2009
  • Break trust between realms: Completed October 15, 2009
  • Decommission KDCs: Completed October 15, 2009

Comment process: Send email to Alan Walsh.

Benefits:

  • Elimination of redundant services
  • Reduction in support costs
  • Greater fault tolerance
  • Consolidation of user credentials (passphrases)

Project team:

  • Alan Walsh
  • Rahul Doshi
  • Jacob Farmer
  • David Bickel
  • Rick Jackson
  • Andy Korty
  • Nate Johnson

Project sponsor:

  • Rob Lowden (EI Systems director)

This is document ayjn in the Knowledge Base.
Last modified on 2018-01-18 16:25:27.