TCPIP Issues:

NT 5.0 Security - IPSec (handout)

Uses DES or 3DES, 40 bit for export

. Encrypts everything except IP header (breaks firewalls, NAT)
. If you're going to use QOS with MS-IPSec, you must use MS QOS, cause only the IP header is exposed, everything else is "hidden"
. 3 methods of authentication: K5, Certificates, preshared key (password)

Microsoft is working to resolve interoperability issues with Entrust, MS, Verisign servers

Issues: Is there an API for IPSec for NT 5.0?

not yet (beta 2), objective is to first get it to work and then define the API
currently interoperability is problematic - Cisco works best, a few others, then downhill from there
implementation uses ISAKMP internal interface, it can specify Kerberos as the authentication method

NT 5.0 QOS (Tim Moore)

MS saw only 2 things to look at: RSVP & differentiate services

NT 5.0 will provide RSVP support. Used IETF draft to put user id into RSVP (Kerberos support) which allows resource checking per user
NT 5.0 will support packet marking (for core networks)
Will also support 802.1p priority bits (for capable switches)

Does this mean that the NT 5.0 server functions as a bandwidth broker? ( look at the MS ACS - admission control server)

TCPIP Enhancements

MS enhancements fall into 3 areas:

ease of use & manageability
protocol enhancements
performance

Ease of use: Changed the Control Panel Network interface. Now organized network configuration around the notion of "connections", created tool called "Connection Manager" to which you can add services. Also created an API that allows you to query network stack and to perform all the functions of ipconfig.

MS also adding a firewall API to aid in the creation & implementation of NT based firewalls. MS claims you can write a "tcpwrapper" using the firewall API. MS added support to set permissions on a port range (like Unix, where you have to be root to get to ports below 1024). MS also added exclusive control mechanism of a port - for multi-user machines.

A new feature is "Autonet", which allows you to just plug NT 5.0 into the network, and if it cannot find a DHCP service, it will self configure itself to a MS Class B network. This allows you to create a home network of NT & Win98 machines easily. It has other implications in an existing network!

Protocol enhancements:

Added selective acknowledgements, for Ethernet, wireless, etc.
Added large window support , greater than 64K (satellites)
IGMP version 2 is available in NT 4 SP4 & NT 5.0

Performance:

Much of the current hardware is not fast enough to support gigabit ethernet (ISA bus limitations). MS added native ATM support in NT 5.0, either LANE or TCPIP over ATM. MS also added support to offload functions to network card (like checksums, IPSec stuff).

Ip6 available on research.microsoft.com but will not be available with NT 5.0. You can download it and install it into NT 4.0. (this is probably true for NT 5.0 also)

Louis Kahn - Unix Services for NT
>What's in SFU v.1 (services for unix) currently shipping for NT 4.0 (you must have SP4 applied!)

NFS client & server

support for NFS 2 and NFS 3

Case sensitivity
Based on code from Intergraph

Telnet client & server

Supports a new "auth" type (NTLM)

Supports a new terminal type (VTNT the NT console) as well as VT100 ANSI
Plan to support K5 for NT 5.0 (kerberized telnet)

Password Sync

1 way password sync from NT to Unix

supports stand-alone workstation, server, or domain password sync
shipping with HP-UX & Solaris, this requires some code to reside on the unix box

Shell Environment

KORN Shell

Will ship Unix utilities like ls, touch, vi - 25 in all, to allow scripting (license from MKS) (this allows NT administration using VBS, Jscript, & Perl)

License Issues (here's the bad news!)

On NT workstation, telnet server is limited to 1 concurrent connection (requires Client Access License)

NFS server also requires CAL and is limited to 10 concurrent connections when using Workstation

Where is SFU going?

It will provide migration tools from Unix to NT

It will provide full Kerberos support

It will (hopefully) provide SSH support by version 3 (mid-99?)

What's missing?

X Window Server, MS has no plans to do this (right now) as the 3^rd party stuff (Hummingbird) is more than adequate

There is no 2 way password sync (from unix to NT)

There is no NFS gateway, there is no AFS gateway

NT Security - Microsoft

Active Directory becomes the repository for user account information, it replaces the Domain Controller as the backstore for user information. AD (Active Directory) uses core MS Exchange directory components as the basis for the AD LDAP directory service. The Microsoft KDC is also relies upon the Active Directory. NT 5.0 security supports RFC1510 (Kerberos) for authentication.

So what were the target objectives?

Cross platform interoperability for authentication, using MIT K5 source as original code base, MS is testing against MIT KDC as well as MS-KDC

Make it possible to use Unix KDC for a single login for NT workstation

Ensure that non-MS clients can use the NT implementation of the KDC

Part of the delay in shipping NT 5.0 is the interoperability work, MS needs to have MIT compatibility finished. While MS is not implementing any K4 support (doesn't seem to warrant development investment), it is willing to help others , perhaps by helping a customer to enable k4to5 daemon (any volunteers?).

Question

Do you have to implement the MS-KDC if you already have a Unix KDC? Do you have to run the Active Directory? Some implementation facts to consider:

the AD (Active Directory) is required to support the Domain Controller

NT uses the SSPI (like GSS-API), MS stuffs the authorization data in the auth_data portion of the session ticket (which includes an authorization signature), the authorization data signature is ultimately verified against the data in the AD.

Answer:

As long as you don't need to use NT access control lists, you don't need to use the AD. If you do need to use NT access control lists - you better be using AD.

June 9, 1998 - Building 27, Microsoft campus - Redmond

CMU - Project Orpheus Overview (Walter Wong)

CMU uses NT 4.0 in the public sites, no Win95. Created a K4 GINA along with kerberized versions of telnet, ftp, and web access. Created a utility similar to unix "package" called NT package to help with software distribution and maintenance.

CMU is exploring issues related to NT and Unix Kerberos.

CMU is exploring issues related to AFS & NT.

Could we learn more about DNS and NT 5.0?

Stanford - Directory Services (Bob Morgan)

Bob talked about LDAP activities in IETF (see RFC2251-RFC2256).

Extensions currently being proposed:

use of SSL with LDAPv3

LDAPv3 Authentication methods

Dynamic attributes, triggers, paged result sets

Referrals (query gets "referred" to another service)

LDAPv3 C and Java API's

Access control requirements / Model

NOTE: replication is not on the list - though there is some work going on

New Features:

basic "bind" extended (password in the clear) to support SASL (RFC 2222) & TLS
SASL provides support for GSSAPI, Kerberos 5, CRAM-MD5, as well as proxies &gateways

TLS (next version of SSL) which assumes a client certificate (will kerberos support be included? MS said it has no plans to support the Kerberos extensions to TLS)

Consider: LDAP versus:

DNS + Hesiod

Traditional protocols (ph, whois)

DCE CDS (this strikes me as funny)

SQL

(global) file system
Summary:

There will be lots of "LDAP servers", with lots of schemas. Issues remain concerning synchronization vs. referrals vs. integration vs. vertical partitioning. How will you determine an authoritative data source? How will you support junctions to other data spaces? Do you adopt the vendor schema or invest in hammering their product to accept your notions?

ZAW - Microsoft (danpl@microsoft.com)

Goal is to provide:

Support for roaming users (My Documents & Setting)

Support for Software distribution - for Net PC's, allow policy based machine configuration based on the user identity.

Support for installation of software & repair - if you go to launch an app that is missing or has pieces missing, the system will reinstall the missing piece(s) before it launches the application.

The ZAW group is working with other product teams to make MS Apps better "behaved", with fewer "system" components, as most of the ZAW capabilities depends upon ZAW-aware applications.

PKI - Microsoft

No presentation - just here for questions about core PKI & cryptography.

How does PKI & Kerberos interact?

Kerberos useful when well known trust model exists

PKI useful when no known trust model exists (?)

ISS allows mapping from public key to NT Domain (kerberos 5)

Lots of discussion concerning interoperability and chains of trust. Conclusion - it's hard!

Terminal Server - Microsoft

NT originally designed NT 3.1 or this, but (legend says) MS product managers cut it from initial implementation. So, Microsoft licensed NT source code to Citrix & Prologue. As companies began deploying these products (and making $$$), bugs occurred which caused support problems - apps won't run on Citrix (Citrix problem or NT problem?).

MS bought core Citrix code, but not the ICA protocols. Citrix wasn't interested in selling the ICA protocol & MS more interested in using RTP (this is not what you think it is!) to take advantage of existing kernels. Terminal Server will be part of NT 5.0, an install option with NT Server (Terminal Services).

Pricing: MS view is that this is another way to run Windows on a machine, so each desktop will require a Windows license of some kind. This is essentially the same model as Citrix, charging based on clients deployed.

Scaling: 15-25 users per processor, so maybe 60-100 users per NT Server, depending on the level of activity by the user. The applications seem to have the most impact on the scaling properties (not surprising!). MS is still learning how to tune and configure for performance & scaling. MS will shortly produce a white paper on their findings. MS thinks they do as well (or better) than Citrix ICA in terms of performance.

Terminal Server will use AD in NT 5.0 to do load balancing. More performance enhancements for RTP (it is really the T.128 protocol with some modifications, not the IETF described RTP) will show up in NTS (NT Server) 5.0. MS deal with Citrix is that MS will only do Windows Clients until the November 1999. Thus, MS will not publish the RTP protocol until after Nov `99 in order to avoid responsibility for creation of non-Window clients.

MS RTP always encrypts (40 bit) from client to the server. Options will exist for bi-directional encryption and for 128-bit encryption. MS uses an internal MS encryption algorithm, which (he thinks) is published.

The MS RTP client requires a 70K executable, uses 1.5MB memory for caching. It should run on 4MB machine. Having a "good" graphic card on the client helps a lot, since the claim is that most of the client load is in screen painting.

Note: Citrix clients work with both Winframe (Citrix) and the MS Terminal Server.

Active Directory - Microsoft

AD is marketing term for the set of directories shipped with NT 5.0. AD is LDAP compliant, ADSI is a set of interfaces that allow programs to take advantage of AD services (the "ODBC" for directories). So, now for questions:

The AD is composed of a database (Jet Database Engine - the same used for Exchange) and "heads" which sit on top of the Database - LDAP, MAPI, XAPI (XDS), DS.

Support exists to allow permission on a per-attribute basis. This allows restricted access to attributes i.e. HR can see your salary level but no one else is allowed to view this data.

LDIF is supported.

An SQL-like interface is provided for queries & read-only operations

Scaling: have tested up to .5 million objects, around 27 GBytes. Directories of this size cause problems with most administration tools (flat views). MS has implemented "filter" and "find" (LDAP cursor functions).

What won't be in NT 5.0?

No "grafting" support - moving stuff from one directory "tree" to another.

Not much available in graphical tools, a lot of the tools will be command line.

SMTP replication (using encryption) will not be available in beta 2. Will it support SASL?

No support for restoring individual objects.

Is it possible to replace the Jet Database Engine with something else?

NO!

Maybe in the future MS will use SQL Server as the database engine for AD.

Note: MS is working with PeopleSoft, SAP, etc. trying to convince them that the AD is a good place to put things.
What is the Global Catalog?

A view of all the objects & domains in the organization, not all the attributes. The Global Catalog Server can build its own replication schedule. It is a read-only database. It is a place to do quick lookups of users & groups. This might be used to support a white pages service or other read-only services that is only interested in limited scope queries.

NT Futures - Microsoft (Felipe Cabrera)

NT 5.0 will contain 55 million lines of code. (55 thousand KLOCS!)

Advances in Storage Management in NT 5.0.

1. New management of storage device

Plug & play storage (power management)
Removable storage management (tapes, juke boxes, etc.)

improved volume management functions

dynamic volume growth and contraction
volume mount points (not just drive letters)

2. New features in the NTFS file system

dynamic volume growth

defrag of directories (file support in NT 4.0)

dynamic volume dismount
File quotas (hooray!)

ACL check accelerator (NTFS 50% faster)

Reliable change journal (indicates which files have changed, can use for doing incremental backups)

Object ID's

Sparse files

Reparse points - allows IFS to add arbitrary behavior to a file system (like HSM)

Atomic data stream rename

File based services

remote storage - staging the data for archival (uses change journal & reparse points)

replicated storage

content indexing - allows you to "type" files

Extensible service for Automated System Recovery - works with any (capable) ISV backup/restore support

Uses DES or 3DES, 40 bit for export

NT 5.0 QOS (Tim Moore)

MS saw only 2 things to look at: RSVP & differentiate services

TCPIP Enhancements

MS enhancements fall into 3 areas:

support for NFS 2 and NFS 3

Telnet client & server

Supports a new "auth" type (NTLM)

Password Sync

1 way password sync from NT to Unix

Shell Environment

KORN Shell

License Issues (here's the bad news!)

On NT workstation, telnet server is limited to 1 concurrent connection (requires Client Access License)

Where is SFU going?

It will provide migration tools from Unix to NT

What's missing?

X Window Server, MS has no plans to do this (right now) as the 3rd party stuff (Hummingbird) is more than adequate

NT Security - Microsoft

June 9, 1998 - Building 27, Microsoft campus - Redmond

CMU - Project Orpheus Overview (Walter Wong)

CMU uses NT 4.0 in the public sites, no Win95. Created a K4 GINA along with kerberized versions of telnet, ftp, and web access. Created a utility similar to unix "package" called NT package to help with software distribution and maintenance.

Stanford - Directory Services (Bob Morgan)

Bob talked about LDAP activities in IETF (see RFC2251-RFC2256).

ZAW - Microsoft (danpl@microsoft.com)

Goal is to provide:

PKI - Microsoft

No presentation - just here for questions about core PKI & cryptography.

Terminal Server - Microsoft

Active Directory - Microsoft

AD is marketing term for the set of directories shipped with NT 5.0. AD is LDAP compliant, ADSI is a set of interfaces that allow programs to take advantage of AD services (the "ODBC" for directories). So, now for questions:

NT Futures - Microsoft (Felipe Cabrera)

NT 5.0 will contain 55 million lines of code. (55 thousand KLOCS!)

X Window Server, MS has no plans to do this (right now) as the 3^rd party stuff (Hummingbird) is more than adequate