Kerberos

Supported Product

Kerberos is a network authentication protocol developed by MIT and is used at Penn as a means to authenticate to various applications or services.

Kerberos for Windows 3.2.2 is the recommended Kerberos ticket manager for Windows 7, Windows Vista, and Windows XP.  This version of Kerberos for Windows has been configured to include the profile for the University's Key Distribution Center (KDC).

Kerberos for Macintosh is the recommended Kerberos ticket manager for OS X (versions 10.5.8 and above) and is included in the current default installations of University-supported versions of OS X.

Download

Windows

Kerberos for Windows is available free of charge to members of the Penn community. Kerberos for Windows is available for download using your PennKey and password.

OS X

The Kerberos for Macintosh preferences installer is available free of charge to members of the Penn community and is available for download using your PennKey and password.

Windows compatibility

Kerberos for Windows 3.2.2 functions correctly in Windows 8.

OS X compatibility

The Kerberos for Macintosh preferences installer functions correctly in all supported versions of OS X.

Documentation

The following documentation is available for this product:

Related resources

Kerberos for Windows 3.2.2

Kerberos for Windows 3.2.2 has been configured to include the profile for the University's KDC.  No further configuration is necessary.

Kerberos for Macintosh

The Kerberos for Macintosh preferences installer has been configured to include the profile for the University's Key Distribution Center (KDC). No further configuration is necessary.

Configuring HostExplorer for Kerberos

When you install HostExplorer for Windows after downloading it from the Supported Products site, pre-configured Penn Telnet profiles appear when you first launch HostExplorer. If, however, the Telnet destination you want does not appear in the HostExplorer Open Session window, you can use the instructions below to add the new Telnet site, and then configure that profile for the Kerberos environment.

Notes:

  • Before configuring HostExplorer to run Telnet in a Kerberos environment, check with your Local Support Provider (LSP) to ensure your School, department, or administrative unit supports Kerberos.
  • Ensure Kerberos client software is installed on your computer.

To create a new, Kerberos-enabled Telnet profile:

  1. Start HostExplorer (Start → All Programs → Hummingbird Connectivity 2006 → HostExplorer). The Open Session window displays.
  2. In the Open Session window, click the Hummingbird icon, which is the middle, multi-colored icon located in the upper-right corner of the window. The New Profile window displays.
  3. In the Profile Name field, type the name or a description of the Telnet destination (for example, type Telnet to pobox.upenn.edu), then in the Host Name field at the bottom of the window, type the name of the host (for example, pobox.upenn.edu).
  4. Click OK to return to the Open Session window.
  5. In the Open Session window, under the Profile Name column, the Telnet site that you just created is highlighted. Right-click the highlighted telnet session, then select Properties from the dropdown list. The Session Profile window appears with the name you typed in the Profile Name field in step 3.
  6. Under the Categories: column, click the plus symbol (+) beside the Security option to expand it, then select General to display the contents of the General tab in the right panel of the window.
  7. In the General window, select the Kerberos radio button, but do not click OK yet.  (Note: In order to select the Kerberos option you must have already installed Leash32 2.6.x on your machine. If you have not installed Leash, quit HostExplorer, install Leash, and then return to HostExplorer.)
  8. Click the Kerberos tab at the top of the Session Profile window to display its contents.
  9. In the Kerberos window, ensure the Kerberos Version field displays Version 5, then click the Authentication checkbox to activate it. (Do not activate the Encryption checkbox.)
  10. You can now click OK to save your Kerberos configuration.
  11. To connect to your Kerberized profile, you must first obtain a Kerberos ticket.

Note: If you are using HostExplorer 11.0.1.0 or any Kerberized application for the first time, refer to the documents at How to Use Your PennKey for information on how to get set up and work in a Kerberized environment.

Configuring dataComet-Secure 10.1.x for Kerberos (OS X)

Once configured for Kerberos, dataComet-Secure 10.1.x supports Kerberized Telnet connections. The documentation below provides instructions for configuring a new Kerberos-enabled Telnet profile and reconfiguring an existing profile for Kerberos-enabled Telnet.

Note: Before configuring dataComet-Secure 10.1.x to run in a Kerberos environment, check with your Local Support Provider (LSP) to ensure your School, department, or administrative unit supports Kerberos and ensure that Kerberos client software (Kerberos for Macintosh) is installed on your computer.

Configuring a new Kerberos-enabled Telnet Profile

  1. Launch dataComet-Secure 10.1.x from your Applications folder (Go → Applications → dataComet-Secure 10.1.x → dataComet-Secure).
  2. From the File menu, select New, then select Terminal Session... from the dropdown menu. The Configure Terminal Session window displays.
  3. In the Configure Terminal Session window:
  4. In the Window Name field, type a description of your Telnet destination (for example, type My Telnet to pobox.upenn.edu).
  5. Under the Session Type section, click the Telnet radio button.
  6. In the Connect to: field that's located at the bottom of the window, type the Telnet destination (for example, type pobox.upenn.edu).
  7. Click the Configure... button that's right across from the Telnet radio button. Another Configure Terminal Session window displays.
  8. In the Configure Terminal Session window, click the Authentication and the Encryption checkboxes; then click OK.
  9. Click OK to connect to the Telnet destination.
  10. If prompted, enter your PennKey name and password at the Kerberos prompt.
  11. Once you are connected to the Telnet destination, from the File menu select Save Configuration...
  12. When the Save Configuration In dialog box appears, type a name for the session in the Save As: field and either save the session to the folder as displayed in the dropdown menu or choose another directory in which to save the current Telnet configuration; then click Save.
  13. To log into your Telnet session, from the File menu, select Sessions, then select the desired profile.
  14. To quit a session, from the File menu, select Close menu.
  15. To quit the application, press the Command-Q keys or select Quit from the dataComet-Secure menu.
  16. If you are using dataComet-Secure 10.1.x or any other Kerberized application for the first time, please refer to the documents at How to Use Your PennKey for information on how to get set up and work in a Kerberized environment.

Reconfiguring an existing profile for Kerberos-enabled Telnet

  1. Launch dataComet-Secure 10.1.x from your Applications folder (Go → Applications → dataComet-Secure X 10.1.x → dataComet-Secure).
  2. From the File menu, select Sessions, then select the profile you want to change.
  3. From the Window menu, select Reconfigure Session...
  4. Click the Telnet radio button, then click the Configure... button.
  5. In the next displayed window, click the Authentication and the Encryption checkboxes, then ensure that the Authentication field displays Kerberos 5 (leave the remaining fields as is), and click OK.
  6. Click OK again to open your Telnet session.
  7. From the File menu, select Save Configuration...
  8. When the dialog box to save the session configuration appears, choose the directory in which to save the reconfigured Telnet profile, then click Save.
  9. When the replace file prompt displays, click Replace. The specified profile is now reconfigured for Kerberos-enabled Telnet.
  10. To use dataComet-Secure or any Kerberized application, refer to the documents at How to Use Your PennKey for information on how to get set up and work in a Kerberized environment.

Kerberos for Macintosh

The default version of this installer (available from the Kerberos for Macintosh Supported Products Page) attempts to detect the use of Microsoft's Active Directory. This is done because installing the Penn Kerberos profile in an Active Directory environment will cause a loss of network connectivity.

In some cases, the default version of this installer will have a "false positive"—in other words, it will believe that the Macintosh is in an Active Directory environment when it is not. In this case, Information Systems & Computing (ISC) suggests using Custom Install within this installer.

Date Posted: May 29, 2013 Tags: Provider Resource, Supported Product, Security
