Re: Cannot Create A Web Site
on 03.04.2008 06:26:41 by Le Chaud Lapin

On Apr 2, 9:29 pm, "Ken Schaefer" wrote:
> Microsoft has an enormously simple Kerberos implementation. You just install
> AD. You add your machines to the domain. And away you go. Everything is
> taken care of for you. It works for hundreds of millions of machines with
> most people not having any idea that it's even there. The total number of other
> non-Windows Kerberos implementations is probably just a rounding error.
As I mentioned, I did study Kerberos in sufficient detail not long
after it was out, and as I recall, there are certain things about it
that are not going to be made less complex no matter what the
"implementation." The model itself is complex.
In any case, I think a quick visit to the Kerberos USENET group will
reveal that there are people there with 20+ years of software engineering
experience, engineering knowledge of cryptographic primitives, strong
practical knowledge of computer networking, and general knowledge of
programming...and they still ask questions and wait several days for
the right answer. Do you call that "enormously simple"?
A review of a (thick) book on Kerberos:
http://www.oreilly.com/catalog/kerberos/#top
"Kerberos, the single sign-on authentication system originally
developed at MIT, deserves its name. It's a faithful watchdog that
keeps intruders out of your networks. But it has been equally fierce
to system administrators, for whom the complexity of Kerberos is
legendary. Single sign-on is the holy grail of network administration,
and Kerberos is the only game in town. Microsoft, by integrating
Kerberos into Active Directory in Windows 2000 and 2003, has extended
the reach of Kerberos to all networks large or small. Kerberos makes
your network more secure and more convenient for users by providing a
single authentication system that works across the entire network. One
username; one password; one login is all you need. Fortunately, help
for administrators is on the way. Kerberos: The Definitive Guide shows
you how to implement Kerberos for secure authentication. In addition
to covering the basic principles behind cryptographic authentication,
it covers everything from basic installation to advanced topics like
cross-realm authentication, defending against attacks on Kerberos, and
troubleshooting. In addition to covering Microsoft's Active Directory
implementation, Kerberos: The Definitive Guide covers both major
implementations of Kerberos for Unix and Linux: MIT and Heimdal. It
shows you how to set up Mac OS X as a Kerberos client. The book also
covers both versions of the Kerberos protocol that are still in use:
Kerberos 4 (now obsolete) and Kerberos 5, paying special attention to
the integration between the different protocols, and between Unix and
Windows implementations. If you've been avoiding Kerberos because it's
confusing and poorly documented, it's time to get on board! This book
shows you how to put Kerberos authentication to work on your Windows
and Unix systems. "
"equally fierce to system administrators..."
"complexity of Kerberos is legendary.."
"confusing and poorly documented."
I used Google to search for "Kerberos+complex" and it returned over 1
million hits. But maybe that's not fair. Maybe the "complex" is for
complex numbers used in some ciphers, so I typed in something more
specific:
"kerberos is a complex"
That yielded over 3,000 hits.
"kerberos is complex"
That yielded 228 hits.
A bit of objectivity is in order, don't you think?
Maybe the author and I and all those frustrated people in the Kerberos
group have different ideas of what is "enormously simple" than you.
> > Perhaps Microsoft executives might have shared this highly lucrative
> > sentiment while committing to Kerberos as a security platform.
>
> Yeah - whatever. Kerberos is a robust, proven platform. If it's too
> complicated for you - too bad. PKI isn't any simpler.
I have only been doing research in PKI for over a decade now, and
PKI, if done right, is a *lot* simpler than these other systems. In
fact, the reason that many of the alternatives are awkward is because
of lack of proper PKI, which of course, implies that other related
things must be "proper". Kerberos itself was augmented with public-key
cryptography too.
Microsoft Research could take the lead in figuring these things out.
And no, I don't mean something like Passport, I mean something that is
a little less hackish. If I get to login once on my PC, and never
have to enter another username/password combination _anywhere_, not
for WebDAV, not for Network Neighborhood, not for SQL Server, Not for
IIS, or any website,...well then...then you know you've found a quasi-terminal
solution to the problem.
> > Whether they are deliberately leaving their access control models in
> > such a mess is debatable however, but who knows..
>
> Again - your lack of understanding does not constitute a mess.
It's true...I do not understand why it took 167 hours for me to set up
IIS 7.0 + WebDAV. After all...
1. I was motivated.
2. I have experience in access control models.
3. I know how to read (the documentation is uncommonly poor in IIS
7.0, making books like yours almost a necessity).
4. I followed all instructions given to me by IIS 7.0 people,
including one author of IIS 7.0
5. I had done it before, more or less, on Windows Server 2003 using
IIS 6.0.
Even now, though it is finally working, I have the uneasiness that one
gets when an elevator vibrates violently as it moves. Yes, it's working
but..
The name of our web site in IIS 7.0 GUI is now called "Default Web
Site" after a complete reinstall of everything instead of what it was
before (our research org's site name) because I specifically
instructed my engineers to not touch anything, since, if it breaks
again, the amount of time it will take to fix it is indeterminate.
They took me literally. Tomorrow I will change it to what it
should be.
-Le Chaud Lapin-