Use Kerberos Protocol Transition


This topic discusses how to gain access to network resources (UNC paths, for example) with public-key-only authentication by using VShell's Use Kerberos protocol transition option. With public-key authentication VShell never receives the user's password, so on its own it holds no credential that Windows will accept for a network logon to another machine; Kerberos protocol transition lets the VShell host obtain a service ticket on the user's behalf instead. This option only affects VShell's behavior when VShell is installed on a Windows 2003 machine that is a member of an Active Directory domain in which the domain controller is also running Windows 2003.

In order to use the Use Kerberos protocol transition option and see the benefits, you'll need to make sure that the Windows environment satisfies the following conditions:

-  You are using Active Directory.

-  Users authenticating to VShell must authenticate using user accounts that are part of Active Directory; local machine accounts are not available for Kerberos Protocol Transition.

-  The Active Directory domain must be operating at the Windows Server 2003 domain functional level.

-  All servers involved must be running Windows 2003, and must be members of the AD domain. This includes the domain controller, the machine on which VShell is installed, and any machines that would be providing network resources such as shared directories (e.g., fs.somedomain.com).

Historically, Network Attached Storage (NAS) devices have run stripped-down operating systems rather than Windows 2003 or newer, so they were not able to work correctly with Kerberos Protocol Transition within a Windows 2003 AD network environment. However, we have recently received reports from customers that their virtual CIFS share servers are compatible and that they have had success using Kerberos Protocol Transition to connect to these devices' file shares. If you are using a NAS device, check the NAS documentation or ask the NAS vendor whether it supports the Windows Server 2003 functional level.

If your Windows environment meets the above criteria, you should be able to follow the instructions below to enable the use of the Use Kerberos protocol transition option in VShell.

Before configuring VShell to use the Use Kerberos protocol transition option, you must configure constrained delegation for the systems that you wish to handle authentication requests (i.e., the machines on which VShell is installed).

In our example, we assume the following:

-  The goal is to allow access to a network share over SFTP for users authenticating only with public-key authentication.

-  A Windows 2003 domain controller named dc.somedomain.com.

-  A Windows 2003 file server named fs.somedomain.com which provides a shared folder named fileshare.

-  A Windows 2003 domain member named vshell.somedomain.com, on which VShell 2.6.4 or newer has been installed.

Configuring Constrained Delegation on the Domain Controller

To configure constrained delegation for this example environment, log on to dc.somedomain.com as a domain administrator and launch the Active Directory Users and Computers MMC interface (open the Start menu and select Administrative Tools):

1.   In the tree view select the somedomain.com domain.

2.   Open the Computers container.

3.   Find vshell.somedomain.com in the list of computers.

4.   Right-click on the entry for vshell.somedomain.com and select Properties from the context menu.

5.   Click on the Delegation tab and enable the following options:

-  Trust this computer for delegation to specified services only

-  Use any authentication protocol

Note that Use any authentication protocol is what turns on protocol transition: vshell.somedomain.com can then request a cifs ticket for any domain user without holding that user's password or ticket. A compromise of the VShell host therefore extends to the listed services on fs.somedomain.com for every domain user who is not marked Account is sensitive and cannot be delegated. Keep the service list below limited to the share servers VShell actually needs, and never select Trust this computer for delegation to any service (unconstrained delegation) for this purpose.

6.   Click on the Add button.

7.   When the Add Services dialog appears, click on the Users or Computers button.

a.   In the Select Users or Computers dialog, enter the name of the fileserver (fs.somedomain.com) in the Enter the object names to select field, and click OK. If the name of the fileserver offering the share is actually the domain controller, you would type dc.somedomain.com rather than fs.somedomain.com.

8.   Back in the Add Services dialog, select cifs from the list of Available services.

9.   Click OK.

10.  In the Properties dialog, confirm that the service type you just added (cifs) is listed, and that the User or Computer is fs.somedomain.com (or the name of the file server you selected in substep a. above).

11.  Reboot the machine on which VShell is installed (vshell.somedomain.com). Rebooting discards the computer account's cached Kerberos tickets, so the tickets it obtains next reflect the new delegation settings and the changes take effect.
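The same constrained delegation settings can be applied and checked from a script instead of the Active Directory Users and Computers dialogs. The following PowerShell is an added example, not VanDyke's code or part of the original page; it uses ADSI (available without the Active Directory module) against the page's example names somedomain.com, vshell and fs.somedomain.com, and it must be run as a domain administrator. The two userAccountControl flag values are the documented Windows constants; the NetBIOS form of the SPN is added because the Delegation tab records both forms when you pick a service.

```powershell
# Added example: constrained delegation with protocol transition for the
# VShell host's computer account, equivalent to the Delegation tab steps above.
$domainDN   = 'DC=somedomain,DC=com'     # assumption: the page's example domain
$vshellHost = 'vshell'                   # computer account of the VShell server
$fileServer = 'fs.somedomain.com'        # file server offering the share

# userAccountControl bits (documented Windows flag values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

$computer = [ADSI]"LDAP://CN=$vshellHost,CN=Computers,$domainDN"
if (-not $computer.distinguishedName) { throw "computer object for $vshellHost not found under $domainDN" }

# Set the protocol-transition bit and make sure the unconstrained bit is clear;
# the Delegation tab treats the two as mutually exclusive.
$uac = [int]$computer.userAccountControl.Value
$uac = ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION) -band (-bnot $TRUSTED_FOR_DELEGATION)
$computer.Put('userAccountControl', $uac)

# Restrict delegation to the cifs service on the file server only. The FQDN form
# is what the ticket request will carry; the NetBIOS form mirrors what ADUC adds.
$netbios = $fileServer.Split('.')[0].ToUpper()
$wanted  = @("cifs/$fileServer", "cifs/$netbios")
$current = @($computer.'msDS-AllowedToDelegateTo')
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    # PutEx control code 3 = ADS_PROPERTY_APPEND on the multi-valued attribute
    $computer.PutEx(3, 'msDS-AllowedToDelegateTo', $missing)
}
$computer.SetInfo()

# Read back exactly what the Delegation tab would now show.
$computer.RefreshCache()
$uacNow = [int]$computer.userAccountControl.Value
Write-Host ("Protocol transition enabled : {0}" -f [bool]($uacNow -band $TRUSTED_TO_AUTH_FOR_DELEGATION))
Write-Host ("Unconstrained delegation    : {0}" -f [bool]($uacNow -band $TRUSTED_FOR_DELEGATION))
Write-Host ("Allowed to delegate to      : {0}" -f (@($computer.'msDS-AllowedToDelegateTo') -join ', '))

# Audit: every account in the domain that can perform protocol transition, with
# its targets. Anything here other than the VShell host deserves a second look.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$searcher.Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)"
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'msDS-AllowedToDelegateTo'))
foreach ($r in $searcher.FindAll()) {
    $name    = $r.Properties['samaccountname'][0]
    $targets = @($r.Properties['msds-allowedtodelegateto']) -join ', '
    if (-not $targets) { $targets = '(none: protocol transition set but no constrained targets)' }
    Write-Host "$name -> $targets"
}
```

Run it once on the domain controller, then reboot vshell.somedomain.com as in step 11 so the host picks up tickets that reflect the new attributes. The final audit loop is the check a security reviewer wants after any change to the Delegation tab: the 1.2.840.113556.1.4.803 bitwise-AND filter finds every object with the protocol-transition bit set, whether or not it is in the Computers container.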

Configuring VShell to Use Kerberos Protocol Transition

Assuming VShell has been installed on vshell.somedomain.com, you'll need to enable the Use Kerberos Protocol Transition option in VShell. Currently this is done by editing the Windows registry.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. There is no guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk.

1.   Launch regedit (open the Start menu, select Run, enter regedit and then click on OK), and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\VanDyke\VShell\Server

2.   Find the Use Kerberos Protocol Transition REG_DWORD value, and change it from the default (0) to 1 and close the registry editor.

3.   Restart the VShell service so that it reads the new value.
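Steps 1 through 3 can be scripted on the VShell host. The following PowerShell is an added example, not VanDyke's code or part of the original page. Before touching the registry it reads the host's own computer object and refuses to continue unless "Use any authentication protocol" and a cifs target are present, because enabling the VShell option without the AD side only changes the way share access fails. The registry path and value name are the ones given above; the service name VShell is an assumption, so confirm it with Get-Service on your install.

```powershell
# Added example: preflight the AD delegation settings, then enable VShell's
# "Use Kerberos Protocol Transition" value and restart the service. Run elevated
# on the VShell host (vshell.somedomain.com in the page's example).
$regPath     = 'HKLM:\SOFTWARE\VanDyke\VShell\Server'
$regName     = 'Use Kerberos Protocol Transition'
$serviceName = 'VShell'                      # assumption: check Get-Service for the real name
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

# Find this machine's computer object by its sAMAccountName (HOSTNAME$).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'msDS-AllowedToDelegateTo'))
$me = $searcher.FindOne()
if (-not $me) { throw "no computer object found for $env:COMPUTERNAME; is this host a domain member?" }

$uac         = [int]$me.Properties['useraccountcontrol'][0]
$cifsTargets = @($me.Properties['msds-allowedtodelegateto']) | Where-Object { $_ -like 'cifs/*' }

if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    throw "'Use any authentication protocol' is not set on this computer account; configure the Delegation tab on the DC first"
}
if (-not $cifsTargets) {
    throw "no cifs/ entry in msDS-AllowedToDelegateTo; VShell would have no share server it may delegate to"
}
Write-Host "Protocol transition permitted to: $($cifsTargets -join ', ')"

# Enable the option (REG_DWORD 0 -> 1) and restart the service so it takes effect.
if (-not (Test-Path $regPath)) { throw "$regPath not found; is VShell installed on this host?" }
$before = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
Set-ItemProperty -Path $regPath -Name $regName -Value 1 -Type DWord
Restart-Service -Name $serviceName
$after = (Get-ItemProperty -Path $regPath -Name $regName).$regName
Write-Host "$regName changed from '$before' to '$after'; service '$serviceName' restarted"
```

If the preflight throws, fix the Delegation tab and reboot the host before running it again; the registry value is harmless on its own but does nothing useful until the computer account is trusted to authenticate for delegation.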

With VShell and the AD domain controller configured properly as described above, users should be able to authenticate to VShell on vshell.somedomain.com using public-key-only authentication and gain access to SFTP roots that refer to the share fileshare on fs.somedomain.com. User accounts marked Account is sensitive and cannot be delegated are the exception: the domain controller will not issue a forwardable ticket for them on the VShell host's behalf, so those users still cannot reach the share with public-key-only authentication.