UC Davis Information & Educational Technology

Kerberos KDC Replacement Project

Quick Links

Lead
Bob Ono, IT Security Coordinator: raono@ucdavis.edu; (530) 754-6484

Status
  • Tested Kerberos KDC replacement candidates that met all internal specifications and documented findings.
  • Developing and vetting preliminary report.
  • Conducting additional testing in preparation for formal KDC replacement recommendation.
  • Working with campus technical support staff and advisory groups to revise campus password standards.
Goals
  • Replace outdated Kerberos KDC with more modern KDC that uses a stronger encryption type and offers increased compatibility with newer workstations.
  • Strengthen campus Kerberos passwords by implementing updated password standards and improving campus password reset services.

Impact
Kerberos KDC Replacement

  • The actual replacement of the Kerberos KDC will be transparent to campus computing network users; the authentication experience after the replacement will be identical to the current experience.
  • The transition to the new Kerberos KDC requires a one-time password reset for all campus account holders.
  • Service administrators using the Kerberos KDC will need to transition their services to use the new KDC.

Changes to Password Standards

  • All campus account holders will be required to change their passwords during the transition to the new Kerberos KDC. They will not be able to use their existing passwords even if those passwords meet the new password standards.

Implementation Approach

  • KDC technical implementation
    Between May and October 2008, project team members will implement the replacement Kerberos KDC.
  • Password service technical implementation
    Between May and October 2008, project team members will develop and implement the revised and enhanced online process for creating and resetting passwords that meet the new standards.
  • Account holder transition to new KDC
    Communications with campus computing account holders and technical support staff will be initiated in May 2008 and will continue until all account holders have transitioned to the new service. The transition is expected to be complete in December 2008.
  • Service transition to new KDC
    Communication with administrators began in January 2008. These will continue through August of 2009 to facilitate the transition of their services to the new Kerberos KDC. All campus services will transition to the new Kerberos KDC by August 2009
Project Team
  • Bob Ono
  • Curtis Bray
  • Gaston DeFerrari
  • Doreen Meyer
  • Julie McCall
Reviewers
  • Chris Callahan
  • Adam Getchell
  • John Harris
  • Dale Hurt
  • Tim Metz
  • Doreen Meyer
  • Paul Singh
  • Ben Stein