MIT Kerberos Abatement Project

Purpose & Goals

  • To retire MIT Kerberos Environment in favor of Active Directory servers for authentication. This will limit the number of servers where auth credentials are stored in order to improve security and reduce risk. This will also save resources currently needed to maintain both servers.
  • Re-organize the AD structure to follow security best practices and to allow CalNet to be system of record for all user objects

Scope

Phase 1 by September 16, 2019

  • MOU between CalNet and CalNet AD teams for operation / management / architecture of CalNetAD service.

  • Change practices of OU admins to not move user objects and therefore protect CalNet SOR user objects.

  • Source all user objects from CalNet / BPR and not allow any external modification.

  • Modify CAS to sync passphrases from MIT Kerb to AD.

  • Retire MIT Kerb in favor of AD passphrase store.

 

Phase 2 by Jan 1, 2020

  • Use CalNet SPAs for AD service accounts.

  • Implement and use PAM for all AD elevated access.

  • Retire / remove non-CalNet sourced AD user accounts (“pvt-” type accounts).

Resources for OU Admins

Support

Please contact win-ticket@berkeley.edu for support.