CalNet Kerberos Service

About Kerberos

Kerberos is the system that holds all CalNet IDs and passphrases. IST supports both MIT and Microsoft Active Directory (AD) Kerberos and accounts are synchronized between these two systems. Refer to Client Configuration for information about Kerberos software and its configuration.

Anyone experiencing problems authenticating via Active Directory can use the synchronize passphrase application.

The campus Central Web Authentication Service (CAS) authenticates users against MIT Kerberos. Campus developers wishing to use CalNet authentication should configure their applications to use CAS or Shibboleth (which delegates authentication to CAS). Information and resources for "CASifying" applications is available on the CAS page. Similar pages for Shibboleth integration (most commonly used for cloud-based services, or when federated login support is required) exists in the Shibboleth section.

Applications that need to proxy CalNet authentication locally (that is, accept a user's CalNet credentials and pass them on to Kerberos for authentication) may do so only with an exception approved by the IS&P security group.  Please see the CalNet Terms of Service and the Proxied CalNet Authentication Exception Requests pages.

If an exception request is approved, application owners will need to configure applications to proxy Kerberos authentication securely, including installing a Kerberos keytab file. Instructions for requesting and installing keytab files are available through the link below.

Kerberos Key Distribution Center (KDC) hosts

IP address for the master and slave KDCs

The CalNet MIT Kerberos-based KDC service use the following IP addresses in the DNS for the master Kerberos KDC, kerberos.berkeley.edu, and the slave KDC, kerberos-1.berkeley.edu, respectively:

  • 169.229.218.74 for the master KDC
  • 169.229.218.75 for the slave KDC

These hosts (kerb-p1.calnet.b.e and kerb-p2.calnet.b.e), as well as the hosts for the ks-qa/kerb-test KDC (kerb-t1.calnet.1918.b.e) and offsite KDC (kerb-p3.sdsc.edu), are available now.

In addition to using the KRB5_CONFIG environment variable to override a default configuration file location, another method that can be used to validate a test Kerberos client against these servers involves using the /etc/hosts file or equivalent to map kerberos.berkeley.edu and kerberos-1.berkeley.edu to the IP addresses (as noted above) or any permutation of those and the others mentioned such as the IP address for kerb-test.berkeley.edu (10.254.9.16). This allows for functional validation and other testing without changing application configurations although a restart of the application may be needed if IP addresses are cached.

IP address and name for offsite KDC at SDSC

The CalNet MIT Kerberos-based KDC service in the DNS for the offsite Kerberos KDC is kerb-p3.sdsc.edu or kerb-p3.calnet.berkeley.edu (132.249.243.24) located at SDSC at UCSD.

IP address for ks-qa.berkeley.edu and kerb-test.berkeley.edu

The CalNet MIT Kerberos-based test/qa KDC service uses the names ks-qa.berkeley.edu or kerb-test.berkeley.edu in the DNS. Those aliases use 10.254.9.16 as the IP address. This means that off-campus access for testing with the new QA/Test KDC will require use of the VPN or other tunneling.