Your Kerberos implementation will be an important part of your network. As such, the Kerberos service needs to be always available, responsive, and in the event of failure, easily restored from backup. Therefore, integrating Kerberos authentication into your network calls for some planning.
The first consideration is what exactly you’ll be using Kerberos for. The answer to this question depends on whether you’ll need compatibility with Kerberos 4 clients/services or not. We’ll handle the simple case where you have no need to service Kerberos 4 clients or services first.
In this case, you’ll be able to implement a Kerberos 5-based solution with no need for backwards compatibility with Kerberos 4-based systems. All of the KDCs we’ll cover here will be able to handle Kerberos 5 clients, and there will be no need to enable any optional Kerberos 4 compatibility.
On the other hand, if you have to support Kerberos 4 services or clients, you’ll need to plan a bit more carefully to integrate those legacy components into your Kerberos implementation. Typically, in this situation, you’ll want to stick with a Unix-based KDC, since these have built-in support for the older Kerberos 4 protocol.
Your only option when dealing with Kerberos 4 client machines (machines which will be authenticating end users) is to use a KDC with direct support for Kerberos 4. This limits you to Unix-based KDCs. However, if you are supporting a Kerberos 4-based service (such as AFS), you can get away with a mixture of a Windows domain controller (or another KDC that supports only Kerberos 5 directly) and a machine that is running the Kerberos 5-to-4 ticket translator daemon (known as krb524) that is included with both MIT and Heimdal. We’ll talk about this option in more detail in Chapter 8.
You’ll want to determine the number of KDCs you’ll deploy in your network. Since authentication requests to the KDC can be easily handled with today’s overpowered processors, a single or dual processor machine should suffice for thousands of clients. Note that this applies to Unix-based system running only a KDC; Windows domain controllers function as much more than just a Kerberos KDC and therefore may have a higher server-to-client ratio than a dedicated Unix KDC. I won’t go into detail about Active Directory planning here; readers interested in more detailed discussion about Active Directory should refer to Active Directory by Robbie Allen and Alistair G. Lowe-Norris (O’Reilly).
You should take into consideration not only how many authentication clients you’ll be serving, but also where these clients are located. While the bandwidth requirements for Kerberos authentication are miniscule, the important metric for Kerberos performance is the network latency between clients and the Kerberos KDCs. Each authentication exchange requires time for at least one full round trip between client and KDC, and if this latency is long—for example, traveling through a satellite uplink or across congested Internet backbones—then users’ authentication requests will become noticeably slow. Consequently, you want to position your KDCs so that they are as close to the clients network-wise as possible.
Of course, when rolling out a system as complex as Kerberos, you’ll want to do a test run first, to become familiar with the system before performing a more substantial roll out to a larger user population.