MSU Kerberos upgrade to be completed August 6

IT Services is in the process of upgrading to the new 1.11.2 version of Kerberos. Further details and instructions on the upgrade are available.

This new version will introduce new features of Kerberos including file-less configuration using DNS and account locking for invalid password attempts.

Reasons to upgrade

This upgrade to the current Kerberos 5 release is necessary for a number of reasons, including:

  • Newer MIT Kerberos server software allows for more stringent password policies, including account lockout.
  • Newer MIT Kerberos server software includes full support for IPv6.

Kerberos software

On July 31, 2012, support for backward compatibility with the Kerberos 4 protocol was turned off.

During summer 2013, MSU’s Kerberos system will undergo a complete upgrade, with the current version of MIT Kerberos running on all new hardware. This upgrade will be done in a series of steps that should not affect users of systems that use Kerberos, Sentinel, or Shibboleth for authentication.

Administrators of systems that use Kerberos will need to make a minor change to their Kerberos configuration. This change may be done at the system administrators’ convenience, but should be completed before July 24, 2013.

MSU IT Services will finish the Kerberos authentication software upgrade to the current release, MIT Kerberos 1.11.2, on August 6, 2013.

Kerberos upgrade milestones

IT Services is contacting known system administrators and using the IT Exchange listserv to provide information and instructions. However, all administrators who think they may be affected are encouraged to fill out this contact form.

Milestone 1

Currently, administrators can change their Kerberos configuration to krb5.conf whenever it is most convenient. IT Services strongly encourages that this change be made before July 24.

The production krb5.conf file will ensure that authentication to your applications runs normally when the Kerberos upgrade is completed on August 6. To test your application, use the QA krb5.conf file.

Milestone 2

IT Services will begin moving Kerberos traffic to the new Kerberos 1.11.2 systems on July 24. This is an intermediary step in the upgrade process and should be transparent to Kerberos users.

If you experience any issues or don’t upgrade your system before July 24, please call the IT Services Support Desk at (517) 884-3000 or fill out this contact form for assistance.

Milestone 3

On August 6, MSU IT Services will complete the Kerberos authentication software upgrade to version 1.11.2. This means any applications not prepared for the new release won’t be able to authenticate.

This milestone will only be visible to Kerberos users whose applications have not been prepared for the new version.

Milestone 4

On September 24, IT Services will turn off the 1.6.3 KDC. All Kerberos services will be running on the most current Kerberos release at this point.

Further information and instructions for this upgrade are available.