Details About PennKey Types

Types of PennKeys

Type of PennKey Format & Example
User

<PennName>@UPENN.EDU
Example:
thompson@UPENN.EDU
-----------------------------------
Everyone needs one

KAdmin <PennName>/kadmin-
<domainname>@UPENN.EDU
Example:
thompson/kadmin-da.isc.upenn.edu@UPENN.EDU
-----------------------------------
Need one for each DNS domain you administer or more-general DNS domain
Service

<component>/<domainname>
@UPENN.EDU
Example: host/pobox.upenn.edu
@UPENN.EDU
-----------------------------------
Roughly one per service per host, though some are shared by several services. If the host has multiple DNS records, one Service PennKey is needed for each "A record". CNAME records do not need their own Service PennKeys.

Cross-Realm Trust <PennName>/kadmin-
<Windows2000 domain in caps>@UPENN.EDU
Example:
smedley/kadmin-EXAMPLE-DC.UPENN.EDU@UPENN.EDU
-----------------------------------
Only one needed per Windows 2000 "realm" that will have one-way trust relationship with the U. Penn MIT KDC
  1. one "KAdmin PennKey" per machine you are installing onto -- for creating Host PennKeys which will support kerberized services on that machine

  2. one "Service PennKey" per machine per kerberized service you will install (though some Service PennKeys will support more than one kerberized service) -- supports authentication between ticket server and the service on your machine. (*Authorization* is still the job of your service!)

  3. one "Cross-Realm PennKey" per local Kerberos "realm" (e.g., a Windows 2000 "domain") which you will configure so users may authenticate to a local Kerberos or Windows 2000 server using their PennKeys.

Information needed from you for processing request is listed immediately below.

"... [T]he KAdmin PennKey type allows the owner to create Service PennKeys and other, more specific KAdmin PennKeys (but note KAdmin PennKeys do not allow creating User PennKeys). An example of a KAdmin PennKey is phanatic/kadmin-philly.athletics.upenn.edu@UPENN.EDU, allowing the owner to create Service and KAdmin PennKeys for philly.athletics.upenn.edu, a1.philly.athletics.upenn.edu and other domains more specific than athletics.upenn.edu."

HOME...