Penn Computing

Details about PennKey types

Types of PennKeys

| Type of PennKey | Format & Example | How Widely Used |
|---|---|---|
| User | <PennName>@UPENN.EDU (example: thompson@UPENN.EDU) | Everyone needs one |
| KAdmin | <PennName>/kadmin-<domainname>@UPENN.EDU (example: thompson/kadmin-da.isc.upenn.edu@UPENN.EDU) | One is needed for each DNS domain you administer, or for a more general DNS domain |
| Service | <component>/<domainname>@UPENN.EDU (example: host/pobox.upenn.edu@UPENN.EDU) | Roughly one per service per host, though some are shared by several services. If the host has multiple DNS records, one Service PennKey is needed for each "A record". CNAME records do not need their own Service PennKeys. |
| Cross-Realm Trust | <PennName>/kadmin-<Windows 2000 domain in caps>@UPENN.EDU (example: smedley/kadmin-EXAMPLE-DC.UPENN.EDU@UPENN.EDU) | Only one is needed per Windows 2000 "realm" that will have a one-way trust relationship with the U. Penn MIT KDC |

  1. one "KAdmin PennKey" per machine you are installing onto -- for creating Host PennKeys which will support kerberized services on that machine

  2. one "Service PennKey" per machine per kerberized service you will install (though some Service PennKeys will support more than one kerberized service) -- supports authentication between ticket server and the service on your machine. (*Authorization* is still the job of your service!)

  3. one "Cross-Realm PennKey" per local Kerberos "realm" (e.g., a Windows 2000 "domain") which you will configure so users may authenticate to a local Kerberos or Windows 2000 server using their PennKeys.

The information needed from you to process the request is listed immediately below.

"... [T]he KAdmin PennKey type allows the owner to create Service PennKeys and other, more specific KAdmin PennKeys (but note KAdmin PennKeys do not allow creating User PennKeys). An example of a KAdmin PennKey is phanatic/kadmin-philly.athletics.upenn.edu@UPENN.EDU, allowing the owner to create Service and KAdmin PennKeys for philly.athletics.upenn.edu, a1.philly.athletics.upenn.edu and other domains more specific than athletics.upenn.edu."
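The naming formats in the table and the KAdmin scoping rule quoted above can be checked mechanically. The following is an added example, not ISC's own code: the function names `classify` and `kadmin_may_create` are hypothetical, and it assumes that a KAdmin PennKey covers its named domain plus any subdomain matched on a DNS label boundary, and that an all-caps domain marks a Cross-Realm Trust PennKey.

```python
import re

REALM = "UPENN.EDU"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_PRINCIPAL = re.compile(
    rf"(?P<primary>[A-Za-z0-9_-]+)(?:/(?P<instance>[^/@]+))?@{re.escape(REALM)}"
)


def classify(principal):
    """Return (pennkey_type, primary, domain) or raise ValueError."""
    m = _PRINCIPAL.fullmatch(principal)
    if m is None:
        raise ValueError(f"not a {REALM} principal: {principal!r}")
    primary, instance = m.group("primary"), m.group("instance")
    if instance is None:
        return ("User", primary, None)
    is_kadmin = instance.startswith("kadmin-")
    domain = instance[len("kadmin-"):] if is_kadmin else instance
    if _DOMAIN.fullmatch(domain) is None:
        raise ValueError(f"bad domain component: {domain!r}")
    if not is_kadmin:
        return ("Service", primary, domain)
    # The page writes the Windows 2000 domain of a Cross-Realm Trust key in caps.
    return ("Cross-Realm Trust" if domain.isupper() else "KAdmin", primary, domain)


def kadmin_may_create(kadmin, target):
    """True if the KAdmin PennKey covers the domain of the target PennKey."""
    kind, _, scope = classify(kadmin)
    target_kind, _, target_domain = classify(target)
    if kind != "KAdmin" or target_kind not in ("Service", "KAdmin"):
        return False  # User PennKeys can never be created this way
    scope, target_domain = scope.lower(), target_domain.lower()
    # Assumption: compare on a label boundary so "notphilly..." is out of scope.
    return target_domain == scope or target_domain.endswith("." + scope)


if __name__ == "__main__":
    # Principals taken from the page's examples.
    for p in ("thompson@UPENN.EDU", "host/pobox.upenn.edu@UPENN.EDU",
              "smedley/kadmin-EXAMPLE-DC.UPENN.EDU@UPENN.EDU"):
        print(p, "->", classify(p))
```

A plain string suffix test without the leading dot would treat a sibling host such as `notphilly.athletics.upenn.edu` as in scope, which is why the comparison is anchored on the label boundary.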


Information Systems and Computing
University of Pennsylvania