Network Identity Manager version 2.0 implements the long awaited support for multiple Identity Providers as well as many usability improvements that were recommended during the SOUPS 2007 conference held at Carnegie Mellon University.
An Identity Provider in Network Identity Manager is the module that determines which credential type can be used to define a Network Identity. In Network Identity Manager v1 there is a restriction that only one Identity Provider can be loaded at a time. The only Identity Provider that shipped with Kerberos for Windows 3.2.x supports Kerberos v5 principals as the network identity. Many other credential types have been supported including AFS, Kerberos v4, Kerberized X.509 certificates, and proprietary web browser credentials. These credentials could all be obtained using the Kerberos v5 identity credential but none of them could be used to define a Network Identity. Multiple Identity Providers permit Network Identity Manager to become a general purpose end-user management tool for Network Identities. No longer will be be tied strictly to Kerberos v5.
The second Identity Provider being shipped by Secure Endpoints is the KeyStore, an Identity Provider that permits a user to obtain credentials for multiple Network Identities with a single local authentication. A typical use case is a user that has Kerberos v5 identities in multiple Kerberos v5 realms that do not have a cross-realm key exchange. Using the KeyStore provider, the passwords for multiple Kerberos v5 identities can be encrypted and stored in the Windows Profile or on removable storage. When the user obtains new credentials using the KeyStore identity, the KeyStore is unlocked and all of the configured Network Identities protected by the KeyStore attempt to fetch all of the configured credential types.
In the future an X.509 Certificate Identity Provider can be implemented which can be used to obtain Kerberos v5 credentials via PKINIT or to request or revoke X.509 certificates from Grid Certificate Authorities. As there is as yet no PKINIT support provided by Kerberos for Windows, this provider has not yet been implemented.
Several usability issues in Network Identity Manager version 1.3 were highlighted by the SOUPS 2007 attendees. For starters, why does a user need to remember both a username and realm and enter them separately? This interface was a hold over from the user interfaces of the 90s. When Network Identity Manager was designed we repeatedly received feedback from help desk personnel saying "Please do not make the user interface different from Leash32 and similar Kerberos Ticket Managers. The users are already trained to enter user, realm, password." It turns out that although the users may have been trained to do things that way, that is not the way that users would like to select their identity. Once a Network Identity is configured, it is much easier for users to select it from a list of identities than type the identity names each time.
Another frequently heard complaint about Network Identity Manager v1 is that it is too complicated to configure a network identity to obtain all of the required credentials. At many sites Network Identity Manager is used not only to obtain a Kerberos v5 TGT but also to obtain a Kerberized X.509 certificate for use in web or grid authentication, AFS tokens to one or more AFS cells and perhaps a Kerberos v4 TGT for use with applications that have yet to be migrated to Kerberos v5. Each credential provider must be configured by the user but there was no wizard that walked the user through the dialogs during network identity creation.
To address this we have added a New Identity Wizard.
From the Obtain New Credentials ... dialog the user chooses to create a new network identity.
Then selects the identity type and specifies the network identifiers.
To complete the operation, the user configures the credentials and optionally stores the secret and the identity configuration into the KeyStore.
Another improvement that was suggested at SOUPS 2007 was to provide better feedback to the user regarding what steps are taking place to complete the credentials acquisition. For a user with multiple Kerberos v5 identities each of which are obtaining Kerberized X.509 certificates and multiple AFS tokens, the credentials acquisition can take a minute or two. The new progress dialogs should help considerably.
The user interface has been spiffed up quite a bit. Each Network Identity can be assigned its own icon. It can be one that represents the institution or one that the user selects to make the Network Identity recognizable. The battery control not only displays the relative lifetime remaining for the identity credentials but can also be pressed to initiate a renewal. The newly added star is used to indicate which Network Identity is the default identity. This replaces the rather awkward shading that was used in version 1. There is also a summary line for each identity indicating which types of derived credentials have been obtained.
Network Identity Manager version 1.3.x release was bundled as part of the MIT Kerberos for Windows 3.2.x. Network Identity Manager version 2.0 will be its own distribution that upgrades the Network Identity Manager components installed by KFW.
Version 2.0 installers will upgrade the KFW binaries. Note that because this installer upgrades the Network Identity Manager components of KFW, it is not possible to revert to the previous version by simply uninstalling Network Identity Manager version 2.0. Both Network Identity Manager and KFW must be uninstalled and then KFW be re-installed to restore the previous version.
Please read the Version 2.0 User Documentation.
A summary of changes in the 220.127.116.117 release.
This page was last updated 09/08/10