After almost 30 years of use, ITS has retired Heimdal Kerberos, a longstanding login service at Carolina. ITS’ Identity & Access Management team transitioned Carolina’s logins from using Heimdal Kerberos to Microsoft Active Directory.
Even for many IT professionals, Heimdal Kerberos isn’t a familiar term. But according to Celeste Copeland, Manager of Identity & Access Management, “it’s been in our infrastructure forever.”
Heimdal Kerberos was first implemented at UNC in the mid-1990s as a central part of UNC-Chapel Hill’s identity and access management system. That means it began facilitating logins before Onyens even existed.
The move to Active Directory streamlines operations and modernizes UNC’s identity and access management systems. The project spanned a year of active work and touched many teams at ITS.
Secure, but aging, service
Kerberos is a network authentication protocol that ensures secure identity verification over non-secure networks by using secret key cryptography. With Kerberos, information obtained from your login, your Onyen and password, is used to create a Kerberos ticket. This ticket is then used to authenticate to Kerberos-aware services.
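To make the ticket flow above concrete, here is a small model of the three Kerberos exchanges (login to the authentication service, ticket request from the ticket-granting service, and presenting the ticket to a Kerberos-aware service). It is an added illustration, not code from UNC ITS or from Heimdal; the realm `EXAMPLE.REALM`, the principals `alice` and `host/web.example`, and the passwords are constructed, and the `seal`/`unseal` helpers are a stdlib-only stand-in for Kerberos' real encryption types. The point it shows is the one the paragraph makes: the password is only ever used on the user's own machine to derive a key, every ticket is sealed under a key the client does not hold, and the service verifies the ticket with its own key without ever seeing a password.

```python
import hashlib
import hmac
import json
import os
import time

# Added illustration, not UNC's or Heimdal's code. Names and passwords are constructed;
# the cipher is a toy stand-in for Kerberos encryption types, not for production use.

def string_to_key(password: str, salt: str) -> bytes:
    """Derive a principal's long-term key from its password (Kerberos 'string-to-key')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, payload: dict) -> bytes:
    """Toy encrypt-then-MAC: XOR with a SHA-256 keystream, then an HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    pt = json.dumps(payload).encode()
    ct = bytes(b ^ k for b, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` (wrong key or tampering) before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(b ^ k for b, k in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Center: the only party holding every principal's long-term key."""
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}                 # principal -> long-term key; never sent anywhere
        self.tgs_key = os.urandom(32)  # seals ticket-granting tickets (TGTs)

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm + principal)

    def as_exchange(self, principal: str):
        """AS-REQ/AS-REP: a TGT plus a session key sealed under the user's long-term key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "key": session, "exp": time.time() + 8 * 3600})
        return tgt, seal(self.keys[principal], {"key": session})  # only the password holder can open this

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: prove possession of the TGT session key, receive a service ticket."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise PermissionError("TGT/authenticator mismatch or expired")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": session, "exp": time.time() + 3600})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session, "service": service})

def client_login(kdc: KDC, principal: str, password: str) -> dict:
    """The password is used only locally to open the AS-REP; it never goes on the wire."""
    tgt, enc = kdc.as_exchange(principal)
    key = string_to_key(password, kdc.realm + principal)
    return {"principal": principal, "tgt": tgt, "tgt_key": unseal(key, enc)["key"]}  # wrong password -> ValueError

def client_service_ticket(kdc: KDC, cred: dict, service: str):
    tgt_key = bytes.fromhex(cred["tgt_key"])
    auth = seal(tgt_key, {"client": cred["principal"], "ts": time.time()})
    ticket, enc = kdc.tgs_exchange(cred["tgt"], auth, service)
    session = bytes.fromhex(unseal(tgt_key, enc)["key"])
    return ticket, seal(session, {"client": cred["principal"], "ts": time.time()})

def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes):
    """A Kerberos-aware service checks the ticket with its own key and never sees a password."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or time.time() > t["exp"] or abs(time.time() - a["ts"]) > 300:
        return None
    return t["client"]

def demo() -> dict:
    kdc = KDC("EXAMPLE.REALM")                                       # constructed realm
    kdc.enroll("alice", "correct-horse")                              # constructed user principal
    kdc.enroll("host/web.example", "svc-secret")                      # constructed service principal
    svc_key = string_to_key("svc-secret", kdc.realm + "host/web.example")  # the service's keytab
    cred = client_login(kdc, "alice", "correct-horse")
    ticket, auth = client_service_ticket(kdc, cred, "host/web.example")
    out = {"service_saw": service_verify(svc_key, ticket, auth)}
    try:
        client_login(kdc, "alice", "wrong-password")
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    return out
```

Running `demo()` returns `{"service_saw": "alice", "wrong_password_rejected": True}`: the service learns the client's principal name from a ticket only the KDC could have sealed, and a wrong password fails locally because the AS-REP cannot be opened, which is why the KDC never needs to receive the password itself.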
Heimdal Kerberos is a secure tool, but the evolving technology landscape has highlighted some limitations. As the software aged, it became increasingly difficult for the team to maintain.
“Unfortunately, this is a really antiquated piece of software. Java libraries no longer support the administrative interface to manage Kerberos accounts,” Copeland said. “So, if we want to keep our Java services up to date and secure, we need to either build our own libraries or we need to move to something else.”
Another reason to move? Jan Tax, who has managed the system almost since its inception, is retiring this year. At the launch of the project, Copeland joked that Tax hoped that he could “retire this before he himself retires.”
What’s in a name?

The name Heimdal Kerberos contains a double dose of mythology.
Kerberos is an alternate spelling of Cerberus, the three-headed dog that guards the gates of the underworld in Greek mythology. The Kerberos protocol was originally created in 1988 by the Massachusetts Institute of Technology and later divided into other implementations, including Heimdal Kerberos.
The name Heimdal, or Heimdallr, is from Norse mythology. Heimdal is a watchman god who guards the bridge Bifröst that connects Midgard, or Earth, to Asgard, the realm of the gods.
Move to Active Directory
At UNC, Heimdal Kerberos was primarily used for managing Onyen, GuestID and service account authentication. It also supported Single Sign-On and Lightweight Directory Access Protocol system integrations — all these functions needed to move to another service.
You use Single Sign-On (SSO) when you log into many systems at Carolina, including ConnectCarolina, Time Information Management (TIM) and Canvas.
Lightweight Directory Access Protocol (LDAP) is the system behind the University’s directory.
While Heimdal Kerberos underpinned Onyen logins for years, it wasn’t the only system in use at Carolina.
“We already have this other Onyen repository for passwords, which is Microsoft Active Directory,” Copeland said. “We’ve been syncing these passwords from Heimdal Kerberos to Active Directory (AD) since AD started up on campus many years ago. It’s just time to make the switch.”
Consolidating to Active Directory reduced the number of systems the Identity team maintains. Also, “it allows us to keep our systems upgraded,” Copeland said. Active Directory does not use the Kerberos admin protocol to manage accounts, so the team can keep up with new Java releases. “We won’t have to write these new libraries ourselves,” she added.
Tendrils and edge cases
“This kind of ingrained infrastructure is always trickier than you think it’s going to be,” Copeland said. “There were so many tendrils of this system everywhere, and so many weird edge cases, that I was constantly worried we were going to overlook something major.”
The transition to Active Directory was complicated and took groups from across ITS about a year to complete. The team “pulled this off with very minor issues afterwards — but that is due to the incredible amount of support the IAM team received from all quarters,” she said.

Challenging transition held surprises
Copeland called the entire transition “very challenging,” and said that the team anticipated many obstacles but there were still a few surprises.
Two challenges the team didn’t anticipate? PID merges and Onyen renames.
First, PID merges. A PID is a person ID number. PID merges often happen when someone returns to campus and “their data looks really different,” Copeland explained. PIDs and Onyens, UNC’s two main identifiers, are never reused or assigned to anyone else. If you leave Carolina and return, your PID and Onyen will be reactivated.
Sometimes, “we don’t realize they were here in the past and we create another PID because that data looks so different. Maybe they were a student but they’re starting as an employee now. Maybe they had a name change. Or maybe their address is really different. And when we find out that this person has been here in the past, their identities need to be merged. That’s called a PID merge.”
Second, Onyen renames. Generally, once you make an Onyen, it doesn’t change. However, there are some circumstances that allow for an Onyen rename. These include a legal name change, a personal security issue referred by the Office of University Counsel or University Police, a clearly offensive Onyen, or the need to resolve a technical issue. It turns out that these Onyen renames had never been handled automatically in AD. “They’re always a manual process, and we have several Onyen rename requests per week,” Copeland said. “So, we needed to automate those as part of this project as well.”
Additional benefits
The transition to Active Directory significantly reduced the number of systems that need to be maintained, allowing the Identity team to focus on keeping the infrastructure secure and current.
In addition to moving the management of Onyen and Guest ID accounts to Active Directory, the team also migrated the authentication principals for about 150 service accounts and made configuration changes to about 250 hosts to switch their authentication to Active Directory.
While most of the work is behind the scenes, the migration does have a benefit to users. For teams at Carolina whose systems used LDAP or Kerberos authentication, this migration gave them an opportunity to switch to Single Sign-On. With SSO, administrators can strengthen security by requiring 2-Step Verification and users can streamline their logins with Carolina Key, UNC’s passwordless login.