Support for the legacy Heimdal Kerberos authentication protocol is ending and ITS is migrating impacted service accounts to Active Directory (AD). Additional background on this project is available on the Project Portfolio.
Project impacts
- The owners of all impacted accounts will be notified and given the opportunity to book a consultation with Identity and Access Management (IAM) staff to assist with the migration.
- Password changes will be required for every service account that will be migrated.
- The migration process will involve replicating the service account in AD with a new password and updating the service account entry in LDAP to point to AD.
- We do not anticipate any front-end impacts or downtime for end users of applications.
Timeline of change
- Impacted applications will be changed between 4/15/2024 and 6/14/2024.
- After the change period the Kerberos instance will be shut down and functionality will be migrated to the campus AD.
Getting help
- Identity and Access Management (IAM) staff will be available for consultations to assist with the migration.
- Consultations will be scheduled through a self-service process and take place during the change period of 4/15/2024 – 6/14/2024.
- An initial consultation meeting will be used to arrange the work that will be needed for the application migrations and answer questions.
- Service account owners will need to provide the following information to IAM staff:
- Name, department, and email address.
- List of service accounts and applications that are authenticating against Kerberos or LDAP.
- Indicate any applications that are sharing a service account.
- Indicate environments that applications and service accounts for each service account or application where known (DEV, TST, SPT, PRD).
- The owner of each service account and email address for the owner.
- Are change plans required for production changes in your change management process? Do these need to be coordinated after business hours?