
CalNetAD Planning Committee

December 11, 2003

Room 60, Barrows Hall, 2-3:30 PM

Updated: 12/18/2003


Agenda


  1. Workstation and Microcomputer Facilities (WMF) report (Tim Faircloth)

  2. New 'Move User Account' Web page (Arden)

  3. CalNetPKI Service Outline and Documentation (Eric)

  4. VPN Pilot (Karl)

  5. Integrated Authentication GPO (Eric)

  6. Other Business

    • Synchronization Updates

    • Winter Holiday Coverage 2003-2004

Notes

Workstation and Microcomputer Facilities (WMF) report (Tim Faircloth)

The Workstation & Microcomputer Facilities (WMF) moved 13 separate computer labs from Novell NetWare to Active Directory in the summer of 2003. Tim gave a report on their migration and transition experiences for their Windows and Macintosh workstations. Tim's complete report is available here (in PDF format).

New 'Move User Account' Web page (Arden)

Arden has developed a new web-based 'move user account' utility that OU administrators can use to move accounts from the default FSA (Faculty, Staff, Affiliates) OU into the OU they manage. OU administrators will no longer be required to send email to the CalNetAD team to request user account moves to their OU; however, requests that are sent will still be processed. Documentation and access to the new page are available at: http://calnetad.berkeley.edu/support/webadmin/moveuser/index.html.

CalNetPKI Service Outline and Documentation (Eric)

Eric has been busy developing, implementing, and documenting the various components of the new CalNetPKI service. Information on the current PKI implementation and the certificates that are currently available is at: http://calnetad.berkeley.edu/documentation/calnetpki/. Send any comments, questions, or requests to Eric. As service offerings become more defined, additional documentation will be added to the web site.

VPN Pilot (Karl)

CNS is currently running a pilot VPN service which, among other benefits, allows a computer at a remote location to join the campus domains and participate in CalNetAD forest activities via an ISP's network access. To participate, join the majordomo mailing list "vpn-pilot@listlink", through which further instructions will be provided.

In my testing so far, I have been able to join a Windows XP Pro system and fully participate in the CAMPUS domain via my Comcast access. My particular home networking setup (using a Netgear RT311 gateway router to provide NAT) required that I use the "Transparent Tunneling" feature of the client software, using the recommended "IPSec over TCP" mode.

From the Cisco docs where they discuss Transparent Tunneling:

"Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol-50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling transparent tunneling."

Integrated Authentication GPO (Eric)

There is a growing interest in and use of Microsoft products, such as SharePoint, that use integrated authentication. Eric asked the committee whether it would be worthwhile to apply a GPO at the domain level that would enable Berkeley sites to use integrated authentication with Internet Explorer. The committee agreed, as long as the sites that could be trusted were specifically identified. OU administrators would be able to implement GPOs for their OUs to augment the list of servers.

Other Business

Karl informed the committee of two future changes to the synchronization process that are currently being developed:

  1. Email attribute -- the email attribute will be synchronized with CalNet. Only those email addresses that have been approved for public release by their owners will be synchronized. Additional ACLs will be applied to the email attribute to prevent 'harvesting' of the email address in Active Directory.

  2. AltSecIdentities attribute -- the AltSecIdentities attribute, which holds additional Kerberos authentication identities, will be modified to carry all of the Kerberos identities a person may have. For example, a student-employee will have both their student CalNet ID and their employee CalNet ID stored in this attribute. This will allow an individual to use either CalNet ID to log in to Active Directory.

Winter Holiday Coverage 2003-2004

CalNetAD will be up, but system support will be reduced from 5:00 PM, Tuesday, December 23 through 8:00 AM, Friday, December 26, and from 5:00 PM, Tuesday, December 30 through 8:00 AM, Friday, January 2. CalNetAD will be monitored for security; however, if other system problems develop during hours of reduced support, they will not be fixed until normal operations resume.

To report a system problem, please call the Trouble Desk (642-4920).
