In September 2006, IT Services introduced new desktop software, Stanford Desktop Tools, that will gradually replace PC-Leland and MacLeland, and that includes important new features.
This software is being developed as part of a larger effort to retire Kerberos version 4, an authentication mechanism still used by some online services at Stanford, in favor of Kerberos version 5. Kerberos is the underlying technology that lets the Web servers "know" that you are who you say you are when, for example, you enter your SUNet ID and password to access restricted resources on the Stanford Web.
Why Is Stanford Doing This?
Stanford decided to move to Kerberos 5 because:
- Kerberos 5 is more secure than Kerberos 4, and is now in much wider use.
- Stanford's implementation of Kerberos 4 is idiosyncratic and hard to maintain.
- Newer software programs that require authentication often support only Kerberos 5.
What New Software Will Be Available?
Stanford Software Update (SSU): Around September 15, Stanford Software Update (SSU) became available for download as a component of Stanford Desktop Tools. SSU allows you to schedule the automatic installation of updates to selected software on your computer, such as the new Network Identity Manager for Windows. (See below.)
Over the next several months, local IT support staff will install Stanford Desktop Tools on computers that run Windows 2000, XP and later, and Mac OS X 10.4 and later. It will also be available to Stanford faculty, students, and staff who manage their own computers. If you have any questions, please contact your local IT support staff or submit a HelpSU ticket.
To download Stanford Desktop Tools yourself, which will install SSU along with Network Identity Manager for Windows and will configure Kerberos for the Macintosh, please visit the Windows or Macintosh download pages at:
Network Identity Manager (Windows Only): Network Identity Manager replaces the familiar sign-on dialog box displayed by PC-Leland. Network Identity Manager, just like PC-Leland, lets you obtain the Kerberos "credentials" necessary to access resources on the Stanford network, such as calendar or email services, when you supply your SUNet ID and password. The Network Identity Manager "new credentials" dialog box is shown below:
Kerberos for the Mac: Kerberos software compatible with Stanford's infrastructure has been bundled with Mac OS since the release of OS X 10.2. When you install Stanford Desktop Tools for the Mac, Mac OS X's Kerberos software will be configured for use at Stanford, and MacLeland, if present, will be removed from your system. Whenever your SUNet ID and password are required, you'll be prompted to enter them.
Individuals who currently use PC-AFS (replaced by OpenAFS in July of 2006) or MacAFS to access Stanford's network file system will have the same access by way of Stanford Desktop Tools. The Tools installer will detect and remove, if necessary, any old versions of AFS client software that are no longer supported, and will allow you to upgrade to a newer version if you wish to do so. Any files you may have saved in any AFS folders to which you have access will not be affected. See also OpenAFS for Windows and Mac Systems in this issue.
Retiring Kerberos 4
Over the next several months, Windows and Mac users across campus will need to download Stanford Desktop Tools from the Essential Stanford Software Web site. Once all of the desktop computers and centrally maintained servers at Stanford are prepared to use Kerberos 5 authentication exclusively, IT Services will retire its existing Kerberos 4 infrastructure.