Active Directory

Authenticate and Update

Most IPAM and DNS solutions allow only one Domain Controller per name server for synchronizing DNS data. Furthermore, the synchronization itself is mostly insecure, because IPAM providers often avoid the complex and error-prone Kerberos authentication. TCPWave IPAM goes one step further and allows a seamless and secure integration of multiple Active Directory Domain Controllers per name server. This unique integration of an Active Directory Forest with TCPWave IPAM managed DNS appliances helps organizations minimize their costs by deploying only an optimum number of name servers. How does it work? First, define the enterprise's Active Directory servers in the TCPWave IPAM. Then, upload the Active Directory Kerberos keytab file to the IPAM Web Interface. Finally, map the Active Directory servers to the TCPWave DNS Appliances for synchronization.


GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm that uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality. GSS-TSIG uses a mechanism like SPNEGO with Kerberos or NTLM. In Windows, this implementation is called Secure Dynamic Update as mentioned above. GSS-TSIG uses TKEY records for key exchange between the DNS client and the appliance in GSS-TSIG mode. For authentication between the DNS client and Active Directory, the AS-REQ, AS-REP, TGS-REQ and TGS-REP exchanges must take place for ticket granting and for establishing a security context. The security context has a limited lifetime during which dynamic updates to the DNS appliance can take place.
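The TKEY record and the limited context lifetime described above can be checked in code. The following is an added example, not TCPWave code: it parses TKEY RDATA using the field layout from RFC 2930 and tests whether a record is an error-free GSS-TSIG negotiation inside its validity window. The function names and the sample bytes are constructed for illustration, and treating Inception/Expiration as the usable window is a simplifying assumption.

```python
import struct

GSS_API_MODE = 3            # TKEY mode "GSS-API negotiation" (RFC 2930)
GSS_TSIG_ALG = "gss-tsig"   # algorithm name carried by GSS-TSIG (RFC 3645)

def read_name(buf, off):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while off < len(buf):
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n > 63 or off + n > len(buf):
            raise ValueError("bad or compressed label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    raise ValueError("truncated name")

def parse_tkey(rdata):
    """Parse TKEY RDATA: algorithm, times, mode, error, key data, other data."""
    alg, off = read_name(rdata, 0)
    if len(rdata) < off + 14:
        raise ValueError("truncated fixed fields")
    inception, expiration, mode, error, ksize = struct.unpack_from("!IIHHH", rdata, off)
    off += 14
    key, off = rdata[off:off + ksize], off + ksize
    if len(key) != ksize or len(rdata) < off + 2:
        raise ValueError("truncated key data")
    (osize,) = struct.unpack_from("!H", rdata, off)
    if len(rdata) != off + 2 + osize:
        raise ValueError("bad other-data length")
    return {"algorithm": alg, "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key": key}

def context_usable(tkey, now):
    """True if the record is an error-free GSS-TSIG negotiation valid at `now`.
    Assumption: plain integer comparison, ignoring 32-bit timestamp wraparound."""
    return (tkey["algorithm"] == GSS_TSIG_ALG and tkey["mode"] == GSS_API_MODE
            and tkey["error"] == 0
            and tkey["inception"] <= now < tkey["expiration"])

# Constructed sample: one-hour window, 4 placeholder bytes standing in for the GSS token.
SAMPLE = (b"\x08gss-tsig\x00"
          + struct.pack("!IIHHH", 1_700_000_000, 1_700_003_600, GSS_API_MODE, 0, 4)
          + b"\xde\xad\xbe\xef" + struct.pack("!H", 0))

if __name__ == "__main__":
    rec = parse_tkey(SAMPLE)
    print(rec["algorithm"], rec["mode"], context_usable(rec, 1_700_000_100))
```

A record that fails `context_usable` (wrong mode, non-zero error, or outside the window) is one whose key should not be accepted for signing dynamic updates.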