We have had requests for information from U.S. DoD customers regarding JTF-GNO Task Order 06-02 as it relates to Team Foundation Server. Please provide feedback as to the impact of this task order and our response to it. Our position is as follows:
The Kerberos protocol is the default authentication protocol for Windows Server 2003 and all current releases of Windows (client) OS’s. All Windows domain services support the Kerberos Security Service Provider, including Intranet authentication to Internet Information Services (IIS). Many other Windows Server applications are designed and developed to leverage Kerberos as well; these include SQL Server, Exchange Server, Internet Information Services (IIS) and many others. Visual Studio Team Foundation Services (TFS), built upon IIS simply relies on IIS and thus the Kerberos SSP for authentication purposes and the underlying Windows Server operating system for access control decisions.Like IIS, other native domain services reliant on Kerberos include: • Active Directory queries using the Lightweight Directory Access Protocol (LDAP)• Remote server or workstation management using RPC calls• Print services• Client-server authentication• Remote file access using the Common Internet File System/Server Message Block (CIFS/SMB)• Distributed file system management and referrals• Security authority authentication for Internet Protocol Security (IPSec)• Certificate requests to Certificate Services for domain user’s and computersCAC smartcard authentication against a Windows Server domain occurs via Kerberos and the PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) process. PKINIT provides a public key cryptography operation between a smartcard and the Kerberos protocol. Once a user is authenticated using their (DOD CAC) smartcard, they are at that point like any other user in the Windows domain in that authentication decisions and access control decisions are handled in a distributed manner via the Kerberos protocol and the various Windows Server applications. X.509 PKI authentication via (DOD CAC) smartcard to Visual Studio Team Foundation Services works exactly as described here and as such should be considered compliant with JTF-GNO Task Order 06-02 Update #3.
Again, we need your feedback.