Microsoft accused of Kerberos hijack

Microsoft's Windows 2000 implementation of open security standard Kerberos came under fire from software developers last week, after it emerged the software giant has undermined the standard with undocumented modifications.

James Middleton, Network News

Open internet security standard Kerberos has been incorporated into Windows 2000 to prevent user passwords from being sent over a network, where they are vulnerable to sniffers. Controversy arose when it was discovered that in incorporating the standard, Microsoft had amended the Kerberos code to produce a version called Microsoft Kerberos.

But Ted Ts'o, who led the MIT development team that created Kerberos, said that Microsoft's revision of the security standard would pose serious back-end integration problems for e-businesses.

Ts'o labelled the product as a "proprietary version," and Paul Hill, current Kerberos team leader, said he objected to Microsoft participating in IETF's Kerberos working group and implementing changes before submitting them. "They are trying to create a de facto standard and make everyone comply with it. This process is not embrace-and-extend, but embrace-and-deform," said Hill.

Shanen Boettcher, Windows 2000 product manager, said Unix workstations and Windows 2000 desktops may log into a Unix Kerberos server. However, he admitted Windows 2000 desktops cannot connect and receive access to Windows 2000 resources. He claimed the software giant was only making use of a feature that already existed in the standard but had so far been left blank.

The data authorisation field on the Kerberos ticket is filled in by the server with access privileges, and ties the client to the Windows server.

But Boettcher admitted the change is not documented, and the contents of the field are unavailable. "We have been asked to document them, and we are trying to figure out what to do with that request," he said.

Ts'o explained that developers can't take advantage of the Microsoft changes and build them into products that work with Windows 2000. He said that if you want all the features of Windows 2000 clients, you have to use a Windows server. "No one else uses the data authorisation field this way. It's no longer an open standard," he said.

Kerberos is widely used for user identification on Unix systems. It avoids sending passwords over a network, where they may be sniffed, by sending encrypted messages from the user to a Kerberos security server. Once verification is established, an encrypted access ticket is issued to the client.

Microsoft's amended code connects client and server through a Microsoft-specific version of Kerberos.
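The exchange described above (a key derived from the password, encrypted pre-authentication instead of a password on the wire, and a ticket whose authorization data is filled in by the server and readable only by the service) as an added Python model written for this page, not code from MIT Kerberos or Windows 2000. The `seal`/`unseal` cipher and the PBKDF2 key derivation are constructed stand-ins for the real Kerberos encryption types, and the principal and service names are invented.

```python
import hashlib, hmac, json, os, time

def derive_key(password: str, principal: str) -> bytes:
    """Client long-term key from the password (PBKDF2 stands in for Kerberos string-to-key; assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption: a constructed stand-in, not a real Kerberos enctype."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Kerberos security server: knows every principal's key and fills in the ticket's authorization data."""
    def __init__(self):
        self.keys, self.authz = {}, {}

    def as_exchange(self, principal: str, preauth: bytes, service: str):
        # Pre-authentication: a timestamp encrypted under the client's key proves knowledge of the
        # password without the password itself ever crossing the network.
        ts = unseal(self.keys[principal], preauth)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise PermissionError("stale pre-authentication timestamp (replay or clock skew)")
        session = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": principal, "session": session,
                                           "authorization-data": self.authz.get(principal, [])})
        return ticket, seal(self.keys[principal], {"service": service, "session": session})

def client_login(kdc: KDC, principal: str, password: str, service: str):
    """Client side: sends no password, gets back an opaque ticket and its copy of the session key."""
    key = derive_key(password, principal)
    ticket, enc_part = kdc.as_exchange(principal, seal(key, {"timestamp": time.time()}), service)
    return ticket, unseal(key, enc_part)["session"]

def service_accept(service_key: bytes, ticket: bytes):
    """Service side: only the service key opens the ticket and the KDC-supplied authorization data."""
    t = unseal(service_key, ticket)
    return t["client"], t["session"], t["authorization-data"]
```

Running it shows that a client holding only its own key cannot open the ticket, so whatever the server writes into the authorization data is visible only to a service that shares a key with the KDC.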
