SlideShare a Scribd company logo

Technet.microsoft.com

K
Kurt Kort

Kerberos Explained

EducationTechnology
1 of 6
Download to read offline
Kerberos Explained Page 1 of 6 Kerberos Explained By Mark Walla Article from the May 2000 issue of Windows 2000 Advantage magazine Although this article is billed as a primer to Kerberos authentication, it is a high technical review. Kerberos is an integral part of Windows 2000 Active Directory implementations, and anyone planning to deploy and maintain a Windows 2000 enterprise must have a working knowledge of the principals and administrative issues involved in this front-line security technology. Since many other operating system vendors are also adopting this MIT-developed authentication protocol, Kerberos Version 5 will increasingly become a centerpiece of enterprise-level interoperability. Kerberos provides secure user authentication with an industry standard that permits interoperability. The Active Directory domain controller maintains user account and log- in information to support the Kerberos service. The process of authenticating the identity of users during log-in is the first step in gaining system access. For local machines that aren't actively participating in a domain, Windows NT LAN Manager protocol is still utilized to verify a user's name and password before granting system access. However, in domain environments, Microsoft has coupled Active Directory closely with Kerberos. Once access is granted, tickets that permit specific access to other system resources within the domain are exchanged. On This Page Kerberos 101 Understanding Kerberos concepts Further Clarification of the Log-in Process Postscript Kerberos 101 Underlying Windows 2000 security is the concept of user authentication. The centralized account management supported by Active Directory Services requires a corresponding authentication protocol for network log-on. Based on RFC 1510, the Kerberos Version 5 protocol provides enhanced authentication for the distributed computing environment and standardization to interoperate with other operating systems. Defaulting to Kerberos NT LAN Manager is the authentication protocol used in Windows NT and in Windows 2000 work group environments. It is also employed in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. At the stage Windows 2000 is converted to native mode where no down-level Windows NT domain controllers exist, NT LAN Manager is disabled. Kerberos then becomes the default authentication technology for the enterprise. Top of page Understanding Kerberos concepts Kerberos Version 5 is standard on all versions of Windows 2000 and ensures the highest level of security to network resources. The Kerberos protocol name is based on the three- headed dog figure from Greek mythology known as Kerberos. The three heads of Kerberos comprise the Key Distribution Center (KDC), the client user and the server with the desired service to access. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). As exemplified in Figure 1, three exchanges are involved when the client initially accesses a server resource: http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
Kerberos Explained Page 2 of 6 1. AS Exchange 2. TGS Exchange 3. Client/Server (CS) Exchange 1 Figure 1: Let's take a closer look at this exchange process and its component parts. AS Exchange When initially logging on to a network, users must negotiate access by providing a log-in name and password in order to be verified by the AS portion of a KDC within their domain. The KDC has access to Active Directory user account information. Once successfully authenticated, the user is granted a Ticket to Get Tickets (TGT) that is valid for the local domain. The TGT has a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the user to re-enter his password. The TGT is cached on the local machine in volatile memory space and used to request sessions with services throughout the network. The following is a discussion of the TGT retrieval process. Example AS Administration The AS request identifies the client to the KDC in plain text. If preauthentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request. The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature. Access the user account from the Active Directory users and the computers will snap-in and select the account tab. From the account options: slide window, check mark the "Do not require Kerberos" preauthentication option (Figure 2). http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
Kerberos Explained Page 3 of 6 2 Figure 2: Disable Kerberos Preauthentication If the KDC approves the client's request for a TGT, the reply (referred to as the AS reply) will include two sections: a TGT encrypted with a key that only the KDC (TGS) can decrypt and a session key encrypted with the user's password hash to handle future communications with the KDC. Because the client system cannot read the TGT contents, it must blindly present the ticket to the TGS for service tickets. The TGT includes time to live parameters, authorization data, a session key to use when communicating with the client and the client's name. TGS Exchange The user presents the TGT to the TGS portion of the KDC when desiring access to a server service. The TGS on the KDC authenticates the user's TGT and creates a ticket and session key for both the client and the remote server. This information, known as the service ticket, is then cached locally on the client machine. The TGS receives the client's TGT and reads it using its own key. If the TGS approves of the client's request, a service ticket is generated for both the client and the target server. The client reads its portion using the TGS session key retrieved earlier from the AS reply. The client presents the server portion of the TGS reply to the target server in the client/server exchange coming next. Client/Server Exchange Once the client user has the client/server service ticket, he can establish the session with the server service. The server can decrypt the information coming indirectly from the TGS using its own long-term key with the KDC. The service ticket is then used to authenticate the client user and establish a service session between the server and client. After the ticket's lifetime is exceeded, the service ticket must be renewed to use the service. Client/Server Exchange Detail The client blindly passes the server portion of the service ticket to the server in the client/server request to establish a client/server session. If mutual authentication is enabled, the target http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
Kerberos Explained Page 4 of 6 server returns a time stamp encrypted using the service ticket session key. If the time stamp decrypts correctly, not only has the client authenticated himself to the server, but the server also has authenticated itself to the client. The target server never has to directly communicate with the KDC. This reduces downtime and pressure on the KDC. Top of page Further Clarification of the Log-in Process A TGT and a service ticket are needed to access services on remote computers, but they are also required to successfully log on to a local system. When the log-on window appears, password encryption using a one-way hash algorithm occurs immediately and negotiations commence with the KDC for a valid TGT and service ticket. The process is the same as accessing a remote service. An access token is created for the user containing all security groups to which they belong. This access token is attached to the user's log-on session and is subsequently inherited by any process or application the user starts. Referral Tickets The AS and TGS functions are separate within the KDC. This permits the user to use the TGT obtained from an AS in his domain to obtain service tickets from a TGS in other domains. This is accomplished through referral tickets. Once a trust has been established between two domains, referral tickets can be granted to clients requesting authorization for services in other domains. When there is a trust established between the two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 3, a user client in Entcert1.com requests authority for a server in Entcert2.com. He utilizes referral tickets. The numbers in Figure 3 correspond to the following numbered explanations: 1. The client contacts its domain KDC TGS using a TGT. The KDC recognizes a request for a session with a foreign domain server and responds by returning a referral ticket for the KDC in the foreign domain. 2. The client contacts the KDC of the foreign domain with the referral ticket. This ticket is encrypted with the interdomain key. Given that the decryption works, the TGS service for the foreign domain returns a service ticket for the server service in Entcert2.com. 3. The client performs the client/server exchange with the server and begins the user session with the service. 3 Figure 3: Domain Referrals When more domains are involved, the referral process extends and involves the transitive properties between Windows 2000 domains. Maintaining individual two-way trusts between all domains creates a complex administrative nightmare. The use of Kerberos transitive domains cuts down on interdomain administration. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 11-4, Entcert1.com has a trust relationship with Entcert2.com. Entcert2.com has a trust relationship with Entcert3.com. There http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
Kerberos Explained Page 5 of 6 is no trust between Entcert1.com and Entcert3.com. A client from Entcert1.com accessing a service on a server in Entcert3.com would obtain a service ticket through the following steps (the numbers appearing in Figure 4 correspond to the following numbered explanations): 1. Use the TGS service in Entcert1.com to obtain a referral ticket for a KDC in Entcert2.com. 2. Use the referral ticket with the TGS service on the KDC in Entcert2.com and obtain a referral for Entcert3.com. 3. Use the second referral ticket with the TGS service on the KDC for Entcert3.com and obtain a service ticket for the server in Entcert3.com. 4. Use the Client/Server Exchange to open a session with the service in Entcert3.com. 4 Figure 4: Transitive Domain Trusts Delegation with Forwarding and Proxy Some server services require access to a second server, such as a back-end database. In order to establish a session with the second server, the primary server must be authenticated on behalf of the client's user account and authority level. This is common in a three-tier client/server model. This activity is commonly accomplished with proxy or forwarding authentication. Top of page Postscript The authentication process implemented by Kerberos is highly effective, but a few hundred words cannot do the subject justice. That is why I recommend that this article be used as a primer and that you seek more in-depth technical white papers, books or consulting services prior to actual implementation. Once you understand Kerberos and how it can serve both a pure Windows 2000 and mixed operating environment then your investment should pay high dividends. About the Author Mark Walla is senior partner at Enterprise Certified Corp. and can be reached at mwalla@EnterpriseCertified.com5. The company has established a special consulting practice on http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
Kerberos Explained Page 6 of 6 Kerberos and related Windows 2000 security issues. This article is extracted in part from The Ultimate Windows 2000 System Administrator's Guide (Williams & Walla, Addison Wesley 2000) ©Copyright 2000 G Robert Williams We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third- party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice. International rights = English only. International rights = English only. Top of page 6 6 Click to order Top of page Links Table 1 http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif 2 http://technet.microsoft.com/en-us/library/Bb742516.kerb02_big(l=en-us).gif 3 http://technet.microsoft.com/en-us/library/Bb742516.kerb03_big(l=en-us).gif 4 http://technet.microsoft.com/en-us/library/Bb742516.kerb04_big(l=en-us).gif 5 mailto:mwalla@enterprisecertified.com 6 http://www.windows2000advantage.com/ Community Content © 2012 Microsoft. All rights reserved. http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012

Recommended

Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
DBNCOET
 
Cued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocolCued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocol
IAEME Publication
 
Kerberos
KerberosKerberos
Kerberos
AJINKYA PATIL
 
Ch15
Ch15Ch15
Ch15
raja yasodhar
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos Protocol
Netwax Lab
 
Kerberos
KerberosKerberos
Kerberos
RafatSamreen
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 

Recommended

Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
DBNCOET
 
Cued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocolCued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocol
IAEME Publication
 
Kerberos
KerberosKerberos
Kerberos
AJINKYA PATIL
 
Ch15
Ch15Ch15
Ch15
raja yasodhar
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos Protocol
Netwax Lab
 
Kerberos
KerberosKerberos
Kerberos
RafatSamreen
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
J.D. Wade
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
Suraj Singh
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
Mayuri Patil
 
Kerberos
KerberosKerberos
Kerberos
Sparkbit
 
An Overview of Identity Based Encryption
An Overview of Identity Based EncryptionAn Overview of Identity Based Encryption
An Overview of Identity Based Encryption
Vertoda System
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
Nexgen Technology
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
Vidulatiwari
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
Shumon Huque
 
Ch14
Ch14Ch14
Ch14
Joe Christensen
 
Identity based encryption with outsourced revocation in cloud computing
Identity based encryption with outsourced revocation in cloud computingIdentity based encryption with outsourced revocation in cloud computing
Identity based encryption with outsourced revocation in cloud computing
CloudTechnologies
 
kerberos
kerberoskerberos
kerberos
sameer farooq
 
Kerberos
KerberosKerberos
Kerberos
Sudeep Shouche
 
Kerberos
KerberosKerberos
Kerberos
Rahul Pundir
 
Identity based encryption with cloud revocation authority and its applications
Identity based encryption with cloud revocation authority and its applicationsIdentity based encryption with cloud revocation authority and its applications
Identity based encryption with cloud revocation authority and its applications
Shakas Technologies
 
Kerberos
KerberosKerberos
Kerberos
Chaitanya Ram
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTINGIDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
Shakas Technologies
 
6- Continuïtat en l'acompanyament. Mercè Riquelme
6- Continuïtat en l'acompanyament. Mercè Riquelme6- Continuïtat en l'acompanyament. Mercè Riquelme
6- Continuïtat en l'acompanyament. Mercè Riquelme
Badalona Serveis Assistencials
 
New York City
New York CityNew York City
New York City
malecka04
 

More Related Content

What's hot

Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
Nexgen Technology
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTINGIDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
Shakas Technologies
 

What's hot (20)

Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 
Kerberos
KerberosKerberos
Kerberos
 
An Overview of Identity Based Encryption
An Overview of Identity Based EncryptionAn Overview of Identity Based Encryption
An Overview of Identity Based Encryption
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
 
CISSPills #1.02
CISSPills #1.02CISSPills #1.02
CISSPills #1.02
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
Ch14
Ch14Ch14
Ch14
 
Identity based encryption with outsourced revocation in cloud computing
Identity based encryption with outsourced revocation in cloud computingIdentity based encryption with outsourced revocation in cloud computing
Identity based encryption with outsourced revocation in cloud computing
 
kerberos
kerberoskerberos
kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Identity based encryption with cloud revocation authority and its applications
Identity based encryption with cloud revocation authority and its applicationsIdentity based encryption with cloud revocation authority and its applications
Identity based encryption with cloud revocation authority and its applications
 
Kerberos
KerberosKerberos
Kerberos
 
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTINGIDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
IDENTITY-BASED ENCRYPTION WITH OUTSOURCED REVOCATION IN CLOUD COMPUTING
 

Viewers also liked

Viewers also liked (7)

6- Continuïtat en l'acompanyament. Mercè Riquelme
6- Continuïtat en l'acompanyament. Mercè Riquelme6- Continuïtat en l'acompanyament. Mercè Riquelme
6- Continuïtat en l'acompanyament. Mercè Riquelme
 
New York City
New York CityNew York City
New York City
 
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.2~技術編~(HatchUp主催 渋谷Facebookアプリ勉強会)
 
Quin és el perfil d'un tutor? Josep-E Baños, rofessor de Medicina i ex vicer...
Quin és el perfil d'un tutor? Josep-E Baños, rofessor de Medicina i ex vicer...Quin és el perfil d'un tutor? Josep-E Baños, rofessor de Medicina i ex vicer...
Quin és el perfil d'un tutor? Josep-E Baños, rofessor de Medicina i ex vicer...
 
Ecological messages
Ecological messagesEcological messages
Ecological messages
 
fb-researchの舞台裏No.1(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.1(HatchUp主催 渋谷Facebookアプリ勉強会)fb-researchの舞台裏No.1(HatchUp主催 渋谷Facebookアプリ勉強会)
fb-researchの舞台裏No.1(HatchUp主催 渋谷Facebookアプリ勉強会)
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar to Technet.microsoft.com

Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
Shashwat Shriparv
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas City
J.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010
J.D. Wade
 
Asymmetric cryptography
Asymmetric cryptographyAsymmetric cryptography
Asymmetric cryptography
Service_supportAssignment
 

Similar to Technet.microsoft.com (20)

Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas City
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010
 
IRJET- Internal Security in Metropolitan Area Network using Kerberos
IRJET- Internal Security in Metropolitan Area Network using KerberosIRJET- Internal Security in Metropolitan Area Network using Kerberos
IRJET- Internal Security in Metropolitan Area Network using Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Golden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain PersistenceGolden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain Persistence
 
Null talk
Null talkNull talk
Null talk
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
 
kerb.ppt
kerb.pptkerb.ppt
kerb.ppt
 
50120130406006
5012013040600650120130406006
50120130406006
 
Asymmetric cryptography
Asymmetric cryptographyAsymmetric cryptography
Asymmetric cryptography
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
Azure applications performance checklist
Azure applications performance checklistAzure applications performance checklist
Azure applications performance checklist
 
Message queuing telemetry transport (mqtt) id and other type parameters
Message queuing telemetry transport (mqtt) id and other type parametersMessage queuing telemetry transport (mqtt) id and other type parameters
Message queuing telemetry transport (mqtt) id and other type parameters
 
Introducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and PerformanceIntroducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and Performance
 

Recently uploaded

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
MateoGardella
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Recently uploaded (20)

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 

Technet.microsoft.com

  • 1. Kerberos Explained Page 1 of 6 Kerberos Explained By Mark Walla Article from the May 2000 issue of Windows 2000 Advantage magazine Although this article is billed as a primer to Kerberos authentication, it is a high technical review. Kerberos is an integral part of Windows 2000 Active Directory implementations, and anyone planning to deploy and maintain a Windows 2000 enterprise must have a working knowledge of the principals and administrative issues involved in this front-line security technology. Since many other operating system vendors are also adopting this MIT-developed authentication protocol, Kerberos Version 5 will increasingly become a centerpiece of enterprise-level interoperability. Kerberos provides secure user authentication with an industry standard that permits interoperability. The Active Directory domain controller maintains user account and log- in information to support the Kerberos service. The process of authenticating the identity of users during log-in is the first step in gaining system access. For local machines that aren't actively participating in a domain, Windows NT LAN Manager protocol is still utilized to verify a user's name and password before granting system access. However, in domain environments, Microsoft has coupled Active Directory closely with Kerberos. Once access is granted, tickets that permit specific access to other system resources within the domain are exchanged. On This Page Kerberos 101 Understanding Kerberos concepts Further Clarification of the Log-in Process Postscript Kerberos 101 Underlying Windows 2000 security is the concept of user authentication. The centralized account management supported by Active Directory Services requires a corresponding authentication protocol for network log-on. Based on RFC 1510, the Kerberos Version 5 protocol provides enhanced authentication for the distributed computing environment and standardization to interoperate with other operating systems. Defaulting to Kerberos NT LAN Manager is the authentication protocol used in Windows NT and in Windows 2000 work group environments. It is also employed in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. At the stage Windows 2000 is converted to native mode where no down-level Windows NT domain controllers exist, NT LAN Manager is disabled. Kerberos then becomes the default authentication technology for the enterprise. Top of page Understanding Kerberos concepts Kerberos Version 5 is standard on all versions of Windows 2000 and ensures the highest level of security to network resources. The Kerberos protocol name is based on the three- headed dog figure from Greek mythology known as Kerberos. The three heads of Kerberos comprise the Key Distribution Center (KDC), the client user and the server with the desired service to access. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). As exemplified in Figure 1, three exchanges are involved when the client initially accesses a server resource: http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
  • 2. Kerberos Explained Page 2 of 6 1. AS Exchange 2. TGS Exchange 3. Client/Server (CS) Exchange 1 Figure 1: Let's take a closer look at this exchange process and its component parts. AS Exchange When initially logging on to a network, users must negotiate access by providing a log-in name and password in order to be verified by the AS portion of a KDC within their domain. The KDC has access to Active Directory user account information. Once successfully authenticated, the user is granted a Ticket to Get Tickets (TGT) that is valid for the local domain. The TGT has a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the user to re-enter his password. The TGT is cached on the local machine in volatile memory space and used to request sessions with services throughout the network. The following is a discussion of the TGT retrieval process. Example AS Administration The AS request identifies the client to the KDC in plain text. If preauthentication is enabled, a time stamp will be encrypted using the user's password hash as an encryption key. If the KDC reads a valid time when using the user's password hash (stored in the Active Directory) to decrypt the time stamp, the KDC knows that request isn't a replay of a previous request. The preauthentication feature may be disabled for specific users in order to support some applications that don't support the security feature. Access the user account from the Active Directory users and the computers will snap-in and select the account tab. From the account options: slide window, check mark the "Do not require Kerberos" preauthentication option (Figure 2). http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
  • 3. Kerberos Explained Page 3 of 6 2 Figure 2: Disable Kerberos Preauthentication If the KDC approves the client's request for a TGT, the reply (referred to as the AS reply) will include two sections: a TGT encrypted with a key that only the KDC (TGS) can decrypt and a session key encrypted with the user's password hash to handle future communications with the KDC. Because the client system cannot read the TGT contents, it must blindly present the ticket to the TGS for service tickets. The TGT includes time to live parameters, authorization data, a session key to use when communicating with the client and the client's name. TGS Exchange The user presents the TGT to the TGS portion of the KDC when desiring access to a server service. The TGS on the KDC authenticates the user's TGT and creates a ticket and session key for both the client and the remote server. This information, known as the service ticket, is then cached locally on the client machine. The TGS receives the client's TGT and reads it using its own key. If the TGS approves of the client's request, a service ticket is generated for both the client and the target server. The client reads its portion using the TGS session key retrieved earlier from the AS reply. The client presents the server portion of the TGS reply to the target server in the client/server exchange coming next. Client/Server Exchange Once the client user has the client/server service ticket, he can establish the session with the server service. The server can decrypt the information coming indirectly from the TGS using its own long-term key with the KDC. The service ticket is then used to authenticate the client user and establish a service session between the server and client. After the ticket's lifetime is exceeded, the service ticket must be renewed to use the service. Client/Server Exchange Detail The client blindly passes the server portion of the service ticket to the server in the client/server request to establish a client/server session. If mutual authentication is enabled, the target http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
  • 4. Kerberos Explained Page 4 of 6 server returns a time stamp encrypted using the service ticket session key. If the time stamp decrypts correctly, not only has the client authenticated himself to the server, but the server also has authenticated itself to the client. The target server never has to directly communicate with the KDC. This reduces downtime and pressure on the KDC. Top of page Further Clarification of the Log-in Process A TGT and a service ticket are needed to access services on remote computers, but they are also required to successfully log on to a local system. When the log-on window appears, password encryption using a one-way hash algorithm occurs immediately and negotiations commence with the KDC for a valid TGT and service ticket. The process is the same as accessing a remote service. An access token is created for the user containing all security groups to which they belong. This access token is attached to the user's log-on session and is subsequently inherited by any process or application the user starts. Referral Tickets The AS and TGS functions are separate within the KDC. This permits the user to use the TGT obtained from an AS in his domain to obtain service tickets from a TGS in other domains. This is accomplished through referral tickets. Once a trust has been established between two domains, referral tickets can be granted to clients requesting authorization for services in other domains. When there is a trust established between the two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 3, a user client in Entcert1.com requests authority for a server in Entcert2.com. He utilizes referral tickets. The numbers in Figure 3 correspond to the following numbered explanations: 1. The client contacts its domain KDC TGS using a TGT. The KDC recognizes a request for a session with a foreign domain server and responds by returning a referral ticket for the KDC in the foreign domain. 2. The client contacts the KDC of the foreign domain with the referral ticket. This ticket is encrypted with the interdomain key. Given that the decryption works, the TGS service for the foreign domain returns a service ticket for the server service in Entcert2.com. 3. The client performs the client/server exchange with the server and begins the user session with the service. 3 Figure 3: Domain Referrals When more domains are involved, the referral process extends and involves the transitive properties between Windows 2000 domains. Maintaining individual two-way trusts between all domains creates a complex administrative nightmare. The use of Kerberos transitive domains cuts down on interdomain administration. This can best be explained by example of a user/client seeking services in another domain. As illustrated in Figure 11-4, Entcert1.com has a trust relationship with Entcert2.com. Entcert2.com has a trust relationship with Entcert3.com. There http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
  • 5. Kerberos Explained Page 5 of 6 is no trust between Entcert1.com and Entcert3.com. A client from Entcert1.com accessing a service on a server in Entcert3.com would obtain a service ticket through the following steps (the numbers appearing in Figure 4 correspond to the following numbered explanations): 1. Use the TGS service in Entcert1.com to obtain a referral ticket for a KDC in Entcert2.com. 2. Use the referral ticket with the TGS service on the KDC in Entcert2.com and obtain a referral for Entcert3.com. 3. Use the second referral ticket with the TGS service on the KDC for Entcert3.com and obtain a service ticket for the server in Entcert3.com. 4. Use the Client/Server Exchange to open a session with the service in Entcert3.com. 4 Figure 4: Transitive Domain Trusts Delegation with Forwarding and Proxy Some server services require access to a second server, such as a back-end database. In order to establish a session with the second server, the primary server must be authenticated on behalf of the client's user account and authority level. This is common in a three-tier client/server model. This activity is commonly accomplished with proxy or forwarding authentication. Top of page Postscript The authentication process implemented by Kerberos is highly effective, but a few hundred words cannot do the subject justice. That is why I recommend that this article be used as a primer and that you seek more in-depth technical white papers, books or consulting services prior to actual implementation. Once you understand Kerberos and how it can serve both a pure Windows 2000 and mixed operating environment then your investment should pay high dividends. About the Author Mark Walla is senior partner at Enterprise Certified Corp. and can be reached at mwalla@EnterpriseCertified.com5. The company has established a special consulting practice on http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012
  • 6. Kerberos Explained Page 6 of 6 Kerberos and related Windows 2000 security issues. This article is extracted in part from The Ultimate Windows 2000 System Administrator's Guide (Williams & Walla, Addison Wesley 2000) ©Copyright 2000 G Robert Williams We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third- party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice. International rights = English only. International rights = English only. Top of page 6 6 Click to order Top of page Links Table 1 http://technet.microsoft.com/en-us/library/Bb742516.kerb01_big(l=en-us).gif 2 http://technet.microsoft.com/en-us/library/Bb742516.kerb02_big(l=en-us).gif 3 http://technet.microsoft.com/en-us/library/Bb742516.kerb03_big(l=en-us).gif 4 http://technet.microsoft.com/en-us/library/Bb742516.kerb04_big(l=en-us).gif 5 mailto:mwalla@enterprisecertified.com 6 http://www.windows2000advantage.com/ Community Content © 2012 Microsoft. All rights reserved. http://technet.microsoft.com/en-us/library/Bb742516(d=printer) 23.02.2012