
Kerberos Authentication Process In Windows



  1. Kerberos Authentication Process In Windows

  2. Kerberos
     • Developed at M.I.T. in 1980.
     • Greek mythology: three-headed dog.
     • 3 “heads” — a client, a server, and a trusted third party that mediates between the other two.
     • A secret-key-based service for providing authentication in open networks.
     • Authentication mediated by a trusted third party on the network:
       – Key Distribution Center (KDC)
     • Kerberos Version 5

  3. Firewall vs. Kerberos
     • Firewall
       – Assumes that "the bad guys" are on the outside.
       – But the real threat is from insiders.
     • Kerberos
       – Assumes that network connections are the weak link in network security.
       – Strong authentication compared to firewalls.

  4. Authentication?
     • Verifying someone’s identity
     • Types of authentication:
       1) Password based
       2) Cryptographic

  5. Cryptographic Authentication
     • No password over the network.
     • User identification done by a cryptographic operation based on:
       – Quantity supplied by the server
       – User’s secret key

  6. Encryption and Decryption
     • Encryption
       – Source
       – Data + Cipher text = Encryption
     • Decryption
       – Destination
       – Decipher text - Data = Decryption

  7. Symmetric Key Cryptography
     • Secret key cryptography
     • Same key.
     • Algorithms: DES, 3-DES, AES

  8. Asymmetric Key Cryptography
     • Public key cryptography
     • A pair of related keys is used:
       – Public and private keys.
     • Data encrypted with one can only be decrypted with the other
     • Usually, a user publishes his public key widely
       – Others use it to encrypt data intended for the user
       – User decrypts using the private key (known only to him)
     • Algorithm: RSA

  9. Key Distribution Center (KDC)
     • Implemented as a domain service
     • Active Directory for database
     • Global Catalog for directing referrals to KDCs in other domains.
     • Uses certificates to encrypt communication between client and KDC.

  10. Key Distribution Center (KDC): Types of Keys Used
     • Long-term symmetric keys: user, system, service, and inter-realm keys
     • Long-term asymmetric keys: public key
     • Short-term symmetric keys: session keys

  11. Key Distribution Center (KDC)
     • Authentication Service (AS)
     • Ticket-Granting Service (TGS)

  12. Key Distribution Center (KDC)

  13. Key Distribution Center (KDC)

  14. Common Issues
     • Infrastructure required:
       – Active Directory
       – TCP/IP network connectivity
       – Domain Name System
       – Time service
       – Operating system

  15. Common Issues
     • Console logon, network logon, access to network resources, or remote access
     • How to identify whether an issue is related to Kerberos?
       – Event log: System, Security
       – Source: Kerberos, KDC, LsaSrv, or Netlogon

  16. Common Issues
     1) Time Synchronization (Clock Skew)
       – 0x25: KRB_AP_ERR_SKEW: Clock Skew too great

  17. Common Issues
     2) UDP Fragmentation

  18. Common Issues
     3) Group Membership Overloads PAC
       – 0x3C: KRB_ERR_GENERIC: Generic error

  19. Common Issues
     4) Need an SPN Set
       – KDC_ERR_C_PRINCIPAL_UNKNOWN

  20. Thank You
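
The time-synchronization issue on slide 16, as an added example that is not part of the original slides: a simplified Python model of the timestamp check a Kerberos service applies to a client's authenticator, showing why a drifting clock produces 0x25 (KRB_AP_ERR_SKEW) and how the same time window bounds replay detection. The 5-minute tolerance, the `Acceptor` class, the principal names and the timestamps are assumptions constructed for illustration; 0x22 (KRB_AP_ERR_REPEAT) is the replay error code from RFC 4120.

```python
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_REPEAT = 0x22         # RFC 4120: request is a replay
KRB_AP_ERR_SKEW = 0x25           # "Clock skew too great" (slide 16)
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance, not stated in the slides


class Acceptor:
    """Hypothetical, simplified model of a service validating authenticator timestamps."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.replay_cache = set()  # (client principal, client timestamp) pairs

    def check(self, client, ctime, now):
        """Return 0 when accepted, otherwise the Kerberos error code."""
        # Entries outside the window can be dropped: a replay of them
        # would already be rejected by the skew test below.
        self.replay_cache = {(c, t) for (c, t) in self.replay_cache
                             if abs(now - t) <= self.max_skew}
        # Client and server clocks must agree to within the tolerance,
        # in either direction (client behind or ahead).
        if abs(now - ctime) > self.max_skew:
            return KRB_AP_ERR_SKEW
        # Inside the window, the same authenticator is accepted only once.
        if (client, ctime) in self.replay_cache:
            return KRB_AP_ERR_REPEAT
        self.replay_cache.add((client, ctime))
        return 0


def demo():
    """Run constructed sample authenticators through the check."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed server time
    fresh = now - timedelta(seconds=30)
    acc = Acceptor()
    return [
        acc.check("alice@EXAMPLE.COM", fresh, now),                         # in window
        acc.check("alice@EXAMPLE.COM", fresh, now),                         # captured and resent
        acc.check("bob@EXAMPLE.COM", now - timedelta(minutes=7), now),      # client clock behind
        acc.check("carol@EXAMPLE.COM", now + timedelta(minutes=6), now),    # client clock ahead
        acc.check("alice@EXAMPLE.COM", fresh, now + timedelta(minutes=10)), # stale resend
    ]


if __name__ == "__main__":
    print([hex(code) for code in demo()])
```

A real authenticator also carries a microsecond field and is encrypted under the session key; the model keeps only the timestamp logic that makes the Time Service an infrastructure requirement.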