http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspxHi Rob here, I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authenticationen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#2971450Fri, 07 Mar 2008 06:59:25 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2971450sunilnair4u<p>Very well written, concise article for an admin. Thanks Rob!</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#2974998Fri, 07 Mar 2008 23:32:42 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2974998Scharique<p>Very informative article. It just so happen that I had an infamous Event ID 4 Kerberos error on one of my DC yesterday and I was looking up for all the basics/advanced bits of Kerberos. Thanks</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3055146Wed, 14 May 2008 19:49:15 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3055146Ask the Directory Services Team<p>Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3062847Thu, 29 May 2008 20:50:26 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3062847Ask the Directory Services Team<p>Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3069595Wed, 11 Jun 2008 21:30:32 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3069595Ask the Directory Services Team<p>Now we have seen what it looks like when there is no Service Principal Name defined , and when the Service</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3070541Fri, 13 Jun 2008 20:13:41 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3070541Ask the Directory Services Team<p>Hi, Steve here. Kerberos Double Hop is a term used to describe our method of maintaining the client's</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3073460Wed, 18 Jun 2008 15:32:59 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3073460Matt Johnson's Technical Adventures<p>To DEP or not to DEP – A good post on DEP from the Performance Team Windows XP era draws to a close –</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3081538Tue, 01 Jul 2008 11:48:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3081538JMRoderick<p>If a user account is disabled after is has been granted &nbsp;a ticket to access, say, a file on a file server, what happens? &nbsp;Is access revoked immediately or not until the ticket expires (which could be 10 hours time)?</p> <p>Thanks.</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3081686Tue, 01 Jul 2008 16:26:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3081686NedPyle<p>The user will still have access until the TGT expires. In this scenario where a user is (presumably) being terminated, they should be logged off of their workstation to destroy any existing kerberos tickets. If the environment is high security and needs an even faster turnaround time, Smart Cards should be used instead - in that case the smart card certificate for that user should be revoked in order to get instant gratification.</p> <p>- Ned</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3111862Tue, 26 Aug 2008 06:44:35 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3111862robert5150<p>Hey Guys, </p> <p>I am unclear on what this means: </p> <p>The KDC then creates the service ticket with the following information within it: </p> <p>&quot;&quot;Once the service ticket information is compiled the entire service ticket is encrypted with the Services User Key (password hash). &quot;&quot;</p> <p>Please Advise... </p> <p>Thnak You</p> <p>Robert</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3111870Tue, 26 Aug 2008 07:03:09 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3111870robert5150<p>Another question.... </p> <p>What is the difference between a session key and a TGT? I though that once you had a TGT you basically</p> <p>had a session key? </p> <p>I thought they were the same... </p> <p>Thanks... </p> <p>Robert </p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3112831Wed, 27 Aug 2008 18:35:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3112831Rob Greene<p>Hey Robert,</p> <p>So lets see if I can answer both your questions.</p> <p>&quot;Once the service ticket information is compiled the entire service ticket is encrypted with the Services User Key (password hash).&quot;</p> <p>This means that the KDC is going to encrypt the Service Ticket with the services password that has to decrypt the ticket.</p> <p>So in a scenario, you want to access a UNC file share. &nbsp;The KDC is going to encrypt the TGS with the File Servers Password hash. &nbsp;Keep in mind that the TGS is not consumed by you or the machine you are logged onto. &nbsp;The TGS is consumed by the resource you are attempting to authenticate to. &nbsp;In this example the file server machine password since the Server services runs as LocalSystem.</p> <p>Session keys:</p> <p>Session keys are used between the systems to typically to encrypt the data. &nbsp;So when we are talking about a session key for the TGT. &nbsp;The client encrypts data for use by the KDC using the Session key. &nbsp;A copy of the session key is stored in the TGT that only the KDC can decrypt. &nbsp;Once the KDC can decrypt the TGT he has access to the session key and can therefore decyrpt the other encrypted data from the client.</p> <p>You have the same concept of this with Service Tickets. &nbsp;</p> <p>from the blog: &nbsp;&quot;The TGS generates a Unique Service Session Key. This session key is going to be used by the principal and service.&quot;</p> <p>Most of the time when you are working with Kerberos Authentication you do not need to be overly concerned about session keys. &nbsp;Thats why it is covered here down in the lower bullets. &nbsp;</p> <p>I hope that I have been able to answer your questions Robert.</p> <p>Rob Greene</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3139566Tue, 21 Oct 2008 08:39:25 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3139566Mirrored Blogs<p>A Very Fast Method to Get the Site Collection&amp;rsquo;s Web Structure &amp;laquo; SharePoint Internals - Hristo</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3156580Thu, 20 Nov 2008 00:54:02 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3156580Ask the Directory Services Team<p>We’ve been at this for over a year (since August 2007), with more than 100 posts (127 to be exact), so</p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3185424Mon, 19 Jan 2009 00:00:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3185424SharePoint Thinks, Links and Clinks<p>&amp;#160; Kerberos for the busy admin <a rel="nofollow" target="_new" href="http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx">http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx</a></p> http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx#3194823Fri, 30 Jan 2009 17:15:13 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3194823Ask the Directory Services Team<p>Hi, Steve again. I thought I would speak through a series of posts about what knowledge is critical to</p>