Kerberos demystified

tkarch — Mon, 19 Mar 2007 18:05:00 GMT

There is already quite a lot of documentation and books on Kerberos out there. Here I just wanted to compile the Information I typically need myself to do my daily business. Very good in-depth Information can be found here:

How the Kerberos Version 5 Authentication Protocol Works

http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f281033.mspx?mfr=true

Kerberos Explained

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

What's New in Windows Server 2003 Kerberos Authentication?

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/kerberos.mspx

Kerberos Authentication in Windows Server 2003

http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx

Well, there is a lot of strange perception on the Kerberos protocol in the market. It does not do wonders. It does authentication. Other – older - players in this field are NTLM (LM, NTLM, NTLMv2) , SSL and Digest. The current Version is Version 5, but no other Version has gained broad acceptance in the market. Kerberos is the standard authentication protocol in Microsoft environments since Windows 2000.

Kerberos is based on the Needham-Schroeder protocol. Just in case you want to read this up. And leverages symmetric keys. So no PKI or anything is needed. The Needham-Schroeder protocol defines three participants in the protocol exchange: a client machine, a server that the client wishes to access, and an authentication server.

The client is any machine that requests authentication; usually, it's a user's personal desktop. The server is any application server, say a mail server, which provides a service the client wishes to contact. Finally, the authentication server is a dedicated server that holds a copy of the encryption keys for all users and servers on the network (the "trusted third-party").

The first thing the client does is to request a TGT (ticket granting ticket) from the KDC (Kerberos Distribution Center). After that some negotiation goes on that is beyond the scope of this blog.

Limitations

In the NT4 days NTLM protocol was used for authentication. Still there are a lot of scenarios and applications that rely on NTLM today. E.g. if you access a resource via IP Address \\10.10.10.10 – this forces NTLM.

You also cannot use Kerberos over the Internet because it would require a KDC/DC on the Internet to contact. This would not be available unless you placed your domain controllers on the Internet. Nobody does this because it would likely lead to the Domain being compromised. The only way to get a Kerberos login from an Internet source is to do a protocol transition from Basic or NTLM to Kerberos. If you use an external trust NTLM is used as authentication protocol, no Kerberos involved. Kerberos authentication only works if the trust type is “Forest Trust” and it does work seamlessly with other domains part of the trusted forest.

“Access to resources between domains that are connected by an external trust require Pre-Windows 2000 Compatibility. Because external trusts only support NTLM authentication, queries to a directory in a different forest are always handled as anonymous access.”

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

Ultimately NTLM will be phased out, sooner or – probably – later.

Hm, is it ethical to update a Blog post? I will try to improve the entry as I learn new things in the mysterious world of IT...

Thomas Karch Weblog : Kerberos

Kerberos demystified