Active Directory and NT Kerberos
Introduction to NT Kerberos v5
• What is NT Kerberos?
• How is it different from NTLM?
• NT Kerberos vs MIT Kerberos
• Delegation and Client Authentication
• What does NT Kerberos look like on the wire?
• KTNet - A native NT Kerberos telnet server
What is NT Kerberos
• NT’s new authentication system
• MIT Kerberos v5 - an Open Standard
• Kerberos is the default authenticator in W2K domains
• NTLM still used for compatibility
– usually the weakest version
How is it different from NTLM
• Doesn’t use a password hash system
• Requires fewer authentication calls
• More sophisticated - Yes
• More secure? - Possibly in pure mode
– Backwards compatibility hinders it
– NTLM v2 is strong in pure mode as well
NT Kerberos
• Integrated with platform
• Locates KDC via DNS - DNS server required for install
• No support for DCE style cross-realm trust
• No “raw” krb5 API
• Postdated tickets (not implemented)
• Uses authdata field in ticket
Windows 2000 Kerberos standards
• RFC-1510
• Kerberos change password protocol
• Kerberos set password protocol
• RC4-HMAC Kerberos Encryption type
• PKINIT
Kerberos Interoperability Scenarios
• Kerberos clients in a Win2000 domain
• Kerberos servers in a Win2000 domain
• Standalone Win2000 systems in a Kerberos realm
• Using a Kerberos realm as a resource domain
• Using a Kerberos realm as an account domain
MIT Kerberos Differences
Win2000
• Clients
– Just logon
– Just logoff
– Domain membership
– Example app: everything
• Servers
– Use computer account via SCM
MIT
• Clients
– User logon with ‘kinit’
– User logoff with ‘kdestroy’
– Configured with /etc/krb5.conf
– Example app: telnet
• Servers
– Do not logon – use saved keys from keytab
Using Kerberos clients
Customer wants to have its non-Windows Kerberos users use their Win2000 accounts
Set up the /etc/krb5.conf
Users kinit with their Win2000 account
(Diagram: Windows 2000 Server, nt.company.com; Unix workstation)
Using Kerberos servers
Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
/etc/krb5.conf on database server
Create service account in domain
Use ktpass to export a keytab
Copy keytab to database server
IIS server is trusted for delegation
(Diagram: nt.company.com; Windows 2000 IIS Server; Unix Database Server; Windows 2000 Wks)
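The /etc/krb5.conf step shared by the client and server scenarios above, as an added example that is not part of the original slides. It assumes the realm name is the DNS domain name in upper case (the Windows 2000 convention), a KDC host named kdc.nt.company.com, and, for the keytab step, a hypothetical service account dbsvc and database host db.nt.company.com.

```shell
#!/bin/sh
# Added example (not from the slides): render an /etc/krb5.conf for a Unix
# host that uses a Windows 2000 domain as its Kerberos realm, as in the
# "Using Kerberos clients" and "Using Kerberos servers" scenarios.
# Assumptions: the realm name is the DNS domain name in upper case (the
# Windows 2000 convention); the KDC host name is passed in by the caller.

# render_krb5_conf <dns-domain> <kdc-host>
render_krb5_conf() {
    domain=$1
    kdc=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Windows 2000 KDCs issue RC4-HMAC or DES keys; offer nothing else
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    # Windows 2000 publishes its KDCs as _kerberos._tcp.$domain SRV records
    dns_lookup_kdc = true

[realms]
    $realm = {
        kdc = $kdc:88
        # Kerberos change/set password protocol (port 464) is served by the KDC
        kpasswd_server = $kdc:464
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Usage on the Unix workstation or database server:
#   render_krb5_conf nt.company.com kdc.nt.company.com > /etc/krb5.conf
#   kinit <user>@NT.COMPANY.COM   # client scenario: log on with the Win2000 account
#
# Server scenario, run on a Windows 2000 domain controller to export the
# service account's key (hypothetical account "dbsvc", host "db.nt.company.com"):
#   ktpass /princ db/db.nt.company.com@NT.COMPANY.COM /mapuser dbsvc /pass * /out dbsvc.keytab
# Copy dbsvc.keytab to the Unix database server and confirm the key is readable:
#   klist -k dbsvc.keytab
```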
Kerberos realm as an account domain
• User logon with Kerberos principal
• User has shadow account in an account domain (for applying authz)
• Mapping is used at logon for domain identity
(Diagram: MIT.REALM.COM; win2k.domain.com; Domain trusts realm users)
Standalone Win2000 computers
An employee has a Win2000 computer that they want to use in a Kerberos realm
Configure system as standalone (no domain)
Use Ksetup to configure the realm
Use Ksetup to establish the local account mapping
Logon to Kerberos realm
(Diagram: Win2000; Linux/Unix; MIT.REALM.COM)
Trusting a Kerberos realm
• Win2000 users accessing services in Kerberos realms
• Kerberos users accessing services in domains
Windows 2000 Domain Trusts
(Diagram: domains microsoft.com, europe.microsoft.com and fareast.microsoft.com plus a Kerberos realm; trust types shown: Explicit Windows NT 4.0-style trust, Kerberos trust, Explicit Kerberos trust, Shortcut trust)
Cross-domain Authentication
(Diagram: Windows 2000 Professional in west.company.com and Windows 2000 Server srv1.east.company.com, both under company.com, with a KDC in each domain; steps 1: TGT, 2: TGT, 3: TGT, 4: TICKET)
Using Unix KDCs with Windows 2000 Authorization
(Diagram: Win2000 Professional and Windows 2000 Server; COMPANY.REALM with an MIT KDC and nt.company.com with a Windows 2000 KDC; steps 1: TGT, 2: TGT with name mapping to NT account, 3: TICKET, 4: TICKET with NT Auth Data)
NT Kerberos vs MIT Kerberos
• NT caches the password for ticket renewal
• It’s not certain whether NT uses ticket caching for tracking stolen ‘replay’ tickets
Kerberos v5 Ticket Details
Delegation and Client Authentication