Active Directory and NT Kerberos


Page 1: Active Directory and NT Kerberos. Introduction to NT Kerberos v5 What is NT Kerberos? How is it different…

Active Directory and NT Kerberos


Introduction to NT Kerberos v5

• What is NT Kerberos?
• How is it different from NTLM
• NT Kerberos vs MIT Kerberos
• Delegation and Client Authentication
• What does NT Kerberos look like on the wire?
• KTNet - A native NT Kerberos telnet server


What is NT Kerberos

• NT’s new authentication system
• MIT Kerberos v5 - an Open Standard
• Kerberos is the default authenticator in W2K domains
• NTLM still used for compatibility
  – usually the weakest version


How is it different from NTLM

• Doesn’t use a password hash system
• Requires fewer authentication calls
• More sophisticated - Yes
• More secure? - Possibly in pure mode
  – Backwards compatibility hinders it
  – NTLM v2 is strong in pure mode as well


NT Kerberos

• Integrated with platform
• Locates KDC via DNS - DNS server required for install
• No support for DCE style cross-realm trust
• No “raw” krb5 API
• Postdated tickets (not implemented)
• Uses authdata field in ticket


Windows 2000 Kerberos standards

• RFC-1510
• Kerberos change password protocol
• Kerberos set password protocol
• RC4-HMAC Kerberos Encryption type
• PKINIT


Kerberos Interoperability Scenarios

• Kerberos clients in a Win2000 domain
• Kerberos servers in a Win2000 domain
• Standalone Win2000 systems in a Kerberos realm
• Using a Kerberos realm as a resource domain
• Using a Kerberos realm as an account domain


MIT Kerberos Differences

Win2000
• Clients
  – Just logon
  – Just logoff
  – Domain membership
  – Example app: everything
• Servers
  – Use computer account via SCM

MIT
• Clients
  – User logon with ‘kinit’
  – User logoff with ‘kdestroy’
  – Configured with /etc/krb5.conf
  – Example app: telnet
• Servers
  – Do not logon – use saved keys from keytab


Using Kerberos clients

Customer wants to have its non-Windows Kerberos users use their Win2000 accounts

Set up the /etc/krb5.conf
Users kinit with their Win2000 account

[Diagram: Unix workstation authenticating against a Windows 2000 Server in nt.company.com]


Using Kerberos servers

Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS

/etc/krb5.conf on database server
Create service account in domain
Use ktpass to export a keytab
Copy keytab to database server
IIS server is trusted for delegation

[Diagram: Windows 2000 Wks -> Windows 2000 IIS Server -> Unix Database Server, all within nt.company.com]


Kerberos realm as an account domain
• User logon with Kerberos principal
• User has shadow account in an account domain (for applying authz)
• Mapping is used at logon for domain identity

[Diagram: MIT.REALM.COM and win2k.domain.com; the domain trusts realm users; the realm principal [email protected] is mapped to the domain identity [email protected] ([email protected])]


Standalone Win2000 computers

An employee has a Win2000 computer that they want to use in a Kerberos realm

Configure system as standalone (no domain)
Use Ksetup to configure the realm
Use Ksetup to establish the local account mapping
Logon to Kerberos realm

[Diagram: Win2000 workstation logging on to a Linux/Unix KDC in MIT.REALM.COM]


Trusting a Kerberos realm

• Win2000 users accessing services in Kerberos realms

• Kerberos users accessing services in domains


Windows 2000 Domain Trusts

[Diagram: a tree of domains rooted at microsoft.com with child domains europe.microsoft.com and fareast.microsoft.com joined by Kerberos trust; legend: explicit Windows NT 4.0-style trust, explicit Kerberos trust, shortcut trust, Kerberos realm]


Cross-domain Authentication

[Diagram: a Windows 2000 Professional client in west.company.com reaching srv1.east.company.com (Windows 2000 Server in east.company.com) through the parent domain company.com; each domain has its own KDC; steps 1, 2 and 3 are TGT exchanges, step 4 is the TICKET for srv1.east.company.com]


Using Unix KDCs with Windows 2000 Authorization

[Diagram: a Win2000 Professional client in COMPANY.REALM (MIT KDC) accessing a Windows 2000 Server in nt.company.com (Windows 2000 KDC); 1 TGT, 2 TGT, name mapping to NT account, 3 TICKET, 4 TICKET with NT Auth Data]


NT Kerberos vs MIT Kerberos

• NT caches the password for ticket renewal
• It’s not certain whether NT uses ticket caching
  – tracking stolen ‘replay’ tickets


Kerberos v5 Ticket Details


Delegation and Client Authentication