Windows 2003 Support

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 9 September 2007

How Kerberos authentication works?

Posted on 11:41 by Unknown
The Kerberos Authentication Process
The Kerberos protocol gets its name from the three-headed dog in Greek mythology. The three components of Kerberos are:
· The client requesting services or authentication.
· The server hosting the services requested by the client.
· A computer that is trusted by the client and server (in this case, a Windows Server 2003 domain controller running the Kerberos Key Distribution Center service).
Kerberos authentication is based on specially formatted data packets known as tickets. In Kerberos, these tickets pass through the network instead of passwords. Transmitting tickets instead of passwords makes the authentication process more resistant to attackers who can intercept the network traffic.
Key Distribution Center
The Key Distribution Center (KDC) maintains a database of account information for all security principals in the domain. The KDC stores a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long term key. The long term key is derived from a user's logon password.
Kerberos authentication process
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
1. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm.
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows.
Note:
Kerberos implements secret key cryptography, which is different from public key cryptography in that it does not use a public and private key pair.
3. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
Important:

When a client receives the session key and TGT from the server, it stores that information in volatile memory and not on the hard disk. Storing the information in the volatile memory and not on the hard disk makes the information more secure, because the information would be lost if the server were physically removed.
4. When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client will present its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its KKDC. The TGT contains the user name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user can use the SA.
5. Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB) that will be shared between the client and the server so they can securely communicate.
6. The KDC takes the server's ticket and encrypts it using the server master key (KB). Then the KDC nests the server's ticket inside the client's ticket, which also contains the KAB. The KDC encrypts the whole thing using the session key that it shares with the user from the logon process. The KDC then sends all the information to the user.
7. When the user receives the ticket, the user decrypts it using the SA. This exposes the KAB to the client and also exposes the server's ticket. The user cannot read the server's ticket. The user will encrypt the timestamp by using the KAB and send the timestamp and the server's ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its KB. This permits access to the KAB, which can then decrypt the timestamp from the client.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Active Directory Inside Out 10 Hrs of CBT
    TechNet Webcast: Active Directory Fundamentals—Level 200 Event Overview Do you want to get a better understanding of the basic concep...
  • What are Preliminary AD DS Installation Steps and what all commands are available to upgrade the Forest schema to accept Windows server 2008?
    For new Forest: . Strong password. . Correct Network settings. . Latest Security updates. For Existing Forest: . Extend Schema using adprep...
  • How are Fine grained password Policies are stored in Windows server 2008? What are different objects associated with it?
    To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services schema:...
  • What is Well known Security principal?
    Well-Known Security Principals The term well-known security principal refers to fixed accounts that are somewhat like users or groups. Howev...
  • What is access token and how it is used?
    Access Tokens An access token describes the security context of a process. When the process tries to perform various operations in the compu...
  • Steps to create a Clone of Domain Controller in Windows 2012
    1) Make sure your hypervisor generates VM-Generation-ID.  2) Make sure your PDC FSMO runs on Windows 2012.             BTW you cannot clon...
  • How is Kerberos used while accessing file share on the network? What is the background processing involved in it?
    When user is already logged onto a domain and wants to access a resource located on a server within the same domain, a network logon process...
  • What are the new features in Windows 2012 Active Directory
    All the new features of Windows 2012 Active Directory are given below. You can use Active Directory Domain Services (AD DS) in Windows Serve...
  • What are the improvements introduced in AD Directory Domain Service Installation wizard?
    Active Directory Domain Services Installation Wizard New Wizard Page Description Additional optio...
  • How do we login in domain and what happens in the background at time of logon
    How does authentication and authoriztion happens in active directory? Everything starts when User presses Ctrl+Alt+Del and User chooses to l...

Categories

  • Active Directory Recycle bin
  • AD replication
  • Advance audit policy settings
  • Advance Audit policy settings in Windows 2008 and Windows 7.
  • Advanced Audit policy settings
  • Burflags registry Key
  • Clone Windows 2012 DC
  • Cloning Domain Controller Windows 2012 Active Directory
  • D2
  • D4
  • DCPROMO
  • domain functional levels
  • Forest functional levels
  • Group Policy preference
  • Group policy preferences in Windows 2008
  • how to rebuild sysvol
  • Journal Wrap
  • Managed service accounts in Windows 2008 R2
  • Metadata cleanup
  • NTLM Blocker
  • NTLM Blocker in Windows 2008
  • Recycle bin and Active Directory
  • Recycle Bin GUI in windows 2012
  • Recycle Bin in Windows 2008 R2
  • Recycle Bin in Windows 2012
  • Rolling back forest functional level of Windows 2008.
  • steps to clone Windows 2012 DC
  • Troubleshooting Journal Wrap
  • Upgrade Windows 2003 domain Controller to Windows 2012 Domain Controller
  • Upgrade Windows 2003 Server to windows 2012 Server
  • Upgrading domain functional level
  • upgrading forest functional level
  • USN rollback
  • Windows 2003 AD upgrade to Windows 2012 AD

Blog Archive

  • ►  2013 (1)
    • ►  January (1)
  • ►  2012 (6)
    • ►  August (1)
    • ►  February (5)
  • ►  2011 (3)
    • ►  March (3)
  • ►  2009 (2)
    • ►  November (1)
    • ►  August (1)
  • ►  2008 (1)
    • ►  May (1)
  • ▼  2007 (28)
    • ►  November (2)
    • ►  October (2)
    • ▼  September (24)
      • What is anonymous authentication and what are the ...
      • What are different group policies related to kerbe...
      • How Kerberos authentication works?
      • Please explain us the NTLM Authentication process?
      • What are new features introduced in Windows 2008 d...
      • What are different Authentication Protocols availa...
      • What are the improvements introduced in AD Directo...
      • What are the improvements introduced in AD Directo...
      • What is Active Directory object quota? How can you...
      • How do you Define the Scope of Fine-Grained Passwo...
      • What is AdminSDHolder Object and how admincount at...
      • How are Fine grained password Policies are stored ...
      • What is Well known Security principal?
      • What is BitLocker? How does it work?
      • What is access token and how it is used?
      • What are Fine-Grained Password Policies in Longhor...
      • What are the new features of Windows server 2008 v...
      • What are the core components of Windows Security S...
      • How is Kerberos used while accessing file share on...
      • How do we login in domain and what happens in the ...
      • What is restartable feature of AD DS?
      • What are Preliminary AD DS Installation Steps and ...
      • What are the events that trigger Urgent Replication?
      • What is prerequisites for deploying an RODC in you...
Powered by Blogger.

About Me

Unknown
View my complete profile