Uses of kerberos?
Jonathan Wackley
jwackley at legato.com
Wed Apr 24 16:00:17 EDT 2002
I thought that Micro$oft Kerberos is included in Win2000 and above. It may be
a downloadable package, I'm not sure, I've not had to install it. MIT Kerberos
is an add on that does not ship as part of the stock OS. I just saw a note
that MIT Kerberos ships with NetBSD if I'm not mistaken. Not sure about the
interoperability first hand, but in theory they should be compatible (with a
little work) as they should conform to standard RFC 1510. In the UNIX world,
there is SEAM (Solaris Enterprise authentication manager) on Solaris and DCE
(Distributed Computing Environment) for IBM, linux installations use MIT. I've
tested these installations with gssapi and for the most part they are
compatible. It is interesting to note that IBM does not license their Kerberos
solution directly, it is licensed as part of DCE. Here is a discussion about
Kerberos Components in Win2000;
from
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dscd_aun_ctig.htm
Kerberos Components in Windows 2000
Windows 2000 implements the KDC as a domain service. It uses Active Directory
as its account database and gets additional information about security
principals from
the Global Catalog.
As in other implementations of the Kerberos protocol, the KDC is a single
process that provides two services.
Authentication Service The authentication service issues TGTs that are good
for admission to the ticket-granting service in its domain. Before network
clients can get tickets for services, they must
obtain a TGT from the authentication service in the user's account domain.
Ticket-Granting Service The ticket-granting service issues tickets that are
good for admission to other services in its own domain or for admission to the
ticket-granting service of a trusted
domain. When clients want access to a service, they must contact the
ticket-granting service in the service's account domain, present a TGT, and ask
for a session ticket. If the client does not have a
TGT for admission to the ticket-granting service in the other domain, it must
obtain one through the referral process that begins at the ticket-granting
service in the user's account domain and ends at
the ticket-granting service in the service's account domain.
The KDC is located on every domain controller, as is the Active Directory
service. Both services are started automatically by the domain controller's
Local Security Authority (LSA) and run in the
process space of the LSA. Neither service can be stopped. Windows 2000 ensures
availability of these services by allowing each domain to have several domain
controllers, all peers. Any domain
controller can accept authentication requests and ticket-granting requests
addressed to the domain's KDC.
The security principal name used by the KDC in all Windows 2000 domains is
krbtgt, as specified by RFC 1510. An account for this security principal is
created automatically when a new
Windows 2000 domain is created. The account cannot be deleted, nor can the
account name be changed. A password is assigned to the KDC's account
automatically; this password, like the passwords
assigned to domain trust accounts, is changed on a regular schedule. The
password for the KDC's account is used to derive a secret key for encrypting
and decrypting the TGTs that the KDC issues.
The password for a domain trust account is used to derive a Kerberos
inter-realm key for encrypting and decrypting referral tickets.
All instances of the KDC in a domain use the domain account for the security
principal krbtgt. Clients address messages to a domain's KDC by including both
the service's principal name (krbtgt) and
the name of the domain. Both items of information are also used in tickets to
identify the issuing authority.
© 1985-2001 Microsoft Corporation. All rights reserved.
Thanks,
jonw
Klingon wrote:
> But as I understand it is not standard on any of these operating systems.
> Lets say if I install win xp on my pc I wont have kerberos on it? If I want
> kerberos I need to install it appart from windows? Is this correct?
>
> "Jonathan Wackley" <jwackley at legato.com> wrote in message
> news:3CC70369.B1E45088 at legato.com...
> > Klingon wrote:
> >
> > > Hi
> > >
> > > I am very new to the kerberos subject. I was wondering where it is used.
> Is
> > > it used in any of our standard windows operating systems like
> > > 95,98,nt,me,2000,mx,xp? Or is it maby standard in any linux platforms
> > > (which?)? If this isn't. Which people or organizations are glad to use
> it
> > > for all safety kinds (maybe nasa?,..... I really don't know actually)?
> > >
> > > This are a lot of questions at once, but can someone please explain me
> some.
> > >
> > > Thx
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > I started with kerberos in January. The system as I understand it works
> on
> > most flavours of Windows, unix (including Linux) and Macintosh. The intro
> page
> > for KfW (Kerberos for Windows) is located at;
> >
> > http://web.mit.edu/is/help/kfw/
> >
> > For an introduction into kerberos in general can be found at;
> >
> > http://web.mit.edu/kerberos/www/
> >
> > In a nutshell, Kerberos is used as a replacement for standard
> authentication.
> > The standard authentication mechanisms generally suffer from defects that
> can
> > be exploited (Read: Hacked) to gain unauthorized access to an otherwise
> secure
> > system. Simply, it is a mechanism to have stronger security on machines
> where
> > the old password related programs are not enough.
> >
> > jonw
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list