Uses of kerberos?

Jonathan Wackley jwackley at legato.com
Wed Apr 24 16:03:20 EDT 2002


Also, HP offers their own solution...

Thanks,
jonw

Jonathan Wackley wrote:

> I thought that Micro$oft Kerberos is included in Win2000 and above.  It may be
> a downloadable package, I'm not sure, I've not had to install it.  MIT Kerberos
> is an add-on that does not ship as part of the stock OS.  I just saw a note
> that MIT Kerberos ships with NetBSD if I'm not mistaken.  Not sure about the
> interoperability first hand, but in theory they should be compatible (with a
> little work) as they should conform to standard RFC 1510.  In the UNIX world,
> there is SEAM (Solaris Enterprise Authentication Manager) on Solaris and DCE
> (Distributed Computing Environment) for IBM; Linux installations use MIT.  I've
> tested these installations with GSSAPI and for the most part they are
> compatible.  It is interesting to note that IBM does not license their Kerberos
> solution directly; it is licensed as part of DCE.  Here is a discussion about
> Kerberos Components in Win2000:
>
> from
> http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dscd_aun_ctig.htm
>
> Kerberos Components in Windows 2000
>
> Windows 2000 implements the KDC as a domain service. It uses Active Directory
> as its account database and gets additional information about security
> principals from the Global Catalog.
>
> As in other implementations of the Kerberos protocol, the KDC is a single
> process that provides two services.
>
> Authentication Service
>
> The authentication service issues TGTs that are good for admission to the
> ticket-granting service in its domain. Before network clients can get tickets
> for services, they must obtain a TGT from the authentication service in the
> user's account domain.
>
> Ticket-Granting Service
>
> The ticket-granting service issues tickets that are good for admission to
> other services in its own domain or for admission to the ticket-granting
> service of a trusted domain. When clients want access to a service, they must
> contact the ticket-granting service in the service's account domain, present a
> TGT, and ask for a session ticket. If the client does not have a TGT for
> admission to the ticket-granting service in the other domain, it must obtain
> one through the referral process that begins at the ticket-granting service in
> the user's account domain and ends at the ticket-granting service in the
> service's account domain.
>
> The KDC is located on every domain controller, as is the Active Directory
> service. Both services are started automatically by the domain controller's
> Local Security Authority (LSA) and run in the process space of the LSA.
> Neither service can be stopped. Windows 2000 ensures availability of these
> services by allowing each domain to have several domain controllers, all
> peers. Any domain controller can accept authentication requests and
> ticket-granting requests addressed to the domain's KDC.
>
> The security principal name used by the KDC in all Windows 2000 domains is
> krbtgt, as specified by RFC 1510. An account for this security principal is
> created automatically when a new Windows 2000 domain is created. The account
> cannot be deleted, nor can the account name be changed. A password is assigned
> to the KDC's account automatically; this password, like the passwords assigned
> to domain trust accounts, is changed on a regular schedule. The password for
> the KDC's account is used to derive a secret key for encrypting and decrypting
> the TGTs that the KDC issues. The password for a domain trust account is used
> to derive a Kerberos inter-realm key for encrypting and decrypting referral
> tickets.
>
> All instances of the KDC in a domain use the domain account for the security
> principal krbtgt. Clients address messages to a domain's KDC by including both
> the service's principal name (krbtgt) and the name of the domain. Both items
> of information are also used in tickets to identify the issuing authority.
> © 1985-2001 Microsoft Corporation. All rights reserved.
>
> Thanks,
> jonw
>
> Klingon wrote:
>
> > But as I understand it, it is not standard on any of these operating systems.
> > Let's say I install Win XP on my PC; I won't have Kerberos on it? If I want
> > Kerberos I need to install it apart from Windows? Is this correct?
> >
> > "Jonathan Wackley" <jwackley at legato.com> wrote in message
> > news:3CC70369.B1E45088 at legato.com...
> > > Klingon wrote:
> > >
> > > > Hi
> > > >
> > > > I am very new to the Kerberos subject. I was wondering where it is used.
> > > > Is it used in any of our standard Windows operating systems like
> > > > 95, 98, NT, ME, 2000, mx, XP? Or is it maybe standard in any Linux
> > > > platforms (which?)? If it isn't, which people or organizations are glad
> > > > to use it for all kinds of safety (maybe NASA?, ..... I really don't know
> > > > actually)?
> > > >
> > > > These are a lot of questions at once, but can someone please explain
> > > > some of it to me.
> > > >
> > > > Thx
> > > >
> > > > ________________________________________________
> > > > Kerberos mailing list           Kerberos at mit.edu
> > > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> > > I started with Kerberos in January.  The system as I understand it works
> > > on most flavours of Windows, Unix (including Linux) and Macintosh.  The
> > > intro page for KfW (Kerberos for Windows) is located at:
> > >
> > > http://web.mit.edu/is/help/kfw/
> > >
> > > An introduction to Kerberos in general can be found at:
> > >
> > > http://web.mit.edu/kerberos/www/
> > >
> > > In a nutshell, Kerberos is used as a replacement for standard
> > > authentication.  The standard authentication mechanisms generally suffer
> > > from defects that can be exploited (read: hacked) to gain unauthorized
> > > access to an otherwise secure system.  Simply, it is a mechanism to have
> > > stronger security on machines where the old password-related programs are
> > > not enough.
> > >
> > > jonw
> > >
> > >
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
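The quoted Microsoft text describes the two KDC services and the cross-domain referral in prose. The following is an added, constructed Python model of exactly that flow, not code from this list, from MIT Kerberos or from Windows: an Authentication Service that seals TGTs under the krbtgt key, a Ticket-Granting Service that issues session tickets or, for a service in a trusted domain, a referral TGT sealed under the inter-realm key, and the service's final check. The realm names CORP and PARTNER, the principals alice and fileserver, the ticket layout and the `seal()`/`open_sealed()` primitive (a SHAKE-256 keystream with an HMAC-SHA256 tag, standing in for a real Kerberos encryption type) are all assumptions made for the example. What it shows beyond the text: the foreign TGS must open a referral with the inter-realm key rather than its own krbtgt key, and a tampered ticket, a service ticket presented as a TGT, or a referral to a domain with no trust are all rejected.

```python
"""Toy model of the KDC roles in the quoted Windows 2000 text: an Authentication
Service issuing TGTs under the krbtgt key, a Ticket-Granting Service issuing session
tickets, and the referral from the user's domain TGS to the service's domain TGS.
Constructed teaching code, not MIT or Microsoft Kerberos; seal() is a stdlib
stand-in (SHAKE-256 keystream + HMAC-SHA256 tag), not a Kerberos encryption type."""
import hashlib
import hmac
import json
import os

def _ks(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)  # XOF used as a keystream

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (constructed toy AEAD)."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _ks(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Verify the tag first, then decrypt; a wrong key or any bit flip raises ValueError."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("ticket integrity check failed")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _ks(key, nonce, len(ct)))))

def authenticator(session_hex, client):
    """Client proves it knows the session key carried inside the ticket."""
    return seal(bytes.fromhex(session_hex), {"client": client})

class Realm:
    """One domain's KDC: the krbtgt key, each principal's long-term key, and one
    inter-realm key per trusted domain (derived from the trust account password)."""
    def __init__(self, name):
        self.name, self.krbtgt_key, self.keys, self.trust_keys = name, os.urandom(32), {}, {}

    def _ticket(self, key, sname, client, crealm, session):
        # Ticket = cleartext header naming the server + part sealed under that server's key.
        return {"sname": sname, "issuer": self.name,
                "enc": seal(key, {"client": client, "crealm": crealm, "key": session}).hex()}

    def as_exchange(self, user):
        """Authentication Service: a TGT plus the session key sealed under the user's key."""
        session = os.urandom(32).hex()
        tgt = self._ticket(self.krbtgt_key, f"krbtgt/{self.name}", user, self.name, session)
        return tgt, seal(self.keys[user], {"key": session})

    def _tgt_key(self, tgt):
        # Our own TGTs are sealed under the krbtgt key; a referral TGT from a trusted
        # domain is sealed under the inter-realm key shared with that domain.
        if tgt["sname"] != f"krbtgt/{self.name}":
            raise ValueError("ticket is not a TGT for this domain")
        if tgt["issuer"] == self.name:
            return self.krbtgt_key
        if tgt["issuer"] in self.trust_keys:
            return self.trust_keys[tgt["issuer"]]
        raise ValueError(f"no trust with issuing domain {tgt['issuer']}")

    def tgs_exchange(self, tgt, auth, service, srealm):
        """Ticket-Granting Service: a session ticket for a local service, or a referral
        TGT sealed under the inter-realm key when the service lives in a trusted domain."""
        inner = open_sealed(self._tgt_key(tgt), bytes.fromhex(tgt["enc"]))
        if open_sealed(bytes.fromhex(inner["key"]), auth)["client"] != inner["client"]:
            raise ValueError("authenticator does not match TGT")
        session = os.urandom(32).hex()
        if srealm == self.name:
            tkt = self._ticket(self.keys[service], service, inner["client"], inner["crealm"], session)
        elif srealm in self.trust_keys:
            tkt = self._ticket(self.trust_keys[srealm], f"krbtgt/{srealm}",
                               inner["client"], inner["crealm"], session)
        else:
            raise ValueError(f"no trust path to domain {srealm}")
        return tkt, seal(bytes.fromhex(inner["key"]), {"key": session})

def service_accept(realm, service, ticket, auth):
    """AP exchange: the service opens the ticket with its own key and checks the authenticator."""
    inner = open_sealed(realm.keys[service], bytes.fromhex(ticket["enc"]))
    if open_sealed(bytes.fromhex(inner["key"]), auth)["client"] != inner["client"]:
        raise ValueError("authenticator does not match ticket")
    return f"{inner['client']}@{inner['crealm']}"

def build_realms():
    """Constructed sample: user alice in CORP, fileserver in PARTNER, two-way trust."""
    home, foreign = Realm("CORP"), Realm("PARTNER")
    home.keys["alice"], foreign.keys["fileserver"] = os.urandom(32), os.urandom(32)
    home.trust_keys["PARTNER"] = foreign.trust_keys["CORP"] = os.urandom(32)
    return home, foreign

def cross_realm_login(home, foreign, user, service):
    """Client walk: AS (home) -> TGS (home) hands out a referral -> TGS (foreign) -> service."""
    tgt, enc = home.as_exchange(user)
    session = open_sealed(home.keys[user], enc)["key"]  # client side: password-derived key
    referral, enc = home.tgs_exchange(tgt, authenticator(session, user), service, foreign.name)
    session = open_sealed(bytes.fromhex(session), enc)["key"]
    st, enc = foreign.tgs_exchange(referral, authenticator(session, user), service, foreign.name)
    session = open_sealed(bytes.fromhex(session), enc)["key"]
    return service_accept(foreign, service, st, authenticator(session, user))

if __name__ == "__main__":
    print(cross_realm_login(*build_realms(), "alice", "fileserver"))
```

Each ticket carries its server name and issuing domain in the clear, which is what lets the PARTNER KDC pick the CORP inter-realm key for a referral while still refusing anything that is not a `krbtgt/PARTNER` ticket; the sealed part is only ever opened by the party holding that server's key, mirroring the text's statement that both items also identify the issuing authority.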
