Kerberos and Microsoft products ?

ronnie sahlberg ronniesahlberg at gmail.com
Fri Oct 21 18:31:45 EDT 2005


I do not think that is correct.

I am certain that they will use kerberos; however, it is in my
opinion very likely that they will change their kerberos
infrastructure to rely significantly on
digital certificates and the new pkinit draft/standard instead of user
passwords and preauthentication.

I.e. they will probably make changes to kerberos but not get rid of
kerberos; instead they will use pkinit+kerberos.

Speculation:
I would not be surprised if they also do things like stuff the PAC
inside the pkinit fields/certificate instead of inside the
authorization data fields and if they also modify the kdc to take the
PAC and other authorization data from within the AS-REQ and put it
inside the krbtgt ticket it sends back, and that the client in
further tgs-req and also ap-req also contains a copy of that data.

It would provide an interesting side channel where they could provide
authorization data from the certificate all the way to the AP-REQ sent
to a service.

I bet there are very interesting features that such a mechanism would provide.

(at least that is what I would do instead of only using pkinit as a
vehicle for pre authentication)



On 10/21/05, Tim Alsop <Tim.Alsop at cybersafe.ltd.uk> wrote:
> Hi,
>
> I have just been told by a company (name of company is anonymous) that
> they were recently told by Microsoft, that in the next version of
> Windows, Kerberos will be removed and replaced by something else
> instead. This suggests that Active Directory will no longer be a
> Kerberos server, and Windows will not use Kerberos to authenticate users
> to domain controllers ?
>
> My question is, has anybody else been told the same? Is this a
> misunderstanding, or based on fact?
>
> Thanks, Tim
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


