Enquiry - Kerberos

Michael B Allen ioplex at gmail.com
Sun Jan 31 23:05:09 EST 2010


On Sun, Jan 31, 2010 at 7:54 PM, Charles <charles_86 at rediffmail.com> wrote:
> Dear Sir/Madam,
>
> Can you please provide me with detailed documentation on how Kerberos works in Microsoft Windows.

Hi Charles,

Kerberos in Windows is pretty much what RFC 1510 defines:

  http://www.ietf.org/rfc/rfc1510.txt

Note that this RFC is unusually well written and understandable for an RFC.

For a more glazed over description of Kerberos in Windows, just go to
msdn.microsoft.com and search on "Kerberos". Here's a link:

  http://msdn.microsoft.com/en-us/library/aa378747(VS.85).aspx

Of course MS has a few extensions. They added a feature called
constrained delegation. They came up with their own password-changing
/ setting protocol. When acquiring a TGT, MS clients use a special
KRB5_NT_ENTERPRISE_PRINCIPAL (10) name type. They added a "PAC" to
tickets, which goes in what the RFC calls the authorization-data field,
which contains ... well, authorization data.

So there are some MS-specific things that cannot be ignored, but
otherwise the core Kerberos 5 protocol implementation in Windows is
the same as that of MIT or Heimdal. In fact, many of these "extensions"
are making their way into the other implementations, either because
they are good (password protocol) or because Active Directory is
ubiquitous.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
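The name-type difference Mike mentions is visible on the wire in the cname field of the AS-REQ. The following is an added example, not code from the post or from any Kerberos implementation: it DER-encodes and decodes the PrincipalName structure as the RFC defines it (name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString), so you can compare what a Windows client sends (NT-ENTERPRISE, value 10, carrying the whole UPN as one component) with the classic NT-PRINCIPAL (value 1) form. The user name and realm are constructed placeholders; the tag values are those of standard DER and RFC 1510/4120.

```python
# Added example: minimal DER encoder/decoder for the Kerberos PrincipalName
# type, used to show the KRB5_NT_ENTERPRISE_PRINCIPAL (10) name type that
# Windows clients use when requesting a TGT. Not from the original post.

# Name types from the RFC (krb5.h names); the value 10 is the MS/RFC 6806 one.
KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10

# DER tags: universal INTEGER, SEQUENCE, GeneralString (KerberosString),
# and the explicit context tags [0] and [1] used inside PrincipalName.
TAG_INTEGER, TAG_SEQUENCE, TAG_GENERALSTRING = 0x02, 0x30, 0x1B
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER (enough for Int32 name types)."""
    return tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def encode_principal_name(name_type: int, components: list[str]) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                    name-string [1] SEQUENCE OF KerberosString }"""
    strings = b"".join(tlv(TAG_GENERALSTRING, c.encode("utf-8")) for c in components)
    return tlv(TAG_SEQUENCE,
               tlv(TAG_CTX0, der_int(name_type)) +
               tlv(TAG_CTX1, tlv(TAG_SEQUENCE, strings)))


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_principal_name(der: bytes) -> tuple[int, list[str]]:
    """Inverse of encode_principal_name; raises ValueError on a bad structure."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag0, nt_body, pos = _read_tlv(body, 0)
    itag, ival, _ = _read_tlv(nt_body, 0)
    if tag0 != TAG_CTX0 or itag != TAG_INTEGER:
        raise ValueError("bad name-type field")
    name_type = int.from_bytes(ival, "big", signed=True)
    tag1, ns_body, _ = _read_tlv(body, pos)
    stag, seq, _ = _read_tlv(ns_body, 0)
    if tag1 != TAG_CTX1 or stag != TAG_SEQUENCE:
        raise ValueError("bad name-string field")
    components, p = [], 0
    while p < len(seq):
        t, v, p = _read_tlv(seq, p)
        if t != TAG_GENERALSTRING:
            raise ValueError("name-string component is not a KerberosString")
        components.append(v.decode("utf-8"))
    return name_type, components


def describe(der: bytes) -> str:
    """Human-readable summary, e.g. for a packet-capture helper."""
    name_type, comps = decode_principal_name(der)
    if name_type == KRB5_NT_ENTERPRISE_PRINCIPAL:
        return f"enterprise principal (UPN {comps[0]!r})"   # Windows-style cname
    if name_type == KRB5_NT_PRINCIPAL:
        return f"principal {'/'.join(comps)!r}"             # classic MIT/Heimdal cname
    return f"name-type {name_type} {comps!r}"


if __name__ == "__main__":
    # Constructed sample values; EXAMPLE.COM is a placeholder realm.
    windows_cname = encode_principal_name(KRB5_NT_ENTERPRISE_PRINCIPAL, ["charles@example.com"])
    classic_cname = encode_principal_name(KRB5_NT_PRINCIPAL, ["charles"])
    print(windows_cname.hex(), "->", describe(windows_cname))
    print(classic_cname.hex(), "->", describe(classic_cname))
```

The enterprise form carries the '@' inside the single name-string component, which is why a KDC must not treat it like a realm separator; the AS-REQ realm field still names the realm the client thinks it belongs to.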
