
Active Directory and NT Kerberos

Active Directory and NT Kerberos. Rooster JD Glaser. Introduction to NT Kerberos v5. What is NT Kerberos? How is it different from NTLM NT Kerberos vs MIT Kerberos Delegation and Client Authentication What does NT Kerberos look like on the wire?


Presentation Transcript


  1. Active Directory and NT Kerberos
     Rooster, JD Glaser

  2. Introduction to NT Kerberos v5
     • What is NT Kerberos?
     • How is it different from NTLM
     • NT Kerberos vs MIT Kerberos
     • Delegation and Client Authentication
     • What does NT Kerberos look like on the wire?
     • KTNet - A native NT Kerberos telnet server

  3. What is NT Kerberos
     • NT’s new authentication system
     • MIT Kerberos v5 - an Open Standard
     • Kerberos is the default authenticator in W2K domains
     • NTLM still used for compatibility - usually the weakest version

  4. How is it different from NTLM
     • Doesn’t use a password hash system
     • Requires fewer authentication calls
     • More sophisticated - Yes
     • More secure? - Possibly in pure mode
     • Backwards compatibility hinders it
     • NTLM v2 is strong in pure mode as well

  5. NT Kerberos
     • Integrated with platform
     • Locates KDC via DNS - DNS server required for install
     • No support for DCE style cross-realm trust
     • No “raw” krb5 API
     • Postdated tickets (not implemented)
     • Uses authdata field in ticket

  6. Windows 2000 Kerberos standards
     • RFC-1510
     • Kerberos change password protocol
     • Kerberos set password protocol
     • RC4-HMAC Kerberos encryption type
     • PKINIT

  7. Kerberos Interoperability Scenarios
     • Kerberos clients in a Win2000 domain
     • Kerberos servers in a Win2000 domain
     • Standalone Win2000 systems in a Kerberos realm
     • Using a Kerberos realm as a resource domain
     • Using a Kerberos realm as an account domain

  8. MIT Kerberos Differences
     MIT
     • Clients
       • User logon with ‘kinit’
       • User logoff with ‘kdestroy’
       • Configured with /etc/krb5.conf
       • Example app: telnet
     • Servers
       • Do not logon – use saved keys from keytab
     Win2000
     • Clients
       • Just logon
       • Just logoff
       • Domain membership
       • Example app: everything
     • Servers
       • Use computer account via SCM

  9. Using Kerberos clients
     Customer wants to have its non-windows Kerberos users use their Win2000 accounts (nt.company.com)
     • Setup the /etc/krb5.conf
     • Users kinit with their Win2000 account
     [Diagram: Unix workstation and Windows 2000 Server in nt.company.com]

  10. Using Kerberos servers
     Customer wants to use their Kerberos enabled database server in an n-tier application front-ended by IIS (nt.company.com)
     • /etc/krb5.conf on database server
     • Create service account in domain
     • Use ktpass to export a keytab
     • Copy keytab to database server
     • IIS server is trusted for delegation
     [Diagram: Windows 2000 Wks, Windows 2000 IIS Server, Unix Database Server]
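The Unix-side steps of slides 9 and 10 (client krb5.conf pointed at a Win2000 KDC, and the keytab copied to the database server), as an added example that is not part of the slides. The realm NT.COMPANY.COM and DNS domain nt.company.com are the slides'; the user alice, service account dbsvc, host db.nt.company.com and the ktpass invocation shown in the comments are constructed placeholders, and the helper functions are mine, not an MIT Kerberos or Windows tool.

```shell
#!/bin/sh
# Added example (not from the slides): the Unix-side pieces of slides 9 and 10.
# NT.COMPANY.COM / nt.company.com come from the slides; alice, dbsvc and
# db.nt.company.com are constructed placeholders.

# Emit a minimal /etc/krb5.conf for an MIT Kerberos client whose accounts live
# in a Win2000 domain. dns_lookup_kdc makes the client find the KDC through the
# same DNS SRV records a Win2000 member uses, so no kdc= line is hard-coded.
krb5_conf_for_realm() {
  realm="$1"        # Kerberos realm, upper case, e.g. NT.COMPANY.COM
  dns_domain="$2"   # DNS name of the Win2000 domain, e.g. nt.company.com
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $realm = {
        default_domain = $dns_domain
    }

[domain_realm]
    .$dns_domain = $realm
    $dns_domain = $realm
EOF
}

# Build the service principal the database server will present; it has to
# match the /princ value given to ktpass on the DC when the keytab was exported.
service_principal() {
  service="$1"; host="$2"; realm="$3"
  printf '%s/%s@%s\n' "$service" "$host" "$realm"
}

# A keytab holds the service's long-term key, i.e. the equivalent of its
# password. Once copied to the database server it must be readable only by
# its owner; anything looser lets any local user act as the service.
keytab_perms_ok() {
  keytab="$1"
  [ -f "$keytab" ] || return 1
  mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage (commands that need a live KDC are left as comments):
# Slide 9, Unix workstation:
#   krb5_conf_for_realm NT.COMPANY.COM nt.company.com > /etc/krb5.conf
#   kinit alice@NT.COMPANY.COM   # TGT from the Win2000 KDC with the domain account
#   klist                        # show the cached TGT
# Slide 10, on the Win2000 DC (service account dbsvc; illustrative ktpass call):
#   ktpass /princ dbsvc/db.nt.company.com@NT.COMPANY.COM /mapuser dbsvc
#          /pass * /ptype KRB5_NT_PRINCIPAL /out dbsvc.keytab
# Slide 10, on the Unix database server after copying the keytab:
#   klist -k /etc/krb5.keytab    # principals in the keytab; expect the SPN below
#   keytab_perms_ok /etc/krb5.keytab || echo "keytab is readable by other users"
service_principal dbsvc db.nt.company.com NT.COMPANY.COM
```

The permission check is the step the slides leave implicit: the keytab exported by ktpass is the service's credential, so copying it to the database server should end with it owned by the service user and mode 600, and with the copy on the DC deleted.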

  11. Kerberos realm as an account domain
     • User logon with Kerberos principal
     • User has shadow account in an account domain (for applying authz)
     • Mapping is used at logon for domain identity
     [Diagram: domain win2k.domain.com trusts realm MIT.REALM.COM; users user@win2k.domain.com (user@MIT.REALM.COM), comp$@win2k.domain.com, User@MIT.REALM.COM]

  12. Standalone Win2000 computers
     An employee has a Win2000 computer that they want to use in a Kerberos realm (MIT.REALM.COM)
     • Configure system as standalone (no domain)
     • Use Ksetup to configure the realm
     • Use Ksetup to establish the local account mapping
     • Logon to Kerberos realm
     [Diagram: Linux/Unix KDC and Win2000 computer]

  13. Trusting a Kerberos realm
     • Win2000 users accessing services in Kerberos realms
     • Kerberos users accessing services in domains

  14. Explicit Kerberos trust
     [Diagram: trust types between Windows 2000 domains (microsoft.com, fareast.microsoft.com, europe.microsoft.com) and a Kerberos realm: explicit Kerberos trust, explicit Windows NT 4.0-style trust, shortcut trust]

  15. Cross-domain Authentication
     [Diagram: Windows 2000 Professional client obtaining TGTs (steps 1-3) from the KDCs of company.com, west.company.com and east.company.com, then a service ticket (step 4) for srv1.east.company.com, a Windows 2000 Server]

  16. Using Unix KDCs with Windows 2000 Authorization
     [Diagram: Win2000 Professional client, MIT KDC for COMPANY.REALM, Windows 2000 KDC for nt.company.com with name mapping to NT account; steps 1 TGT, 2 TGT, 3 TICKET, 4 TICKET with NT auth data, to a Windows 2000 Server]

  17. NT Kerberos vs MIT Kerberos
     • NT caches the password for ticket renewal
     • It’s not certain whether NT uses ticket caching to track stolen ‘replay’ tickets

  18. Kerberos v5 Ticket Details

  19. Delegation and Client Authentication

  20. NT Kerberos On The Wire

  21. Thank you
     Rooster, rooster@attrition.org
     JD Glaser, jd.glaser@foundstone.com

  22. Appendix
     • John Brezak, PM - Microsoft
     • Kerberos Talk - MTB ‘99
