News Analysis

Introducing Kerberos

Jan De Clercq

Windows Server 2003 security infrastructures The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book "Windows Server 2003 security infrastructures" written by Jan De Clercq. Click for the complete book excerpt series or purchase the book.



Introducing Kerberos

In Greek mythology Kerberos is a three-headed dog guarding the entrance to the underworld. In the context of this book Kerberos refers to the authentication protocol developed as part of the MIT Athena project.

Microsoft introduced Kerberos as the new default authentication protocol for enterprise environments in Windows 2000. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Neither Windows 2000 nor Windows Server 2003 includes Kerberos support for other legacy Microsoft platforms. Your NT4, Windows 95 or 98 clients will not be able to authenticate using Kerberos -- you'll need to upgrade these workstations to either Windows 2000 Professional or Windows XP. In the early days of Windows 2000, Microsoft promised to include Kerberos support for Windows 95 and 98 in the "Directory Services Client" (dsclient.exe), an add-on for Windows 95 and 98 that can be found on the Windows 2000 Server CD.

A little more about the dog's three heads: They stand for authentication, authorization and auditing. The basic Kerberos protocol (Version 5, as defined in RFC 1510) only deals with authentication. Microsoft's implementation of the protocol also includes extensions for authorization. So far, no Kerberos implementation covers auditing. Kerberos can also offer more than the three A's: Later in this chapter we will explain how one of the secret keys exchanged during the Kerberos authentication sequence can be used for packet authentication, integrity and confidentiality services.

Another analogy to the dog's three heads is the number of basic entities the Kerberos protocol is dealing with. There are always three: two entities that want to authenticate to one another (e.g., a user and a resource server) and an entity that mediates between the two, a trusted third party, or, in Kerberos terminology, the key distribution center (KDC).

Click for the next excerpt in this series: Kerberos advantages.


Click for the book excerpt series or visit Elsevier to obtain the complete book.

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy