Advanced Kerberos topics: Kerberized applications

This excerpt from "Windows Server 2003 security infrastructures" focuses on the details behind the smart card logon process, Kerberos transport protocol and port usage.

Windows Server 2003 security infrastructures The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book "Windows Server 2003 security infrastructures" written by Jan De Clercq. Click for the complete book excerpt series or purchase the book.

Advanced Kerberos topics

To help you navigate this excerpt more quickly and easily, please use the following guide.

   Overview: List of Kerberized applications
   Smart card logon process
   Using Klist and Kerbtray

List of Kerberized applications
Return to Table of Contents

Kerberized applications are applications that use the Kerberos authentication protocol to provide authentication (and maybe in a later phase to provide encryption and signing for subsequent messages). Windows 2000 and Windows Server 2003 include the following Kerberized applications:

  • LDAP to AD
  • CIFS/SMB remote file access. Common Internet File System (CIFS) is the new name of Microsoft's SMB protocol that is mainly used for file and print sharing.
  • Secure dynamic DNS update
  • Distributed File System Management
  • Host to Host IPsec using ISAKMP
  • Secure intranet Web services using IIS
  • Authenticate certificate request to certification authority (CA)
  • DCOM RPC security provider

Smart card logon process
Return to Table of Contents

Windows 2000 and Windows Server 2003 include extensions to Kerberos Version 5 to support public-key–based authentication. These extensions are known as PKINIT—which stands for use of Public Key cryptography for INITial authentication—and are defined in an IETF Internet draft available from PKINIT enables the smart card logon process to a Windows 2000 or later domain. PKINIT allows a client's master key to be replaced with its public key credentials in the Kerberos Authentication Request (KRB_AS_REQ) and Reply (KRB_AS_REP) messages. This is illustrated in Table 5.9.

PKINIT introduces a new trust model (illustrated on the right side of Figure 5.32) in which the KDC is not the first entity to identify the users (as is the case for classical Kerberos). Before KDC authentication, users are identified by the certification authority in order to obtain a certificate. In this new model the users and the KDC obviously both need to trust the same CA.

Smart card logon trust model

Figure 5.33 shows the way the Kerberos smart card logon process works (notice that the cryptic names of the Kerberos messages have changed):

  • Alice starts the logon process by introducing her smart card and by authenticating to the card using her PIN code. The smart card contains Alice's public key credentials: her private key and certificate.
  • A TGT request is sent to the KDC (AS); this request contains the following (PA-PK-AS-REQ): Alice's principal name and a timestamp
  • The above signed with Alice's private key
  • A copy of Alice's certificate

Smart card logon process

  • To validate the request and the digital signature on it, the KDC will first validate Alice's certificate. The KDC will then query the Active Directory for a mapping between the certificate and a Windows account. If it finds a mapping, it will issue a TGT to the corresponding account.
  • The KDC sends back the TGT to Alice. Alice's copy of the session is encrypted with her public key (PA-PK-AS-REP).
  • To retrieve her copy of the session key, Alice uses her private key. We will come back to smart card support in Windows Server 2003 in Chapter 17.

Using Klist and Kerbtray
Return to Table of Contents

The Windows Server 2003 Resource Kit contains two utilities you can use to look at the content of the Kerberos ticket cache: kerbtray.exe (illustrated in Figure 5.30) and klist.exe (illustrated in Figure 5.31). Kerbtray.exe is a GUI tool, and klist.exe is a command-line tool. Both tools can be used to display and/or purge the content of the Kerberos ticket cache.

To bring up the kerbtray dialog box and look at your logon session's Kerberos ticket cache, double-click the kerbtray icon in the status area of your Windows desktop. The kerbtray icon is only displayed if you started the kerbtray program—it looks like a green ticket.

The upper pane of the kerbtray dialog box shows all Kerberos tickets (both service tickets and TGTs) that are cached in your logon session's Kerberos ticket cache. The lower part of the dialog box has four tabs: Names, Times, Flags and Encryption Types. The content of these tabs differs depending on the ticket that is selected in the upper pane.

  • The Names tab shows the name of the security principal the Kerberos ticket was issued to [this is the user's User Principal Name (UPN)], together with the name of the service for which the ticket was issued [this is the service's Service Principal Name (SPN)].
  • The Times tab shows the validity period of the ticket: its start and end time. For both TGTs and tickets, the default validity period is 10 hours.
  • The Flags tab shows the Kerberos ticket flags that have been set in the ticket. Examples of ticket flags are the forwarded and proxy flags used during the Kerberos delegation process. For a more detailed explanation of all the Kerberos ticket flags, I refer to the Kerberos Version 5 (V5) standard document [Request For Comments (RFC) 1510], which can be downloaded from the IETF Web site at
  • Finally, the Encryption Types tab shows the names of the symmetric encryption algorithms that were used by the Kerberos software to encrypt the tickets' content.

Looking at the Kerberos ticket cache using the Klist utility.

To purge the tickets in the Kerberos ticket cache, right-click the kerbtray icon in your desktop's status area and select Purge Tickets. This option deletes all tickets in your ticket cache. Use this option with extreme caution: Deleting tickets may stop you from authenticating to other Windows services during your logon session. If you have purged your tickets, you can only obtain new ones by logging off and then logging on again.

To display the content of the Kerberos ticket cache using the klist command-line utility, type the following at the command prompt:

    Klist tickets
    Klist tgt

The first command will bring up the service tickets in the cache, and the second command will bring up the TGTs in the cache. To purge the cache from the command line, type:

    Klist purge

Again, use the latter command with extreme caution.

The kerbtray utility displays more ticket information than the klist utility does -- it also displays the information in a much more readable format. For example, the klist utility displays the TGT tickets flags altogether in a single hexadecimal string: It is up to the user to decipher this string and retrieve the associated ticket flags.

Click for the next excerpt in this series: Kerberos configuration.

Click for the book excerpt series or visit Elsevier to obtain the complete book.

Read more on IT for small and medium-sized enterprises (SME)