Active Directory and NT Kerberos - PowerPoint PPT Presentation

About This Presentation

Title: Active Directory and NT Kerberos

Description: What does NT Kerberos look like on the wire? KTNet - A native NT ... MIT Kerberos v5 - an Open Standard. Kerberos is the default authenticator in W2K domains ... (PowerPoint PPT presentation)

Slides: 23
Provided by: jdgl

Transcript and Presenter's Notes

1
Active Directory and NT Kerberos
  • Rooster
  • JD Glaser

2
Introduction to NT Kerberos v5
  • What is NT Kerberos?
  • How is it different from NTLM
  • NT Kerberos vs MIT Kerberos
  • Delegation and Client Authentication
  • What does NT Kerberos look like on the wire?
  • KTNet - A native NT Kerberos telnet server

3
What is NT Kerberos
  • NT's new authentication system
  • MIT Kerberos v5 - an Open Standard
  • Kerberos is the default authenticator in W2K
    domains
  • NTLM still used for compatibility
  • Usually the weakest version is the one that gets used

4
How is it different from NTLM
  • Doesn't use a password hash system
  • Requires fewer authentication calls
  • More sophisticated - Yes
  • More secure? - Possibly in pure mode
  • Backwards compatibility hinders it
  • NTLM v2 is strong in pure mode as well

5
NT Kerberos
  • Integrated with platform
  • Locates KDC via DNS - DNS server required for
    install
  • No support for DCE style cross-realm trust
  • No raw krb5 API
  • Postdated tickets (not implemented)
  • Uses authdata field in ticket

6
Windows 2000 Kerberos standards
  • RFC-1510
  • Kerberos change password protocol
  • Kerberos set password protocol
  • RC4-HMAC Kerberos encryption type
  • PKINIT

7
Kerberos Interoperability Scenarios
  • Kerberos clients in a Win2000 domain
  • Kerberos servers in a Win2000 domain
  • Standalone Win2000 systems in a Kerberos realm
  • Using a Kerberos realm as a resource domain
  • Using a Kerberos realm as an account domain

8
MIT Kerberos Differences
  • Win2000
    • Clients
      • Just logon
      • Just logoff
      • Domain membership
      • Example app: everything
    • Servers
      • Use computer account via SCM
  • MIT
    • Clients
      • User logon with kinit
      • User logoff with kdestroy
      • Configured with /etc/krb5.conf
      • Example app: telnet
    • Servers
      • Do not logon; use saved keys from keytab

9
Using Kerberos clients
  • Customer wants its non-Windows Kerberos users to
    use their Win2000 accounts
  • Set up /etc/krb5.conf
  • Users kinit with their Win2000 account

[Diagram: Unix workstation authenticating to a Windows 2000 Server in nt.company.com]

10
Using Kerberos servers
  • Customer wants to use their Kerberos-enabled
    database server in an n-tier application
    front-ended by IIS
  • /etc/krb5.conf on database server
  • Create service account in domain
  • Use ktpass to export a keytab
  • Copy keytab to database server
  • IIS server is trusted for delegation
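The /etc/krb5.conf that slides 9 and 10 both call for, written out here as an added example (it is not from the original slides). The realm name is the upper-cased DNS name of the Windows 2000 domain, which is what Windows uses; the domain controller name dc1.nt.company.com is an assumption, as is any host or service name mentioned in the comments.

```ini
# /etc/krb5.conf for a Unix workstation (slide 9) or a Unix database
# server (slide 10) that authenticates against the Windows 2000 domain
# nt.company.com. Added example; host names are assumptions.
[libdefaults]
    default_realm = NT.COMPANY.COM
    # Windows 2000 publishes its KDCs in DNS as _kerberos._tcp SRV records
    # (slide 5), so the client can discover them instead of relying only on
    # the static list below.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    NT.COMPANY.COM = {
        # Every domain controller is a KDC; listing one explicitly keeps
        # kinit working when the host's resolver cannot see the SRV records.
        kdc = dc1.nt.company.com:88
        # The Windows change/set password service (slide 6) listens on 464.
        kpasswd_server = dc1.nt.company.com:464
    }

[domain_realm]
    # Map hosts in the DNS domain to the Windows realm, so a request for a
    # service ticket such as sqlsvc/db1.nt.company.com is sent to the
    # right KDC rather than the default realm's.
    .nt.company.com = NT.COMPANY.COM
    nt.company.com = NT.COMPANY.COM
```

On the workstation a user then runs kinit user@NT.COMPANY.COM and klist shows the krbtgt/NT.COMPANY.COM ticket issued by the domain controller. On the database server the keytab exported with ktpass on a domain controller (slide 10) is copied into place, normally /etc/krb5.keytab, and klist -k confirms it holds the service principal; the keytab's encryption type has to be one the Windows 2000 KDC actually issues for that account (RC4-HMAC or DES), otherwise the service cannot decrypt the tickets clients present.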

[Diagram: Windows 2000 workstation, Windows 2000 IIS server and Unix database server in nt.company.com]

11
Kerberos realm as an account domain
  • User logon with Kerberos principal
  • User has shadow account in an account domain (for
    applying authz)
  • Mapping is used at logon for domain identity

[Diagram: domain win2k.domain.com trusts realm users from MIT.REALM.COM; user@win2k.domain.com (user@MIT.REALM.COM), comp@win2k.domain.com, user@MIT.REALM.COM]

12
Standalone Win2000 computers
  • An employee has a Win2000 computer that they want
    to use in a Kerberos realm
  • Configure system as standalone (no domain)
  • Use Ksetup to configure the realm
  • Use Ksetup to establish the local account mapping
  • Logon to Kerberos realm

[Diagram: Win2000 computer and Linux/Unix hosts in the MIT.REALM.COM realm]

13
Trusting a Kerberos realm
  • Win2000 users accessing services in Kerberos
    realms
  • Kerberos users accessing services in domains

14
Windows 2000 Domain Trusts
[Diagram: Windows 2000 domain trusts: microsoft.com with child domains fareast.microsoft.com and europe.microsoft.com, an explicit Kerberos trust to a Kerberos realm, and explicit Windows NT 4.0-style trusts to other domains]

15
Cross-domain Authentication
[Diagram: cross-domain authentication: KDCs in west.company.com and east.company.com under company.com; a Windows 2000 Professional client reaching srv1.east.company.com, a Windows 2000 Server]

16
Using Unix KDCs with Windows 2000 Authorization

[Diagram: MIT KDC for COMPANY.REALM and a Windows 2000 KDC for nt.company.com; name mapping to an NT account; Windows 2000 Server and Win2000 Professional]

17
NT Kerberos vs MIT Kerberos
  • NT caches the password for ticket renewal
  • It's not certain whether NT uses ticket caching to
    track stolen or replayed tickets

18
Kerberos v5 Ticket Details
19
Delegation and Client Authentication
20
NT Kerberos On The Wire
21
Thank you
  • Rooster, rooster@attrition.org
  • JD Glaser, jd.glaser@foundstone.com

22
Appendix
  • John Brezak, PM - Microsoft
  • Kerberos Talk - MTB 99