Active Directory and NT Kerberos - PowerPoint PPT Presentation

1 / 22

About This Presentation

Title:

Active Directory and NT Kerberos

Description:

What does NT Kerberos look like on the wire? KTNet - A native NT ... MIT Kerberos v5 - an Open Standard. Kerberos is the default authenticator in W2K domains ... – PowerPoint PPT presentation

Number of Views:36

Avg rating:3.0/5.0

Slides: 23

Provided by: jdgl

Category:

more less

Transcript and Presenter's Notes

Title: Active Directory and NT Kerberos

1
Active Directory and NT Kerberos

Rooster
JD Glaser

2
Introduction to NT Kerberos v5

What is NT Kerberos?
How is it different from NTLM
NT Kerberos vs MIT Kerberos
Delegation and Client Authentication
What does NT Kerberos look like on the wire?
KTNet - A native NT Kerberos telnet server

3
What is NT Kerberos

NTs new authentication system
MIT Kerberos v5 - an Open Standard
Kerberos is the default authenticator in W2K
domains
NTLM still used for compatibility
usually the weakest version

4
How is it different from NTLM

Doesnt use a password hash system
Requires fewer authentication calls
More sophisticated - Yes
More secure? - Possibly in pure mode
Backwards compatibility hinders it
NTLM v2 is strong in pure mode as well

5
NT Kerberos

Integrated with platform
Locates KDC via DNS - DNS server required for
install
No support for DCE style cross-realm trust
No raw krb5 API
Postdated tickets (not implemented)
Uses authdata field in ticket

6
Windows 2000 Kerberos standards

RFC-1510
Kerberos change password protocol Kerberos set
password protocolRC4-HMAC Kerberos Encryption
type
PKINIT

7
Kerberos Interoperability Scenarios

Kerberos clients in a Win2000 domain
Kerberos servers in a Win2000 domain
Standalone Win2000 systems in a Kerberos realm
Using a Kerberos realm as a resource domain
Using a Kerberos realm as an account domain

8
MIT Kerberos Differences

Win2000
Clients
Just logon
Just logoff
Domain membership
Example app everything
Servers
Use computer account via SCM

MIT
Clients
User logon with kinit
User logoff with kdestroy
Configured with /etc/krb5.conf
Example app telnet
Servers
Do not logon use saved keys from keytab

9
Using Kerberos clients

Customer wants to have its non-windows Kerberos
users use their Win2000 accounts

nt.company.com

Setup the /etc/krb5.conf
Users kinit with their Win2000 account

Unix workstation
Windows 2000 Server
10
Using Kerberos servers

Customer wants to user their Kerberos enabled
database server in an n-tier application
front-ended by IIS

nt.company.com

/etc/krb5.conf on database server
Create service account in domain
Use ktpass to export a keytab
Copy keytab to database server
IIS server is trusted for delegation

Windows 2000 Wks
Windows 2000 IIS Server
Unix Database Server
11
Kerberos realm as an account domain

User logon with Kerberos principal
User has shadow account in an account domain (for
applying authz)
Mapping is used at logon for domain identity

Domain trusts realm users
user_at_win2k.domain.com (user_at_MIT.REALM.COM)
comp_at_win2k.domain.com
User_at_MIT.REALM.COM
win2k.domain.com
MIT.REALM.COM
12
Standalone Win2000 computers

An employee has a Win2000 computer that they want
to use in a Kerberos realm

MIT.REALM.COM

Configure system as standalone (no domain)
Use Ksetup to configure the realm
Use Ksetup to establish the local account mapping
Logon to Kerberos realm

Linux/Unix
Win2000
13
Trusting a Kerberos realm

Win2000 users accessing services in Kerberos
realms
Kerberos users accessing services in domains

14
Windows 2000 Domain Trusts
Explicit Kerberos trust
microsoft.com
Kerberos realm
Domain
fareast. microsoft. com
europe. microsoft. com
Explicit Windows NT 4.0-style trust
Domain
Domain
Domain
Domain
15
Cross-domain Authentication
company.com
west.company.com
east.company.com
KDC
KDC
srv1.east.company.com
Windows 2000 Professional
Windows 2000 Server
16
Using Unix KDCs withWindows 2000 Authorization
COMPANY.REALM
nt.company.com
MITKDC
Windows 2000KDC
Name Mapping to NT account
Windows 2000 Server
Win2000 Professional
17
NT Kerberos vs MIT Kerberos