Kerberos Introduction
Kerberos in Greek mythology was the three-headed dog guarding the gates to the underworld.
Kerberos was developed as part of MIT's Project Athena and was adopted by Microsoft as the default authentication protocol in Windows 2000.
All flavours of Kerberos provide authentication; the Microsoft implementation additionally carries authorization data (the user's group membership, in the PAC) inside the ticket.
So what does that mean?
• THE default authentication protocol for AD.
• Based on a trusted third party model.
• Provides a mechanism for authentication, and for mutual authentication, between a client and a server.
• Based on tickets containing the client's identity and a session key, encrypted with a shared (symmetric) key.
What you get from it:
• Authentication interoperability
• Impersonation
• Increased authentication efficiency (it's just faster: the server validates the ticket locally instead of contacting a DC for every authentication, as NTLM pass-through does)
• Mutual authentication (it can verify you and you can verify it)
• Protocol transition (a user authenticates first with another protocol, such as NTLM, and the service then obtains a Kerberos ticket on the user's behalf)
• Constrained delegation (impersonation with rules: only towards the services listed on the account)
• Smartcards
The KDC
• The KDC is the trusted 3rd party; it provides scalability, because no server ever needs to hold the clients' keys.
• The KDC is made up of 2 sub-services:
  • (AS) Authentication Service
  • (TGS) Ticket Granting Service
• The KDC holds a copy of each entity's master key (symmetric crypto); in AD the master key is derived from the account password.
• The KDC issues session keys to each entity, encrypted with that entity's master key.
- DWORD value c0000043 (this value prints the most standard set of debug messages; try it first. If you still want to see more output, set it to ffffffff).
Some common Kerberos failure codes
• KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6): client not found in the Kerberos database; surfaces on Windows as STATUS_NO_SUCH_USER
• KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7): server not found in the Kerberos database (usually a missing or mistyped SPN)
• KDC_ERR_PRINCIPAL_NOT_UNIQUE (0x8): multiple principal entries in the database (duplicate SPN)
• KDC_ERR_KEY_EXPIRED (0x17): password has expired; change the password to reset
• KRB_AP_ERR_SKEW (0x25): clock skew too great (more than the 5 minutes allowed by default)
• KRB_ERR_RESPONSE_TOO_BIG (0x34): response too big for UDP; retry with TCP
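To make the KDC slides and the failure codes above concrete, here is an added example (not part of the original deck, and not Windows or MIT code) that simulates the three Kerberos exchanges in Python: AS (client gets a TGT), TGS (client trades the TGT for a service ticket), AP (client presents the ticket and the service proves itself back, i.e. mutual authentication). The KDC holds every principal's master key and seals each session key under the receiving entity's master key, exactly as the KDC slide describes. The realm EXAMPLE.LOCAL, the principal names, the passwords and the toy SHA-256/HMAC cipher are all constructed for this illustration; real Kerberos uses ASN.1 messages and AES encryption types (RFC 4120, RFC 3962). The scenarios at the end reproduce KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN and KRB_AP_ERR_SKEW from the list above, plus a bad-password logon.

```python
import hashlib, hmac, json, os, time
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB_AP_ERR_SKEW = 6, 7, 37  # RFC 4120 codes
MAX_SKEW = 300  # Windows default clock-skew tolerance, in seconds
class KerberosError(Exception): pass  # args[0] carries the numeric error code

# Toy authenticated encryption (SHA-256 counter keystream + HMAC tag), a stand-in for a real Kerberos etype.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # wrong key (bad password) or tampered ticket
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password, salt):  # master key from a password, like Kerberos string2key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

class KDC:
    """Trusted third party holding every principal's master key; plays both AS and TGS."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.tgt_key = self.keys["krbtgt/" + realm] = os.urandom(32)
    def enroll(self, principal, password):
        return self.keys.setdefault(principal, derive_key(password, self.realm + principal))
    def as_exchange(self, cname):
        """AS-REQ/AS-REP: TGT sealed under the krbtgt key, session key sealed under the client's master key."""
        if cname not in self.keys:
            raise KerberosError(KDC_ERR_C_PRINCIPAL_UNKNOWN)
        sk = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"cname": cname, "skey": sk})
        return tgt, seal(self.keys[cname], {"skey": sk, "sname": "krbtgt/" + self.realm})
    def tgs_exchange(self, tgt, authenticator, sname):
        """TGS-REQ/TGS-REP: service ticket sealed under the service's master key, new session key under the TGT's."""
        t = unseal(self.tgt_key, tgt)
        sk = bytes.fromhex(t["skey"])
        if unseal(sk, authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        if sname not in self.keys:
            raise KerberosError(KDC_ERR_S_PRINCIPAL_UNKNOWN)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "skey": svc_sk})
        return ticket, seal(sk, {"skey": svc_sk, "sname": sname})

class Service:
    def __init__(self, kdc, sname, password):
        self.sname, self.key = sname, kdc.enroll(sname, password)  # key shared only with the KDC
    def ap_exchange(self, ticket, authenticator):
        """AP-REQ/AP-REP: check ticket and authenticator, then prove we hold the session key."""
        t = unseal(self.key, ticket)            # only the KDC could have sealed this
        sk = bytes.fromhex(t["skey"])
        auth = unseal(sk, authenticator)        # only the ticket's rightful owner knows sk
        if auth["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        if abs(time.time() - auth["ts"]) > MAX_SKEW:
            raise KerberosError(KRB_AP_ERR_SKEW)
        return seal(sk, {"ts": auth["ts"]})     # AP-REP: echo the timestamp under sk

class Client:
    def __init__(self, kdc, cname, password):
        self.kdc, self.cname, self.tgt = kdc, cname, None
        self.key = derive_key(password, kdc.realm + cname)  # the password never leaves the client
    def logon(self):
        self.tgt, enc = self.kdc.as_exchange(self.cname)
        self.tgt_key = bytes.fromhex(unseal(self.key, enc)["skey"])  # wrong password -> ValueError
    def get_service_ticket(self, sname):
        auth = seal(self.tgt_key, {"cname": self.cname, "ts": time.time()})
        ticket, enc = self.kdc.tgs_exchange(self.tgt, auth, sname)
        return ticket, bytes.fromhex(unseal(self.tgt_key, enc)["skey"])
    def access(self, service, clock_offset=0.0):
        ticket, sk = self.get_service_ticket(service.sname)
        ts = time.time() + clock_offset
        ap_rep = service.ap_exchange(ticket, seal(sk, {"cname": self.cname, "ts": ts}))
        if unseal(sk, ap_rep)["ts"] != ts:      # mutual authentication: the service must know sk too
            raise ValueError("service could not prove knowledge of the session key")
        return True

def run_scenarios():  # happy path plus the failure codes listed above; all principals/passwords constructed
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.enroll("alice", "correct horse battery")
    web = Service(kdc, "HTTP/web01.example.local", "svc-web-secret")
    alice = Client(kdc, "alice", "correct horse battery")
    alice.logon()
    results = {"ok": alice.access(web)}
    cases = {"unknown_client": lambda: Client(kdc, "mallory", "x").logon(),
             "unknown_service": lambda: alice.get_service_ticket("cifs/nosuchhost"),
             "skew": lambda: alice.access(web, clock_offset=2 * MAX_SKEW),
             "bad_password": lambda: Client(kdc, "alice", "wrong").logon()}
    for name, fn in cases.items():
        try:
            fn()
        except (KerberosError, ValueError) as e:
            results[name] = e.args[0] if isinstance(e, KerberosError) else "integrity"
    return results
```

Two points worth noticing in the flow: the client's password is only ever used locally to unseal the AS reply, so a wrong password shows up as an integrity failure on the client rather than anything the KDC sees; and the service never talks to the KDC at all, which is the scalability point from the KDC slide. The skew scenario is why the "clock skew too great" error is so common in practice: the authenticator timestamp is checked by the service, not the KDC, so any member server whose clock drifts more than five minutes from the client breaks authentication.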
Troubleshooting
- Use the Windows security log: look for 540 events (4624 on Windows Vista / Server 2008 and later), which show you the authentication package used and any transited services
- Check for duplicate SPNs (setspn -X)
- Check SPN syntax (serviceclass/host[:port][/servicename])
- Check delegation settings (the Delegation tab, i.e. userAccountControl and msDS-AllowedToDelegateTo)
- ADSI Edit is your friend
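The three directory checks in the troubleshooting list (duplicate SPNs, SPN syntax, delegation settings) can be run offline against an LDIF export of the accounts that carry SPNs. The following is an added example, not from the deck: it assumes an export such as ldifde -f spns.ldf -r "(servicePrincipalName=*)" -l sAMAccountName,userAccountControl,servicePrincipalName,msDS-AllowedToDelegateTo would produce, and the sample entries (WEB01, svc-web, SQL01 in a constructed example.local domain) are made up for the illustration. The userAccountControl bit values are the documented Windows flags; everything else (function names, the SPN regex) is this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of an ldifde export (three accounts, one deliberate duplicate and one malformed SPN).
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=example,DC=local
sAMAccountName: WEB01$
userAccountControl: 528384
servicePrincipalName: HOST/WEB01
servicePrincipalName: HOST/web01.example.local
servicePrincipalName: HTTP/web01.example.local

dn: CN=svc-web,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-web
userAccountControl: 16843264
servicePrincipalName: http/web01.example.local
servicePrincipalName: HTTP/web01.example.local:8080
servicePrincipalName: MSSQLSvc web01.example.local:1433
msDS-AllowedToDelegateTo: MSSQLSvc/sql01.example.local:1433

dn: CN=SQL01,OU=Servers,DC=example,DC=local
sAMAccountName: SQL01$
userAccountControl: 4096
servicePrincipalName: MSSQLSvc/sql01.example.local:1433
"""

# userAccountControl bits that decide the delegation mode (documented ADS_USER_FLAG values).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: the account receives users' forwarded TGTs
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self) permitted

# serviceclass/host[:port][/servicename]; class and host may not contain '/', ':' or whitespace.
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9._-]+(:[A-Za-z0-9._-]+)?(/[^/\s]+)?$")

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry, with wrapped lines unfolded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folds long values onto lines starting with a space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr].append(value.strip())
    return entries

def find_duplicate_spns(entries):
    """SPNs registered on more than one account; AD compares SPNs case-insensitively, so fold case."""
    owners = defaultdict(list)
    for e in entries:
        for spn in e.get("servicePrincipalName", []):
            owners[spn.lower()].append(e["sAMAccountName"][0])
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}

def check_spn_syntax(entries):
    """(account, spn) pairs that do not fit serviceclass/host[:port][/servicename]."""
    return [(e["sAMAccountName"][0], spn) for e in entries
            for spn in e.get("servicePrincipalName", []) if not SPN_RE.match(spn)]

def delegation_report(entries):
    """account -> 'none' | 'unconstrained' | 'constrained[ (protocol transition)] -> targets'."""
    report = {}
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        targets = e.get("msDS-AllowedToDelegateTo", [])
        if uac & TRUSTED_FOR_DELEGATION:
            kind = "unconstrained"
        elif targets:
            kind = "constrained"
            if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
                kind += " (protocol transition)"
            kind += " -> " + ", ".join(targets)
        else:
            kind = "none"
        report[e["sAMAccountName"][0]] = kind
    return report

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("duplicate SPNs:", find_duplicate_spns(found))
    print("malformed SPNs:", check_spn_syntax(found))
    print("delegation:", delegation_report(found))
```

On the sample data the duplicate check flags HTTP/web01.example.local as registered on both WEB01$ and svc-web (the KDC cannot tell which key to encrypt the ticket with, hence KDC_ERR_PRINCIPAL_NOT_UNIQUE), the syntax check catches the space where a slash should be, and the delegation report shows WEB01$ as unconstrained, which is the setting a reviewer should question first since that server will receive forwarded TGTs of every user who connects to it.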
Multiforest
- Kerberos has been supported across forests since Windows Server 2003, via the forest trust introduced in that release
- Delegation across forests is not supported
- FQDNs are required, so that the SPN can be routed to the correct forest (name suffix routing); short names resolve only in the local forest
- Root hints are used to find the target KDC