Kerberos

The Kerberos security package uses the Kerberos authentication protocol (RPC_C_AUTHN_GSS_KERBEROS), which defines how clients interact with a network authentication service. Clients obtain tickets from the authentication service, which is called a Key Distribution Center (KDC), and present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

Like NTLM, Kerberos uses the domain name/user name/password to represent the client's identity. The initial Kerberos ticket (the ticket-granting ticket) is obtained from the KDC when the user logs on; the KDC's reply is encrypted with a key derived from the user's password, so the password itself never crosses the network and only a client holding the correct password can use the ticket. This initial ticket is cached. When the user tries to connect to a server, Kerberos checks the ticket cache for a valid ticket for that server. If one is not available, the initial ticket is sent to the KDC along with a request for a ticket for the specified server. The resulting service ticket is added to the cache and is reused for connections to that server until it expires, after which a new one is requested.

When a server calls CoQueryClientBlanket using Kerberos, the client's domain name and user name are returned. When a server calls CoImpersonateClient, the client's token is returned. These behaviors are the same as when using NTLM.

Kerberos works across machine boundaries, so the local system account can make secure remote calls (it is authenticated as the computer's domain account). For Kerberos to work, the client and server machines must both be running Windows NT 5.0, and the client and server identities must belong to Windows NT 5.0 domains that have Kerberos enabled and share a trust relationship.

Kerberos requires mutual authentication and supports it remotely. The client must specify the principal name of the server (in COM, through the pServerPrincName parameter of CoSetProxyBlanket), and the server's identity must match that principal name exactly: the KDC issues a service ticket encrypted for the named principal, and a server running under any other identity cannot decrypt it. If the client specifies NULL for the server's principal name, or if the principal name doesn't match the server, the call will fail.
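The ticket flow described earlier on this page (AS exchange at logon, a cached service ticket fetched with the initial ticket and reused until it expires) together with the principal-name requirement in the preceding paragraph, as an added example in Python. This is a toy model written for this page, not Windows or COM code and not Microsoft's implementation: the realm, the principal names and the secrets are constructed, and seal/unseal are a stand-in for Kerberos encryption types rather than real Kerberos cryptography. What it does reproduce is the structure of the exchanges: who holds which key, which messages each side can open, and why a ticket issued for the wrong principal name is rejected.

```python
import hashlib, hmac, json, os
TGT_LIFETIME, TICKET_LIFETIME = 10 * 3600, 8 * 3600  # seconds; assumed values for this toy realm

def derive_key(secret: str) -> bytes:  # stand-in for Kerberos string-to-key (password -> long-term key)
    return hashlib.sha256(secret.encode()).digest()

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (keystream XOR + HMAC): only a holder of `key` can open or forge it.
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("sealed under a different key")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self, principals: dict):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.krbtgt = os.urandom(32)  # the KDC's own ticket-granting key

    def as_exchange(self, client: str, now: int) -> bytes:
        # AS-REP: a TGT sealed under the KDC key, inside a reply sealed under the client's
        # password-derived key. The password never crosses the wire; a wrong one cannot open the reply.
        sk, exp = os.urandom(32).hex(), now + TGT_LIFETIME
        tgt = seal(self.krbtgt, {"client": client, "sk": sk, "exp": exp})
        return seal(self.keys[client], {"sk": sk, "tgt": tgt.hex(), "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, server: str, now: int) -> bytes:
        t = unseal(self.krbtgt, tgt)
        sk = bytes.fromhex(t["sk"])
        if now >= t["exp"] or unseal(sk, authenticator)["client"] != t["client"]:
            raise PermissionError("expired TGT or bad authenticator")
        ssk, exp = os.urandom(32).hex(), min(now + TICKET_LIFETIME, t["exp"])
        # The service ticket is sealed under the key of whichever principal the client *named*.
        ticket = seal(self.keys[server], {"client": t["client"], "sk": ssk, "exp": exp})
        return seal(sk, {"sk": ssk, "ticket": ticket.hex(), "exp": exp})

class Server:
    def __init__(self, principal: str, secret: str):
        self.principal, self.key = principal, derive_key(secret)

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)  # fails if the client named some other principal for this server
        sk = bytes.fromhex(t["sk"])
        if now >= t["exp"] or unseal(sk, authenticator)["client"] != t["client"]:
            raise PermissionError("expired ticket or bad authenticator")
        # AP-REP: proves to the client that this server could open the ticket (mutual authentication).
        return seal(sk, {"client": t["client"], "server": self.principal})

class Client:
    def __init__(self, kdc: KDC, principal: str, password: str, now: int):
        self.kdc, self.principal, self.key = kdc, principal, derive_key(password)
        self.tgt = unseal(self.key, kdc.as_exchange(principal, now))  # logon: AS exchange
        self.cache, self.tgs_requests = {}, 0  # cache: server principal -> service ticket

    def _ticket_for(self, server: str, now: int) -> dict:
        cached = self.cache.get(server)
        if cached and now < cached["exp"]:
            return cached  # reuse the cached service ticket until it expires
        sk = bytes.fromhex(self.tgt["sk"])
        auth = seal(sk, {"client": self.principal, "ts": now})
        rep = unseal(sk, self.kdc.tgs_exchange(bytes.fromhex(self.tgt["tgt"]), auth, server, now))
        self.cache[server], self.tgs_requests = rep, self.tgs_requests + 1
        return rep

    def connect(self, server_principal: str, server: Server, now: int) -> str:
        # server_principal plays the role of the server principal name the client must supply.
        t = self._ticket_for(server_principal, now)
        sk = bytes.fromhex(t["sk"])
        ap_rep = server.accept(bytes.fromhex(t["ticket"]), seal(sk, {"client": self.principal, "ts": now}), now)
        return unseal(sk, ap_rep)["client"]  # identity the server saw, confirmed by mutual authentication

def _fails(call) -> str:
    try:
        call()
        return ""
    except PermissionError as e:
        return str(e)

def demo() -> dict:
    # Constructed sample realm (all names and secrets are assumptions): one user and two services.
    kdc = KDC({"alice@EXAMPLE": "correct horse", "host/srv1.example@EXAMPLE": "s1-secret",
               "host/srv2.example@EXAMPLE": "s2-secret"})
    srv1, t0 = Server("host/srv1.example@EXAMPLE", "s1-secret"), 1_000_000
    alice = Client(kdc, "alice@EXAMPLE", "correct horse", t0)
    out = {"seen_by_srv1": alice.connect(srv1.principal, srv1, t0)}
    alice.connect(srv1.principal, srv1, t0 + 60)
    out["tgs_after_two_calls"] = alice.tgs_requests  # 1: the second call reused the cached ticket
    alice.connect(srv1.principal, srv1, t0 + TICKET_LIFETIME + 1)
    out["tgs_after_expiry"] = alice.tgs_requests  # 2: the expired ticket was requested again
    # Naming srv2's principal while talking to srv1: the ticket is sealed under srv2's key, so srv1 rejects it.
    out["wrong_principal"] = _fails(lambda: alice.connect("host/srv2.example@EXAMPLE", srv1, t0 + 120))
    out["wrong_password"] = _fails(lambda: Client(kdc, "alice@EXAMPLE", "nope", t0))
    return out
```

Calling demo() walks through the behaviour the text describes: srv1 sees the client as alice@EXAMPLE, the second call to the same server costs no KDC round trip, the third call after the ticket lifetime has elapsed triggers a fresh request, and naming srv2's principal to srv1 is rejected because the ticket was sealed for a different identity. The wrong-password case fails at logon for the same structural reason: the AS reply is sealed under a key derived from the real password, so a client with the wrong one cannot open it.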

With Kerberos, the impersonation levels identify, impersonate, and delegate can all be used. When a server calls CoImpersonateClient, the token returned is valid off the machine (that is, usable for outgoing authenticated calls when delegation is in effect) for some period between 5 minutes and 8 hours, bounded by the lifetime of the client's Kerberos ticket. After this time, the token can be used on the server machine only. If a server is "run as activator" and the activation is done with Kerberos, the server's token likewise expires between 5 minutes and 8 hours after activation.

Kerberos supports cloaking in Windows NT 5.0.