Windows NT will also implement extensions to the Kerberos protocol to support authentication based on private/public-key pairs in addition to shared secret keys. The public-key authentication extensions allow clients to request an initial TGT using a private key, while the KDC verifies the request using the public key obtained from an X.509 certificate stored in the user object in the Windows NT Directory Service. The user's certificate could be issued by a third-party Certificate Authority, such as VeriSign's Digital IDs, or from the Windows NT Certificate Services. After the initial private-key authentication, standard Kerberos protocols for obtaining session tickets are used to connect to network services.
A proposal to extend the Kerberos protocol specification to provide a method for using public-key cryptography for initial authentication is submitted to the IETF working group for review. Microsoft is participating in the IETF standards process and intends to support the standard protocol extensions for public key.
Public-key authentication extensions to the Kerberos protocol provides a foundation for network authentication using smart card technology. In the future, there will be many options for obtaining certificates for end users depending on their organization affiliation or job requirements. Windows NT will provide a Certificate Server for organizations that want to issue public-key certificates to their users without depending on commercial CA services. The certificate policy is straightforward—certificates are issued to users authenticated using valid Domain account credentials. The next section describes how those certificates can be used for intranet and Internet access to resources on Windows NT.