SUMMARY

The Microsoft Windows 2000 implementation of the Kerberos version 5 protocol is designed for interoperability with other security services based on MIT Kerberos version 5. Microsoft implements Kerberos based on RFC 1510 as an authentication package that replaces NTLM. Kerberos version 5 is the default authentication package for Windows 2000. It is important to remember that Kerberos does not authorize access to resources; it authenticates a user's identity. Once the client's identity is verified, the Local Security Authority authorizes or denies access.

For additional information, see the following article in the Microsoft Knowledge Base:
Q217098 Basic Overview of Kerberos Authentication in Windows 2000

MORE INFORMATION

Kerberos Ticket Flags

Bit 0 - Reserved: None.
Bit 1 - Forwardable: The ticket can be forwarded. This applies only to a TGT.
Bit 2 - Forwarded: A TGT or ticket that has been forwarded.
Bit 3 - Proxiable: This ticket can be proxied.
Bit 4 - Proxy: A ticket that has been proxied.
Bit 5 - May Postdate: In a TGT, this means that subsequent tickets can be postdated.
Bit 6 - Postdated: A ticket with a START-TIME time stamp in the future.
Bit 7 - Invalid: This flag is set on a postdated ticket and cleared by the TGS when the ticket is presented for validation at its start time.
Bit 8 - Renewable: Specifies whether the same ticket may be used beyond its original lifetime. The default Kerberos policy is 10 hours, but the ticket may be renewable for a longer period of time.
Bit 9 - Initial: This ticket resulted from an AS_REQ message and was not based on a TGT. The TGT, tickets issued by remote untrusted domain services, and programs such as password-changing programs might require this flag.
Bit 10 - Pre-authent: Specifies that some pre-authentication was required (and passed) before the ticket was issued. This is the result of any pre-authentication data sent in the pre-authentication data field of the AS_REQ or TGS_REQ messages. Microsoft Kerberos requires this by default.
Bit 11 - HW-authent: Indicates that some hardware device was used for pre-authentication. Microsoft Kerberos does not currently use this flag.
Bit 12 - Transited Policy Checked: In the case of a cross-domain authentication, this flag indicates that the KDC has checked the transited field to make sure that every domain the ticket has passed through was trusted.
Bit 13 - OK As Delegate: If set, indicates that the server specified in the ticket has been approved by the domain policy to be used as a client delegate. That is, the specified server can make use of a proxy or forwarded ticket. Whether a computer can be trusted for delegation is set under the computer's properties.
Bit 14 - Anonymous: Indicates that the principal is a generic domain account, such as anonymous, for the purpose of distributing a session key.
Bits 15-31 - Reserved: None at this time.

Description of the KDC

The Key Distribution Center (KDC) is a service that runs on every Windows 2000 domain controller and is responsible for maintaining master keys for all principals. The part of the KDC service that gives the client a logon session key and a Ticket-Granting Ticket (TGT) is known as the Authentication Service (AS). The KDC then distributes a service session key and a ticket for the service through the Ticket-Granting Service (TGS).
The final step in the authentication process, in which the client presents the ticket for admission to a service, is called the Client/Server (CS) Exchange.

NOTE: This is a simplified overview; many more steps may be necessary for a complete picture of the process.

KDC Options for KRB_AS_REQ and KRB_TGS_REQ Messages

The following KDC options can be set in an AS_REQ or TGS_REQ.

Bit 0 - Reserved: None.
Bit 1 - Forwardable: The ticket can be forwarded. A forwarded ticket is a type of proxy, allowing the ticket to be used from a specified address to obtain additional service tickets on behalf of the client. Allowed addresses are specified in the message's addresses field.
Bit 2 - Forwarded: The ticket is a forwarded ticket.
Bit 3 - Proxiable: The ticket can be proxied. A proxied ticket can be valid from specified addresses other than the original client's address. The difference between proxy and forwarded tickets is that a proxy ticket is used to authenticate a client to a specific target, whereas a forwarded ticket is a TGT, allowing a service to act as if it were the client and to request new service tickets from the TGS, again as if it were the original client.
Bit 4 - Proxy: The ticket is a proxy ticket.
Bit 5 - Allow Postdate: A service (for example, a backup service) can start and request a ticket that can be postdated, meaning that it will be valid at some requested time in the future (hours or days away). This allows the service to start and run without the additional security risk of having a valid ticket stored in the LSA's credential cache. When the service wants the ticket to be activated, it sends a TGS request with the VALIDATE flag set (see bit 31 below).
Bit 6 - Post-dated: The ticket is post-dated.
Bit 7 - Reserved: None.
Bit 8 - Renewable: Tickets are normally valid for 10 hours, depending on the domain's Kerberos policy. However, they may be renewable for a longer period of time; this is also set by the Kerberos policy. If a ticket is renewable, the renewal process takes place automatically at the ticket's expiration time.
Bits 9-13 - Reserved: None at this time.
Bit 14 - Request Anonymous: Even if a user is anonymous, a ticket authenticating that the user actually is anonymous needs to be created.
Bits 15-25 - Reserved: None at this time.
Bit 26 - Disable Transited Check: Tickets contain a field that tracks which domains the ticket has passed through to reach the target server. This is used if the target server is not in the client's domain. An MIT Kerberos policy may require that the list of transited domains be checked for valid domains. Microsoft Kerberos does not currently use this policy. However, a Kerberos-aware program may perform its own checking and may request that the normal transit checking be disabled.
Bit 27 - Renewable OK: It is acceptable to issue renewable tickets based on this ticket. This does not mean that the initial ticket, the TGT, should be renewable; that is set by bit 8.
Bit 28 - ENC-TKT-IN-SKEY: Normally, tickets are encrypted with the target server's secret key. However, in user-to-user authentication, the ticket is encrypted with the session key taken from a provided TGT. This flag is used in that situation and means "Encrypt ticket in the session key."
Bit 29 - Reserved: None.
Bit 30 - Renew: This is not used for the AS_REQ.
If a ticket is flagged as renewable and needs to be renewed, this flag is set and the ticket that needs renewal is included with the request (a TGS_REQ).
Bit 31 - Validate: Validate a postdated ticket, based on the start time specified in the ticket.

Kerberos Terminology

Client: An entity that can obtain a ticket. This entity is usually either a user or a host.
Host: A computer that can be contacted over a network.
Kerberos: The Kerberos service was originally intended to have three components: authentication, accounting, and auditing. Accounting and auditing were never implemented, and Kerberos is solely a network security package that was developed at MIT.
KDC: Key Distribution Center. A computer that issues Kerberos tickets.
Keytab: A key table file containing one or more keys. A host or service uses a keytab file in much the same way as a user uses his or her password.
Principal: A string that names a specific entity to which a set of credentials may be assigned. It generally has three parts: primary/instance@DOMAIN.
Service: Any program or computer you use over a network. Examples of services include "host," "ftp," "krbtgt," and "pop."
Ticket: A temporary set of electronic credentials that verify the identity of a client for a particular service.
TGT: Ticket-Granting Ticket. A special Kerberos ticket that permits the client to obtain additional Kerberos tickets within the same Kerberos domain (realm).
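The two flag tables above (ticket flags and KDC options) are both 32-bit fields, and administrators usually meet them as a single hexadecimal number rather than as named flags. The following decoder is an added example written for this article; it is not code from the article or from Microsoft. It assumes the RFC 1510 BIT STRING numbering in which bit 0 is the most-significant bit of the 32-bit value (so "bit 1", Forwardable, is the mask 0x40000000), which is how later Windows versions of klist and the security event log print the field. The sample dump, the flag names, and the hexadecimal values are constructed for the example; the exact text layout of klist output varies by version.

```python
"""Decode the 32-bit Kerberos flag fields (TicketFlags and KDCOptions).

Assumption: both fields are RFC 1510 BIT STRINGs where bit 0 is the
most-significant bit of the 32-bit value, so bit N has mask 1 << (31 - N).
"""
import re

# Bit number -> name for Kerberos ticket flags, as listed in the article.
TICKET_FLAGS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may_postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate", 14: "anonymous",
}

# Bit number -> name for KDC options in AS_REQ / TGS_REQ, as listed in the article.
KDC_OPTIONS = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "allow_postdate", 6: "postdated", 8: "renewable",
    14: "request_anonymous", 26: "disable_transited_check",
    27: "renewable_ok", 28: "enc_tkt_in_skey", 30: "renew", 31: "validate",
}

HEX_VALUE = re.compile(r"0x([0-9a-fA-F]{1,8})")


def bit_mask(bit):
    """Mask for Kerberos bit number `bit`, where bit 0 is the most-significant bit."""
    if not 0 <= bit <= 31:
        raise ValueError("Kerberos flag bits are numbered 0..31, got %r" % bit)
    return 1 << (31 - bit)


def decode_flags(value, table):
    """Return [(bit, name), ...] for every set bit, ascending by bit number.

    Bits the article lists as reserved (or does not list at all) come back
    as "reserved", so nothing that is set in the field is silently dropped.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("flag field must fit in 32 bits, got %#x" % value)
    return [(bit, table.get(bit, "reserved"))
            for bit in range(32) if value & bit_mask(bit)]


def describe_flags(value, table):
    """Human-readable form, e.g. 'forwardable renewable initial pre_authent reserved(15)'."""
    parts = []
    for bit, name in decode_flags(value, table):
        parts.append(name if name != "reserved" else "reserved(%d)" % bit)
    return " ".join(parts)


def encode_flags(names, table):
    """Inverse of decode_flags: build the 32-bit value from a list of flag names."""
    by_name = {name: bit for bit, name in table.items() if name != "reserved"}
    value = 0
    for name in names:
        if name not in by_name:
            raise KeyError("unknown flag name %r" % name)
        value |= bit_mask(by_name[name])
    return value


def ticket_needs_validation(ticket_flags):
    """A postdated ticket is issued with Invalid (bit 7) set; it must be sent to
    the TGS with the Validate KDC option (bit 31) before it can be used."""
    return bool(ticket_flags & bit_mask(7))


def parse_flags_dump(text, table):
    """Decode every '0x...' value found in a klist-like dump (constructed layout)."""
    results = []
    for line in text.splitlines():
        m = HEX_VALUE.search(line)
        if not m:
            continue
        value = int(m.group(1), 16)
        results.append((value, describe_flags(value, table)))
    return results


# Constructed sample in a klist-like layout; not real captured output.
SAMPLE_DUMP = """\
Client: alice @ EXAMPLE.LOCAL
Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
Ticket Flags 0x40e10000
Server: host/fileserver.example.local @ EXAMPLE.LOCAL
Ticket Flags 0x40a10000
"""

if __name__ == "__main__":
    for value, names in parse_flags_dump(SAMPLE_DUMP, TICKET_FLAGS):
        print("%#010x -> %s" % (value, names))
    # A KDC options value as it might appear in an AS_REQ (constructed).
    print("KDC options %#010x -> %s" % (0x40810010, describe_flags(0x40810010, KDC_OPTIONS)))
```

In the sample, the TGT decodes to forwardable, renewable, initial and pre_authent (bit 15 is reported as reserved because the article lists bits 15-31 as reserved), while the service ticket lacks initial because it was obtained with the TGT rather than from an AS_REQ, exactly as the Initial flag description above states.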
Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.