# IT:AD:Infrastructure:Security:Kerberos #

## How it works ##

* [Brilliant Summary - a MUST read!!!](http://technet.microsoft.com/en-us/library/bb742516.aspx)
* [Again...brilliant](http://msdn.microsoft.com/en-us/library/ff647076.aspx)
* [Read First](http://www.quadibloc.com/crypto/mi060702.htm)

![](https://dl.dropbox.com/u/11851202/PUBLIC/SKYS/Posted/IT/About/Infrastructure/Security/Kerberos/Gen/authentication.png)

![](https://dl.dropbox.com/u/11851202/PUBLIC/SKYS/Posted/IT/About/Infrastructure/Security/Kerberos/Gen/IC40244.png)

1. To log on to the network, a user provides account `credentials` (name/password).
2. The Authentication Server (AS) part of the KDC accesses `Active Directory` (`AD`) user account information in order to verify the given `credentials`.
3. The KDC grants a `Ticket Granting Ticket` (`TGT`).
    * The `TGT` allows the user to obtain service session tickets to access servers in the domain without having to enter the credentials again.
    * The `TGT` is good for 10 hours by default (it's configurable).
4. When the user attempts to access a domain server's resources, the client presents the `TGT` to the `KDC` to obtain a `Service (Session) Ticket` (`ST`).
5. The `KDC`'s `Ticket Granting Service` (`TGS`) component authenticates the `TGT` and grants an `ST`.
    * The `ST` consists of a `ticket` and a `session key`.
    * An `ST` is created for both the client and the server being accessed.
6. The client presents the `ST` to create a session with the service on the server.
7. The server uses its key to decrypt the information from the `TGS` within the `ST`, and the client is authenticated to the server.
8. If mutual authentication is enabled, the server also authenticates to the client.

* The heart of the solution is that the `credentials` are only used during login.
    * They are never passed from client to server again.
    * Neither the name nor the password is sent over the wire.

## Questions ##

* Why use it?
* How does it compare to impersonation?

## Resources ##

Wow, it's there on page 938 onwards. Actually, go back to page 933 and read that...

* [Apress.Pro.ASP.NET.4.in.CSharp.2010.4th.Edition.Jun.2010.pdf](https://dl.dropbox.com/u/11851202/USERS/SKYS/Orgs/All.Common/eBooks/Dev/Technologies/ASP.NET/Apress.Pro.ASP.NET.4.in.CSharp.2010.4th.Edition.Jun.2010.pdf)
* [Online](http://books.google.co.nz/books?id=2wg5LCKuChcC&pg=PA940&lpg=PA940&dq=authentication+delegation+C%23&source=bl&ots=Hjv79GyfMK&sig=XvXhLYYuv1l7H1aKgiTNHBEOde0&hl=en&sa=X&ei=XEJXT86BOdGYiAf86Jm5DQ&ved=0CFAQ6AEwBg#v=onepage&q&f=false)
* [http://mccltd.net/blog/?p=1053](http://mccltd.net/blog/?p=1053)
* http://www.roguelynn.com/words/explain-like-im-5-kerberos/
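The ticket flow from the "How it works" steps above, walked through end to end as an added example (not code from this page or from any of the linked references). It assumes a toy authenticated cipher standing in for Kerberos' real encryption types, a constructed key table standing in for AD, and made-up principal names `alice`, `krbtgt` and `http/web`; the point it shows is that the password is only ever used locally to decrypt the AS reply, and each later hop is authenticated with a ticket plus a session key.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # keystream for the toy cipher below (assumption: not a Kerberos etype)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):  # toy authenticated encryption: XOR keystream + HMAC-SHA256 tag
    nonce, pt = os.urandom(8), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # wrong key or any tampering fails the tag check, so the ticket is rejected
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body[8:], _ks(key, body[:8], len(body) - 8))))

def long_term_key(principal, secret):  # long-term key derived from each principal's secret
    return hashlib.sha256(principal.encode() + secret.encode()).digest()

# Constructed stand-in for the AD account database the KDC consults (step 2); values are made up.
KEYS = {"alice": long_term_key("alice", "Pa55w0rd!"), "krbtgt": long_term_key("krbtgt", "kdc-secret"),
        "http/web": long_term_key("http/web", "svc-secret")}

def as_exchange(user):  # steps 2-3: AS issues a TGT (sealed under the KDC's own key) plus a session key for the user
    sk = os.urandom(16).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + 10 * 3600})
    return tgt, seal(KEYS[user], {"sk": sk})  # only the holder of the user's key can read sk

def tgs_exchange(tgt, authenticator, service):  # steps 4-5: TGS validates the TGT and grants an ST
    t = unseal(KEYS["krbtgt"], tgt)
    if time.time() > t["exp"] or unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("TGT expired or authenticator mismatch")
    sk = os.urandom(16).hex()
    st = seal(KEYS[service], {"user": t["user"], "sk": sk, "exp": t["exp"]})  # readable only by the service
    return st, seal(bytes.fromhex(t["sk"]), {"sk": sk})  # client's copy of the new session key

def service_accept(service, st, authenticator):  # steps 6-8: server decrypts the ST with its own key
    t = unseal(KEYS[service], st)
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    if auth["user"] != t["user"] or time.time() > t["exp"]:
        raise ValueError("rejected")
    return seal(bytes.fromhex(t["sk"]), {"ts": auth["ts"]})  # mutual auth: prove knowledge of the session key

def login_and_access(user, password, service="http/web"):
    tgt, enc = as_exchange(user)  # step 1: the password itself is never sent; it only unlocks the reply locally
    sk1 = bytes.fromhex(unseal(long_term_key(user, password), enc)["sk"])
    st, enc2 = tgs_exchange(tgt, seal(sk1, {"user": user, "ts": time.time()}), service)
    sk2 = bytes.fromhex(unseal(sk1, enc2)["sk"])
    ts = time.time()
    reply = service_accept(service, st, seal(sk2, {"user": user, "ts": ts}))
    return unseal(sk2, reply)["ts"] == ts  # True only if the server really held the session key
```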