IT:AD:Infrastructure:Security:Kerberos
Summary
How it works
- To log on to the network, a user provides account credentials (name/password).
- The Authentication Server (AS) part of the KDC accesses Active Directory (AD) user account information in order to verify the given credentials.
- The KDC grants a Ticket Granting Ticket (TGT).
  * The TGT allows the user to obtain service session tickets to access servers in the domain, without having to enter the credentials again.
  * The TGT is good for 10 hours by default (it's configurable).
- When the user attempts to access a domain server's resources, the client presents the TGT to the KDC to obtain a Service (Session) Ticket (ST).
- The KDC's Ticket Granting Service (TGS) component authenticates the TGT and grants an ST.
  * The ST consists of a ticket and a session key.
  * An ST is created for both the client and the server being accessed.
- The client presents the ST to create a session with the service on the server.
- The server uses its own key to decrypt the information from the TGS within the ST, and the client is authenticated to the server.
- If mutual authentication is enabled, the server also authenticates to the client.
* The heart of the solution is that the credentials are only used during login.
  * They are never passed from client to server again.
  * Neither the name nor the password is sent over the wire.
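The AS, TGS and server steps above as an added simulation (not part of this page or of any Kerberos implementation): a constructed HMAC-SHA256 stream cipher stands in for Kerberos' real encryption types, and the principal "alice", the KDC key store and the service name "host/fs01" are made-up sample values. It shows the point of the list: the password is used once, on the client, to derive the key that opens the AS reply, and a wrong password or a tampered ticket fails at the tag check before anything is trusted.

```python
import hashlib, hmac, json, os, time

def kdf(user, pw):
    # Long-term key derived from the password (stand-in for Kerberos string-to-key)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), user.encode(), 10_000)

def _stream(key, nonce, n):  # HMAC-SHA256 counter keystream (toy cipher, not a Kerberos etype)
    return b"".join(hmac.new(key, nonce + bytes([c]), "sha256").digest() for c in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC: nonce | ciphertext | tag
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # wrong key or tampering fails here, before any plaintext is trusted
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC key store: it holds derived keys, never the password itself
KEYS = {"alice": kdf("alice", "pw-alice"), "krbtgt": os.urandom(32), "host/fs01": os.urandom(32)}
TGT_LIFETIME = 10 * 3600  # the 10-hour default noted above

def as_exchange(user):
    """AS: reply is sealed under the user's long-term key; only the right password can open it."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + TGT_LIFETIME})
    return seal(KEYS[user], {"sk": sk, "tgt": tgt.hex()})

def tgs_exchange(tgt, authenticator, service):
    """TGS: validate the TGT (KDC-only key) and issue an ST sealed under the service's key."""
    t = unseal(KEYS["krbtgt"], tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_sk = os.urandom(32).hex()
    st = seal(KEYS[service], {"user": t["user"], "sk": svc_sk})  # server's copy of the session key
    return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk, "st": st.hex()})  # client's copy

def ap_exchange(service, st, authenticator):
    """Server: decrypts the ST with its own key; it never needs to contact the KDC."""
    t = unseal(KEYS[service], st)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ST")
    return t["user"]  # authenticated principal

def login_and_access(user, password, service):
    """Client side: the password is used exactly once, to derive the key that opens the AS reply."""
    rep = unseal(kdf(user, password), as_exchange(user))
    sk = bytes.fromhex(rep["sk"])
    tgs_rep = unseal(sk, tgs_exchange(bytes.fromhex(rep["tgt"]), seal(sk, {"user": user}), service))
    return ap_exchange(service, bytes.fromhex(tgs_rep["st"]), seal(bytes.fromhex(tgs_rep["sk"]), {"user": user}))
```

Note that no function ever sends the password itself: the client sends only sealed authenticators, and the KDC and the server each open tickets with the one key they hold.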
Questions
* Why use it?
* How does it compare to Impersonation?
Resources
Wow.. it's there on page 938 onwards. Actually… go back to page 933 and read that…