Subscribe to Windows IT Pro
August 01, 1997 12:00 AM

Kerberos and NT 5.0

Mark Minasi
Windows IT Pro
InstantDoc ID #114
Rating: (0)

NT's Security Future
In the past couple of months, I've explained what happens under the hood when Windows NT 3.x and 4.0 authenticate a user ID. But, NT 5.0 will arrive soon, and then everything you know will be wrong. Lots of things will change in NT 5.0. It will use Kerberos authentication, which has been in the UNIX and Internet world for a while. This month, let's see how Kerberos works and how it applies to NT 5.0 user authentication.

Suppose a user whose account name is Dawn has a PC with IP address 2.2.2.2, and she wants to access data on a server \\DATAPLACE on the network. She and \\DATAPLACE are on the same domain, which has a domain controller named \\BIGDOG. How do Dawn, \\DATAPLACE, and \\BIGDOG interact to get Dawn to her data?

Kerberos seeks to solve the authentication problem: User Dawn wants server \\DATAPLACE to recognize her over the network, so she has to prove that she is the person who owns domain user account Dawn. Of course, Dawn has a password to her domain account, so \\DATAPLACE can authenticate Dawn by asking her, "What's your domain password?" Once Dawn gives her password, \\DATAPLACE can ask \\BIGDOG, "Is that really Dawn's password?" This method is not a good idea because Dawn's password gets transmitted over the wire from Dawn's PC to \\DATAPLACE, and then from \\DATAPLACE to \\BIGDOG. Anyone with a network sniffer can capture Dawn's password. Kerberos improves on this method, however, and handles user authentication without transmitting any clear-text passwords across the network.

Kerberos Simplified
With Kerberos, both users and services have passwords. So, Dawn has a password, and the file server service on \\DATAPLACE has a password, which is for the file server service only. If, for example, Internet Information Server (IIS) is running on \\DATAPLACE, the copy of IIS on \\DATAPLACE will have a different password from the copy on the file server service. (I've simplified this example to expose the big idea; I'll fill in the gaps later.)

When Dawn tries to access data on \\DATAPLACE, her file-sharing client software goes first not to \\DATAPLACE, but to \\BIGDOG, where Dawn's software requests a ticket to the file server module on \\BIGDOG. \\BIGDOG looks up Dawn's password and \\BIGDOG's password and creates a Kerberos ticket. \\DATAPLACE will use that ticket to authenticate Dawn.

First, \\BIGDOG creates a message ultimately for \\DATAPLACE, saying something like, "If you got this message from a machine with IP address 2.2.2.2, you got this message from user Dawn." Second, \\BIGDOG takes that message and encrypts it using \\DATAPLACE's password. Kerberos' encryption method uses one string of characters to encrypt another string of characters. Encrypting the message, "Meet me at 8 pm," using the password "sentinel," might yield an encrypted message like "sk3knalef9m3poh." The encryption method is symmetrical: The receiver can decrypt the message using the same password as the sender; knowing that the password is sentinel and the message is sk3knalef9m3poh is sufficient information to decrypt the message. Third, \\BIGDOG takes that encrypted message and adds a plain-text message to Dawn saying, "Give this to \\DATAPLACE." Fourth, \\BIGDOG takes the whole message--the part encrypted in \\DATAPLACE's password and the plain-text part--and encrypts it using Dawn's password. Then \\BIGDOG sends the ticket to Dawn.

Dawn's PC receives the entire encrypted ticket. The PC knows Dawn's password, so it decrypts the message, yielding a plain-text message saying, "Send this to \\DATAPLACE," and a message encrypted with \\DATAPLACE's password. Dawn can't tamper with the message for \\DATAPLACE because she doesn't have \\DATAPLACE's password. Her machine then sends that message to \\DATAPLACE.

The security software in \\DATAPLACE sees that it's received a message from a machine with IP address 2.2.2.2. It decrypts the message, which says, "If you got this message from a machine with IP address 2.2.2.2, you got this message from user Dawn." The message came from 2.2.2.2, so \\DATAPLACE is now pretty sure that Dawn is on the other end of the line. It can look up the access control list (ACL)/Security Descriptor on the share to see whether Dawn is authorized to access the share.

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Peter Vernam
    13 years ago
    Aug 10, 1999

    Thanks go to Mark Minasi for his August 1997 column, “Kerberos and NT 5.0.” It is the best description of Kerberos I have read. However, I think he made an error in the paragraph where Dawn tries to access data on \\\\DATAPLACE. He says that her file-sharing client software goes first not to \\\\DATAPLACE, but to \\\\BIGDOG, where Dawn’s software requests a ticket to the file server module on \\\\BIGDOG. Shouldn’t this location be \\\\DATAPLACE?

    --Peter Vernam



    Thank you for the kind thoughts. The idea with Kerberos is that a client goes to a domain controller (\\\\BIGDOG) for a ticket.

    --Mark Minasi

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.