- Microsoft Implementation of Kerberos Starts in Windows 2000
- Version 5 Kerberos Protocol Interoperability
- Key Distribution Center (KDC)
Key Distribution Center (KDC)
Microsoft continues to migrate the technologies originally developed in Windows 2000 related to Kerberos to Windows XP. A significant common component that each share is the Key Distribution Center.
Both Windows 2000 and Windows XP implement the Key Distribution Center (KDC) as a domain service. It uses the domain's Active Directory as its account database, and gets some information about users from the Global Catalog.
As in other implementations of the Kerberos protocol, the KDC is a single process that provides two services:
Authentication Service (AS). This service issues Ticket Granting Tickets (TGTs) that are good for admission to the ticket-granting service in its domain. Before network clients can get tickets for services, they must get an initial TGT from the authentication service in the user's account domain.
Ticket-Granting Service (TGS). This service issues tickets that are good for admission to other services in its domain or to the ticket-granting service of a trusted domain. When clients want access to a service, they must contact the ticket-granting service in the service's account domain, present a TGT, and ask for a ticket. If the client does not have a TGT that is good for admission to that ticket-granting service, it must get one through a referral process that begins at the ticket-granting service in the user's account domain and ends at the ticket-granting service in the service's account domain.
The KDC is located on every domain controller, as is the Active Directory service. Both services are started automatically by the domain controller's Local Security Authority (LSA), and run in the process space of the LSA. Neither service can be stopped. Windows 2000 and XP ensures the availability of these services by allowing each domain to have several domain controllersall peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.
The security principal name used by the KDC for a Windows 2000 domain is krbtgt, as specified by RFC 1510. An account for this security principal is created automatically when a new domain is created. The account cannot be deleted, nor can the name be changed. A password is assigned to the account automatically, and is changed on a regular schedule, as are the passwords assigned to domain trust accounts. The password for the KDC's account is used to derive a secret key for encrypting and decrypting the TGTs that it issues. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
All instances of the KDC within a domain use the domain account for the security principal krbtgt. Clients address messages to a domain's KDC by including both the service principal name (krbtgt) and the name of the domain. Both items of information are also used in tickets to identify the issuing authority. For information on name forms and addressing conventions, see RFC 1510.