- Microsoft Implementation of Kerberos Starts in Windows 2000
- Version 5 Kerberos Protocol Interoperability
- Key Distribution Center (KDC)
- Summary
Version 5 Kerberos Protocol Interoperability
The Kerberos version 5 protocol is implemented in both Windows 2000 and Windows XP, and is used to provide a single authentication service in a distributed network. Kerberos interoperability provides a common protocol that allows a single account database for authenticating users on all enterprise computing platforms to access all services in a heterogeneous environment. Kerberos interoperability is based on the following characteristics:
- A common authentication protocol used to identify the end user or service by principal name in a network connection.
- The capability to define trust relationships between Kerberos realms and to generate ticket referral requests between realms.
- Implementations that support the Interoperability Requirements defined in RFC 1510 regarding encryption, checksum algorithms, mutual authentication, and other ticket options.
- Support for Kerberos version 5 security token formats for context establishment and per-message exchange, as defined by the IETF Common Authentication Technology working group.
The principal name in a Kerberos ticket is used to authenticate the user's identity, but additional authorization information might be managed on the local system for access control. Identity-based authentication provides a high degree of interoperability for systems that support the Kerberos version 5 protocol; it does not, however, support user authorization. The Kerberos protocol provides for transport of authorization data, but the contents of this field are considered specific to the application service.
The Microsoft implementation of the Kerberos protocol supports the interoperability characteristics sufficient for identity-based authentication. In addition, Microsoft integrates authorization data in the form of Windows 2000 and Windows XP group memberships in Kerberos tickets to convey access control information to Windows XP services. The native representation of the authorization data is in Windows Security IDs.
Windows XP services have service accounts defined in the Active Directory, which defines the shared secret used by the KDC to encrypt session tickets. Clients attempting to connect to Windows 2000 and XP services obtain session tickets to the target server from the KDC in the domain in which the service account is defined. The Kerberos security provider supporting a Windows 2000 service expects to find Authorization Data in the session tickets that are used to build a security access token. The Windows 2000 service impersonates the security context of the client, based on the Authorization Data provided in the session ticket.
Clients that obtain their initial Kerberos TGT from a KDC on a system other than Windows 2000 or Windows XP use the Kerberos referral mechanism to request a session ticket from the KDC in the domain of the Windows 2000 service. The referral ticket is issued under the inter-realm trust relationship between the two KDCs. Ticket requests that originate from an MIT Kerberos authentication service are not likely to contain authorization data. When a session ticket does not contain authorization data, the Kerberos security provider on Windows 2000 and XP uses the principal name in the ticket to create a security access token for a designated user account, or uses a default account defined for this purpose. Microsoft is still investigating some of the interoperability issues with different Kerberos configurations, and will continue to work toward full Kerberos interoperability.
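The two preceding paragraphs describe two paths to the same Windows service: a native client whose session ticket carries Windows group SIDs as authorization data, and an MIT-realm client whose ticket arrives by cross-realm referral and carries none, so the service falls back to mapping the principal name to a designated or default account. The following is an added example, not Microsoft's code or any real Kerberos implementation: a toy model in which an HMAC tag stands in for ticket encryption, both KDCs and the service are plain Python objects, and the realms (MIT.EXAMPLE, CORP.EXAMPLE), keys, principal names and SIDs are all constructed for the example. It does not model ASN.1 ticket encoding, the PAC format, or ticket lifetimes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: hypothetical realms, service, keys and SIDs.
MIT_REALM = "MIT.EXAMPLE"
WIN_REALM = "CORP.EXAMPLE"
SERVICE = f"host/fileserver@{WIN_REALM}"
INTER_REALM_KEY = b"constructed-inter-realm-key"   # shared by both KDCs (trust)
SERVICE_KEY = b"constructed-service-account-key"   # shared by the KDC and the service


@dataclass
class Ticket:
    client: str                        # principal name, e.g. alice@MIT.EXAMPLE
    service: str                       # service principal the ticket is issued to
    realm: str                         # realm whose KDC issued the ticket
    authz_data: Optional[list] = None  # Windows group SIDs, None when absent
    tag: str = ""                      # HMAC standing in for ticket encryption

    def body(self) -> bytes:
        return json.dumps({"client": self.client, "service": self.service,
                           "realm": self.realm, "authz_data": self.authz_data},
                          sort_keys=True).encode()


def seal(ticket: Ticket, key: bytes) -> Ticket:
    ticket.tag = hmac.new(key, ticket.body(), hashlib.sha256).hexdigest()
    return ticket


def verify(ticket: Ticket, key: bytes) -> bool:
    expected = hmac.new(key, ticket.body(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket.tag)


class KDC:
    def __init__(self, realm: str, keys: dict, accounts: dict):
        self.realm = realm
        self.keys = keys          # service principal -> long-term key it holds
        self.accounts = accounts  # home principal -> group SIDs (None at an MIT KDC)

    def initial_tgt(self, client: str) -> Ticket:
        """AS exchange: the home KDC issues the TGT; a Windows KDC embeds the
        account's group SIDs as authorization data at this point."""
        tgs = f"krbtgt/{self.realm}@{self.realm}"
        return seal(Ticket(client, tgs, self.realm, self.accounts[client]), self.keys[tgs])

    def service_ticket(self, tgt: Ticket, service: str) -> Ticket:
        """TGS exchange: a TGT is accepted if it verifies under this KDC's own
        krbtgt key or under an inter-realm key shared with the issuing realm."""
        tgt_key = self.keys.get(tgt.service)
        if tgt_key is None or not verify(tgt, tgt_key):
            raise PermissionError(f"TGT for {tgt.service} not verifiable in {self.realm}")
        target_realm = service.rsplit("@", 1)[1]
        if target_realm != self.realm:
            # Referral: hand back a cross-realm TGT for the realm owning the service.
            inter = f"krbtgt/{target_realm}@{self.realm}"
            if inter not in self.keys:
                raise PermissionError(f"no trust from {self.realm} to {target_realm}")
            return seal(Ticket(tgt.client, inter, self.realm, tgt.authz_data), self.keys[inter])
        # Authorization data is copied from the presented TGT, so a referral that
        # started at an MIT KDC yields a session ticket with none.
        return seal(Ticket(tgt.client, service, self.realm, tgt.authz_data), self.keys[service])


def build_access_token(ticket: Ticket, name_map: dict, local_accounts: dict,
                       default_account: Optional[str] = None) -> Optional[dict]:
    """Service side: build the token from the ticket's authorization data when it
    is present; otherwise map the principal name to a designated local account,
    then to the default account, and deny if neither exists."""
    if not verify(ticket, SERVICE_KEY):
        raise PermissionError("session ticket does not verify under the service key")
    if ticket.authz_data is not None:
        return {"user": ticket.client, "groups": list(ticket.authz_data),
                "source": "ticket authorization data"}
    account = name_map.get(ticket.client, default_account)
    if account is None or account not in local_accounts:
        return None  # nothing to build a token from: access denied
    return {"user": account, "groups": list(local_accounts[account]),
            "source": "principal-name mapping"}


def demo(default_account: Optional[str] = None) -> dict:
    """Run a native Windows client and two MIT clients (one mapped, one not)."""
    mit = KDC(MIT_REALM, {f"krbtgt/{MIT_REALM}@{MIT_REALM}": b"constructed-mit-tgs-key",
                          f"krbtgt/{WIN_REALM}@{MIT_REALM}": INTER_REALM_KEY},
              {f"alice@{MIT_REALM}": None, f"carol@{MIT_REALM}": None})
    corp = KDC(WIN_REALM, {f"krbtgt/{WIN_REALM}@{WIN_REALM}": b"constructed-corp-tgs-key",
                           f"krbtgt/{WIN_REALM}@{MIT_REALM}": INTER_REALM_KEY,
                           SERVICE: SERVICE_KEY},
              {f"bob@{WIN_REALM}": ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513"]})
    local_accounts = {"MITGuest": ["S-1-5-21-1-2-3-1106"], "KerbDefault": []}
    name_map = {f"alice@{MIT_REALM}": "MITGuest"}   # designated account for alice only

    bob_st = corp.service_ticket(corp.initial_tgt(f"bob@{WIN_REALM}"), SERVICE)
    referral = mit.service_ticket(mit.initial_tgt(f"alice@{MIT_REALM}"), SERVICE)
    alice_st = corp.service_ticket(referral, SERVICE)
    carol_st = corp.service_ticket(
        mit.service_ticket(mit.initial_tgt(f"carol@{MIT_REALM}"), SERVICE), SERVICE)
    token = lambda t: build_access_token(t, name_map, local_accounts, default_account)
    return {"referral_service": referral.service, "bob": token(bob_st),
            "alice": token(alice_st), "carol": token(carol_st)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(default_account="KerbDefault"), indent=2))
```

Running `demo()` shows the referral TGT being issued to `krbtgt/CORP.EXAMPLE@MIT.EXAMPLE`, bob's token built from the SIDs in his ticket, alice's token built from the designated `MITGuest` account, and carol denied until a default account is configured. The denial branch is the point worth keeping in mind when planning an MIT-to-Windows deployment: without either a designated mapping or a default account, a perfectly valid cross-realm ticket yields no token at all.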
The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos tickets to convey Extended Privilege Attribute Certificates (EPACs) that define user identity and group membership. The DCE EPAC is used like Windows Security IDs for user authorization and access control. Windows 2000 services cannot translate DCE EPACs into Windows 2000 user and group identifiers. This is not a question of Kerberos interoperability, but of interoperability between DCE and Windows 2000 and XP access control information. Microsoft will investigate ways to map DCE authorization to the Windows 2000 security model.