Kerberos Question

Discussion in 'Network Infrastructure' started by surfthegecko, Jan 24, 2010.

  1. surfthegecko

    surfthegecko Bit Poster

    Hi,

    Quick question for all you 70-291 fans out there. I am currently trying to get my head round Kerberos and wanted to check that I have the following points correct:

    Issuing A TGT (Ticket Granting Ticket)
    This acts as the Master Ticket, and is created so domain passwords do not need to be sent back and forth.

    -Computer and users logon
    -Client computer sends a hashed version of the password (sometimes including the local time) to the DC/KDC

    -DC decrypts with a local copy of the hash
    -DC then checks that the local time encrypted is no longer than 5 minutes later
    -DC then pre-authenticates the package, and then the rest of the Kerberos transaction proceeds

    -DC then generates a PAC (Privilege Access Certificate) containing their access, SID, logon hours, access restrictions etc.
    -This is then packaged into a TGT and passed back to the client to decrypt

    Issuing A ST (Session Ticket)
    This ticket is only valid for a limited time and for a particular purpose. This is issued off the back of the TGT.

    -Client computer sends its TGT to the TGS/KDC/DC and requests a Session/Service Ticket
    -TGS/KDC/DC then sends a Session/Service Ticket to the client
    -Client computer sends the ST to a Validating Server (eg File Server)
    -Validating Server authenticates the ST
    -Client/Server Session is then established

    Any guidance/confirmation/links etc on the above would be appreciated.

    Thanks
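Added example (not from the original post or any forum member): a toy simulation of the two exchanges listed above, so the timestamp pre-authentication, the 5-minute clock-skew check, the TGT that only the KDC can open, and the service ticket that only the file server can open can be traced in code. The realm, user, service principal, SID placeholder and the seal/unseal "encryption" are all constructed stand-ins, not real Kerberos encryption types.

```python
import hashlib, hmac, json, os
SKEW = 300  # seconds: the 5-minute maximum clock skew discussed in the post

def derive_key(password, salt):  # stands in for the Kerberos string-to-key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _stream(key, nonce, n):  # toy keystream, for illustration only
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object (toy, not a real Kerberos etype)
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # raises if the key is wrong or the blob was modified
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):  # constructed sample realm: one user, one file-server service
        self.users = {"alice": derive_key("P@ssw0rd!", "EXAMPLE.COMalice")}
        self.services = {"cifs/fs01": derive_key("svc-secret", "EXAMPLE.COMcifs/fs01")}
        self.krbtgt = os.urandom(32)  # only the KDC can open or mint a TGT

    def as_exchange(self, user, preauth, now):
        # AS-REQ pre-auth: a timestamp encrypted under the user's key; no password crosses the wire
        ts = unseal(self.users[user], preauth)["timestamp"]
        if abs(now - ts) > SKEW:
            raise ValueError("pre-auth timestamp outside the allowed clock skew")
        session = os.urandom(32).hex()
        pac = {"user": user, "sid": "S-1-5-21-<placeholder>-1104", "groups": ["Domain Users"]}
        tgt = seal(self.krbtgt, {"user": user, "session": session, "pac": pac, "expires": now + 36000})
        return seal(self.users[user], {"session": session}), tgt  # AS-REP

    def tgs_exchange(self, tgt, service, now):  # TGS-REQ: the TGT is opened with the krbtgt key
        t = unseal(self.krbtgt, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        return seal(self.services[service], {"user": t["user"], "pac": t["pac"], "expires": now + 36000})

def file_server_accept(service_key, st):  # validating server opens the ST with its own key
    return unseal(service_key, st)["pac"]

def logon_and_access(password, client_clock, kdc_clock):
    kdc = KDC()
    key = derive_key(password, "EXAMPLE.COMalice")
    preauth = seal(key, {"timestamp": client_clock})
    enc_part, tgt = kdc.as_exchange("alice", preauth, kdc_clock)
    unseal(key, enc_part)  # the client recovers the session key from the AS-REP
    st = kdc.tgs_exchange(tgt, "cifs/fs01", kdc_clock)
    return file_server_accept(kdc.services["cifs/fs01"], st)
```

A wrong password fails at the KDC's unseal of the pre-auth blob, and a client clock more than 300 seconds off fails the skew check, both before any TGT is issued.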
     
  2. Revolate

    Revolate Nibble Poster

    Yeah what he said ^ :biggrin


    http://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Authentication :rolleyes:
     
    Certifications: A+, N+, MCDST, NVQ3, ADITP.
    WIP: Server+ and a nice break?
  3. surfthegecko

    surfthegecko Bit Poster

    Thanks, makes more sense now.
     
