Re: Kerberos v. AD
From: Dean Wells [MVP] (dwells_at_mask.msetechnology.com)
Date: 03/02/05
- Next message: Spin: "Re: Kerberos v. AD"
- Previous message: Al Mulnick: "Re: Active Directory Question"
- In reply to: Spin: "Re: Kerberos v. AD"
- Next in thread: Spin: "Re: Kerberos v. AD"
- Reply: Spin: "Re: Kerberos v. AD"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 1 Mar 2005 22:54:32 -0500
The TGT is the ticket initially given to an authenticating client once
it has successfully presented valid credentials. The TGT is then later
presented to KDCs (Key Distribution Centers / Windows DCs) by the client
in order to validate the issuance of session tickets. The session
tickets, once issued, are presented to resource servers by the client in
order that they may authorize access to the requested service.
Note that all tickets contain many attributes that dictate certain
behaviors, for example - ticket expiry time, maximum renewal period and
the ability for the client to (perhaps) be impersonated.
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Spin wrote:
> Thanks Dean! Just to be clear, where does the Kerberos Ticket
> granting ticket come into play in all of this?
>
> "Dean Wells [MVP]" <dwells@mask.msetechnology.com> wrote in message
> news:e6CZkPrHFHA.3076@tk2msftngp13.phx.gbl...
>> To be clear, Kerberos plays no part in the authorization process ...
>> it is used exclusively for authentication. Kerberos creates ~secure
>> constructs called tickets which contain an attribute known as the PAC
>> (privileged attribute certificate) which in turn contains the Windows
>> Access Token. This is a proprietary component (as it is on many OSs)
>> used to fuel the authorization process for an ACLable (Access Control
>> List) resource.
>>
>> Kerberos was selected by Microsoft as it was deemed to be a proven
>> industry standard. Microsoft don't and shouldn't create proprietary
>> mechanisms to provide features that are common among many platforms
>> (i.e. the process of authentication). Adherence to industry
>> standards hasn't long been a driving factor in Microsoft
>> technologies, more recently it is ... this is a good, good thing!
>>
>> Active Directory is Microsoft's interpretation and offering of an
>> LDAP service (with a specific slant toward maintaining compatibility
>> with Microsoft's definition of domain) ... it exploits or depends
>> upon a variety of industry protocols including Kerberos, DNS and LDAP
>> and offers a centralized configuration mechanism for many others,
>> for example - IPsec.
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e t h e m a s k t o s e n d e m a i l
>>
>> ptwilliams wrote:
>>> What do you mean? AD does both. It uses Kerberos v5 for
>>> authorisation, and then AD for secure authentication because of
>>> Kerberos.
>>>
>>> Why write a proprietary system, when there's an excellent industry
>>> standard available.
>>>
>>> (Also, the US Justice Dept. and indeed the European one, would
>>> prefer it if MS didn't write everything themselves, and bundle
>>> everything as part of Windows ;-)
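The flow Dean describes above (credentials yield a TGT; the TGT is presented back to the KDC for a service ticket; the service ticket goes to the resource server, which authorizes from the PAC it carries) as an added Python model written for this page, not Microsoft's or MIT's code. It seals tickets with an HMAC instead of encrypting them and omits session keys and authenticators, so it shows the ticket chain and the authentication/authorization split, not the wire protocol; the user, group SID, long-term keys and the service name cifs/fs01 are constructed.

```python
import hashlib, hmac, json

# Constructed data: account passwords, group SIDs and long-term keys. A real
# KDC derives keys from the account passwords; these are placeholders.
USERS = {"alice": "pw-alice"}
GROUPS = {"alice": ["S-1-5-21-1-1-1-513"]}   # constructed domain, RID 513 = Domain Users
KEYS = {"krbtgt": b"krbtgt-key", "cifs/fs01": b"fs01-key"}

def seal(ticket: dict, key: bytes) -> dict:
    """Stand-in for encrypting a ticket under the holder's key: we model only
    integrity (HMAC), so a ticket that is altered or forged is rejected."""
    body = json.dumps(ticket, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).digest()}

def unseal(sealed: dict, key: bytes, now: float) -> dict:
    """Check the seal and the validity window before trusting any attribute."""
    mac = hmac.new(key, sealed["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, sealed["mac"]):
        raise ValueError("ticket integrity check failed")
    ticket = json.loads(sealed["body"])
    if now >= ticket["endtime"]:
        raise ValueError("ticket expired")
    return ticket

def kdc_as_exchange(user: str, password: str, now: float, life=36000) -> dict:
    """AS exchange: valid credentials yield a TGT sealed with the krbtgt key.
    The PAC stand-in (group SIDs) rides inside; the KDC never acts on it."""
    if USERS.get(user) != password:
        raise PermissionError("bad credentials")
    tgt = {"cname": user, "sname": "krbtgt", "endtime": now + life,
           "flags": ["renewable"], "pac": {"groups": GROUPS[user]}}
    return seal(tgt, KEYS["krbtgt"])

def kdc_tgs_exchange(sealed_tgt: dict, service: str, now: float, life=36000):
    """TGS exchange: the KDC validates the TGT (no password is shown again) and
    copies its PAC into a service ticket sealed with that service's key."""
    tgt = unseal(sealed_tgt, KEYS["krbtgt"], now)
    ticket = {"cname": tgt["cname"], "sname": service, "pac": tgt["pac"],
              "endtime": min(now + life, tgt["endtime"])}   # never outlives the TGT
    return seal(ticket, KEYS[service])

def service_access(sealed_st: dict, service: str, needed_sid: str, now: float):
    """Resource server: Kerberos has authenticated cname; the ACL decision
    (authorization) is made from the PAC groups, as Dean describes."""
    ticket = unseal(sealed_st, KEYS[service], now)
    if ticket["sname"] != service:
        raise ValueError("ticket was issued for a different service")
    return needed_sid in ticket["pac"]["groups"]
```

Note that only the KDC can open the TGT and only the file server can open its service ticket, which is why the client learns nothing from either and why an expired or altered ticket fails before any attribute is read.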