Re: Kerberos v. AD


From: Dean Wells [MVP] (dwells_at_mask.msetechnology.com)
Date: 03/02/05


Date: Wed, 2 Mar 2005 08:01:57 -0500

Microsoft also refer to the TGT as the user ticket and session tickets
as service tickets. I can only guess that your confusion is with the
overlap of 'user ticket' and 'user's token' (a less specific turn of
phrase). The TGT itself cannot be used for authorization against a
resource since the token within the PAC is incomplete. That is, initial
TGTs are constructed by a KDC (at initial logon) that has authority over
your user principal; these contain only the user's SID, Universal group
SIDs and any other SIDs specifically from the user account's domain.
Additional TGTs (often known as TGS referrals or Ticket Granting Service
referrals) are constructed when you request tickets from trusted domains
or realms. Such TGTs will contain different and more SIDs than your
initial TGT because -

1. your existing SIDs may be listed as members of additional groups
within that KDC's domain
2. some of your existing SIDs are scoped in such a way that they serve
no purpose beyond the borders of your own domain (i.e. they can't be
used to authorize access to a resource outside of your domain - Domain
Local groups)

Session tickets are exclusively issued by KDCs with authority over the
service principal that houses the resource you wish to access. For
example, in the case of Windows 2000 or later, a Domain Controller that
contains the computer account that houses the service you're trying to
access will issue the session ticket. If both the user and computer
service principal are in the same domain, both the TGT and session
tickets will be issued one at a time by KDCs from the same domain, often
the same KDC. When initially logging on to a computer within a domain,
it is still necessary to have at least 2 tickets; a TGT provided to you
following initial authentication and a session ticket that was provided
to you (upon automatic request) because you need to be authorized
against the local resources of the computer you're sitting at.

HTH

-- 
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e    t h e    m a s k    t o    s e n d    e m a i l
Spin wrote:
> Thanks Dean!  One last question if I may.  I thought the user token
> did what the Kerberos session ticket did?  So now we have both a user
> token and session ticket being presented to resources?
>
>
> "Dean Wells [MVP]" <dwells@mask.msetechnology.com> wrote in message
> news:O5kCSutHFHA.2924@TK2MSFTNGP15.phx.gbl...
>> The TGT is the ticket initially given to an authenticating client
>> once it has successfully presented valid credentials.  The TGT is
>> then later presented to KDCs (Key Distribution Centers / Windows
>> DCs) by the client in order to validate the issuance of session
>> tickets.  The session tickets, once issued, are presented to
>> resource servers by the client in order that they may authorize
>> access to the requested service.
>>
>> Note that all tickets contain many attributes that dictate certain
>> behaviors, for example - ticket expiry time, maximum renewal period
>> and the ability for the client to (perhaps) be impersonated.
>>
>> --
>> Dean Wells [MVP / Directory Services]
>> MSEtechnology
>> [[ Please respond to the Newsgroup only regarding posts ]]
>> R e m o v e    t h e    m a s k    t o    s e n d    e m a i l
>>
>> Spin wrote:
>>> Thanks Dean!  Just to be clear, where does the Kerberos Ticket
>>> granting ticket come into play in all of this?
>>>
>>> "Dean Wells [MVP]" <dwells@mask.msetechnology.com> wrote in message
>>> news:e6CZkPrHFHA.3076@tk2msftngp13.phx.gbl...
>>>> To be clear, Kerberos plays no part in the authorization process
>>>> ... it is used exclusively for authentication.  Kerberos creates
>>>> ~secure constructs called tickets which contain an attribute known
>>>> as the PAC (privileged attribute certificate) which in turn
>>>> contains the Windows Access Token.  This is a proprietary
>>>> component (as it is on many OSs) used to fuel the authorization
>>>> process for an ACLable (Access Control List) resource.
>>>>
>>>> Kerberos was selected by Microsoft as it was deemed to be a proven
>>>> industry standard.  Microsoft don't and shouldn't create
>>>> proprietary mechanisms to provide features that are common among
>>>> many platforms (i.e. the process of authentication).  Adherence to
>>>> industry standards hasn't long been a driving factor in Microsoft
>>>> technologies, more recently it is ... this is a good, good thing!
>>>>
>>>> Active Directory is Microsoft's interpretation and offering of an
>>>> LDAP service (with a specific slant toward maintaining
>>>> compatibility with Microsoft's definition of domain) ... it
>>>> exploits or depends upon a variety of industry protocols including
>>>> Kerberos, DNS and LDAP and offers a centralized configuration
>>>> mechanism for many others, for example - IPsec.
>>>>
>>>> --
>>>> Dean Wells [MVP / Directory Services]
>>>> MSEtechnology
>>>> [[ Please respond to the Newsgroup only regarding posts ]]
>>>> R e m o v e    t h e    m a s k    t o    s e n d    e m a i l
>>>>
>>>> ptwilliams wrote:
>>>>> What do you mean?  AD does both.  It uses Kerberos v5 for
>>>>> authorisation, and then AD for secure authentication because of
>>>>> Kerberos.
>>>>>
>>>>> Why write a propriety system, when there's an excellent industry
>>>>> standard available.
>>>>>
>>>>> (Also, the US Justice Dept. and indeed the European one, would
>>>>> prefer it if MS didn't write everything themselves, and bundle
>>>>> everything as part of Windows ;-) 
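The ticket categories Dean describes (an initial TGT, inter-realm referral TGTs and service/session tickets, with at least a TGT plus a ticket for the local machine present after logon) can be checked on a client with klist. The script below is an added example, not code from the original thread or from Microsoft: it parses the text printed by the built-in klist.exe (the Windows Vista / Server 2008 and later format, not the 2005 Resource Kit tool) and classifies each cached ticket. The sample output is constructed, and the user, host and realm names (jdoe, ws01, CORP.EXAMPLE, RES.EXAMPLE) are assumptions; the host/ SPN is assumed to be the local-machine service ticket a workstation requests at logon.

```powershell
# Added example (not from the original post): classify the tickets in a
# Windows Kerberos ticket cache using klist.exe output.
#   krbtgt/<client realm> @ <client realm>  -> initial TGT (from AS-REQ)
#   krbtgt/<other realm>  @ <client realm>  -> inter-realm referral TGT
#   anything else                           -> service ("session") ticket

function ConvertFrom-KlistOutput {
    param([Parameter(Mandatory)][string]$Text)

    $tickets = @()
    $current = $null
    foreach ($line in ($Text -split '\r?\n')) {
        # "#0>     Client: jdoe @ CORP.EXAMPLE" starts a new ticket record
        if ($line -match '^#\d+>\s+Client:\s+(?<client>\S+)\s+@\s+(?<crealm>\S+)') {
            if ($null -ne $current) { $tickets += [pscustomobject]$current }
            $current = [ordered]@{
                Client = $Matches.client; ClientRealm = $Matches.crealm
                Server = $null; ServerRealm = $null; Flags = @()
            }
        }
        elseif ($null -ne $current -and $line -match '^\s+Server:\s+(?<spn>\S+)\s+@\s+(?<srealm>\S+)') {
            $current.Server      = $Matches.spn
            $current.ServerRealm = $Matches.srealm
        }
        elseif ($null -ne $current -and $line -match '^\s+Ticket Flags\s+0x[0-9a-f]+\s+->\s+(?<flags>.+)$') {
            $current.Flags = $Matches.flags.Trim() -split '\s+'
        }
    }
    if ($null -ne $current) { $tickets += [pscustomobject]$current }
    return $tickets
}

function Get-TicketKind {
    param([Parameter(Mandatory)]$Ticket)
    if ($Ticket.Server -match '^krbtgt/(?<realm>[^@\s]+)$') {
        # krbtgt/X @ Y is a TGT for realm X issued by a KDC of realm Y
        if ($Matches.realm -eq $Ticket.ClientRealm) { return 'TGT (initial)' }
        return 'TGT (inter-realm referral)'
    }
    return 'Service ticket'
}

function Test-InitialLogonTickets {
    # The "at least 2 tickets" point: an initial TGT plus a service ticket
    # for the local machine (assumed here to be its host/ SPN).
    param([Parameter(Mandatory)][object[]]$Tickets)
    $hasTgt  = [bool]($Tickets | Where-Object { (Get-TicketKind $_) -eq 'TGT (initial)' })
    $hasHost = [bool]($Tickets | Where-Object { $_.Server -like 'host/*' })
    return ($hasTgt -and $hasHost)
}

# Constructed sample (hypothetical names). On a live machine use:
#   $sample = klist | Out-String
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Kdc Called: DC01.corp.example

#1>     Client: jdoe @ CORP.EXAMPLE
        Server: host/ws01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: DC01.corp.example

#2>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/RES.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Kdc Called: DC01.corp.example
'@

$tickets = ConvertFrom-KlistOutput -Text $sample
$tickets | ForEach-Object {
    [pscustomobject]@{
        Kind       = Get-TicketKind -Ticket $_
        Server     = "$($_.Server) @ $($_.ServerRealm)"
        FromAsReq  = ($_.Flags -contains 'initial')   # only the AS-issued TGT carries 'initial'
    }
} | Format-Table -AutoSize

"Initial TGT plus local host ticket present: $(Test-InitialLogonTickets -Tickets $tickets)"
```

On a real client the third record only appears once you have touched a resource in a trusted domain, at which point the referral TGT (krbtgt/RES.EXAMPLE issued by your own realm's KDC) sits beside the initial one; the `initial` flag distinguishes the TGT obtained at logon from any TGT obtained later through a TGS exchange.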

