The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of
the book "Windows Server 2003 security infrastructures" written by Jan De Clercq.
Advanced Kerberos topics
Kerberized applications are applications that use the Kerberos authentication protocol to provide authentication (and maybe in a later phase to provide encryption and signing for subsequent messages). Windows 2000 and Windows Server 2003 include the following Kerberized applications:
- LDAP to AD
- CIFS/SMB remote file access. Common Internet File System (CIFS) is the new name of Microsoft's SMB protocol that is mainly used for file and print sharing.
- Secure dynamic DNS update
- Distributed File System Management
- Host to Host IPsec using ISAKMP
- Secure intranet Web services using IIS
- Authenticated certificate requests to a certification authority (CA)
- DCOM RPC security provider
Windows 2000 and Windows Server 2003 include extensions to Kerberos Version 5 to support public-key–based authentication. These extensions are known as PKINIT—which stands for use of Public Key cryptography for INITial authentication—and are defined in an IETF Internet draft available from http://www.ietf.org. PKINIT enables the smart card logon process to a Windows 2000 or later domain. PKINIT allows a client's master key to be replaced with its public key credentials in the Kerberos Authentication Request (KRB_AS_REQ) and Reply (KRB_AS_REP) messages. This is illustrated in Table 5.9.
PKINIT introduces a new trust model (illustrated on the right side of Figure 5.32) in which the KDC is not the first entity to identify the users (as is the case for classical Kerberos). Before KDC authentication, users are identified by the certification authority in order to obtain a certificate. In this new model the users and the KDC obviously both need to trust the same CA.
Figure 5.32: Smart card logon trust model
Figure 5.33 shows the way the Kerberos smart card logon process works (notice that the cryptic names of the Kerberos messages have changed):
- Alice starts the logon process by introducing her smart card and by authenticating to the card using her PIN code. The smart card contains Alice's public key credentials: her private key and certificate.
- A TGT request is sent to the KDC (AS); this request contains the following (PA-PK-AS-REQ):
  - Alice's principal name and a timestamp
  - The above signed with Alice's private key
  - A copy of Alice's certificate
Figure 5.33: Smart card logon process
- To validate the request and the digital signature on it, the KDC will first validate Alice's certificate. The KDC will then query the Active Directory for a mapping between the certificate and a Windows account. If it finds a mapping, it will issue a TGT to the corresponding account.
- The KDC sends back the TGT to Alice. Alice's copy of the session key is encrypted with her public key (PA-PK-AS-REP).
- To retrieve her copy of the session key, Alice uses her private key. We will come back to smart card support in Windows Server 2003 in Chapter 17.
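The exchange above, reduced to code so that the trust model is visible: the KDC never sees a password for Alice, it accepts her because the CA it trusts vouched for her public key and because Active Directory maps that certificate to an account. This is an added example, not code from the book or from Windows. It uses textbook RSA with fixed Mersenne primes and a three-field stand-in for an X.509 certificate, so the message names (PA-PK-AS-REQ, PA-PK-AS-REP), the subject-to-account dictionary that stands in for the AD lookup, the 300-second clock-skew window and the sample principal names are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key pair below


def make_keypair(p, q):
    """Textbook RSA key pair from two primes (toy; real PKINIT keys live in X.509 certificates)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _digest(data, n):
    # Hash the message and reduce it below the modulus so pow() can sign it (no padding: toy only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate: subject, public key, CA signature."""
    subject: str
    pub: tuple
    ca_sig: int

    def tbs(self):  # the "to be signed" part the CA vouches for
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}".encode()


def issue_certificate(ca_priv, subject, pub):
    return Certificate(subject, pub, sign(ca_priv, Certificate(subject, pub, 0).tbs()))


def build_pa_pk_as_req(principal, cert, client_priv, now):
    """Client side: principal name + timestamp, signed with the smart card's private key, plus the cert."""
    body = f"{principal}|{now}".encode()
    return {"principal": principal, "timestamp": now, "signature": sign(client_priv, body), "cert": cert}


class KDC:
    def __init__(self, ca_pub, account_map, skew=300):
        self.ca_pub = ca_pub            # the CA that both Alice and the KDC trust
        self.account_map = account_map  # certificate subject -> Windows account (stands in for the AD lookup)
        self.skew = skew                # allowed clock skew in seconds (assumed value)

    def handle_as_req(self, req, session_key, now):
        cert = req["cert"]
        # 1. Validate the certificate: was it issued by the CA we trust?
        if not verify(self.ca_pub, cert.tbs(), cert.ca_sig):
            raise PermissionError("certificate not issued by trusted CA")
        # 2. Check the signature on principal+timestamp with the public key from that certificate
        body = f"{req['principal']}|{req['timestamp']}".encode()
        if not verify(cert.pub, body, req["signature"]):
            raise PermissionError("bad signature on AS request")
        if abs(now - req["timestamp"]) > self.skew:
            raise PermissionError("timestamp outside allowed clock skew")
        # 3. Map the certificate to an account; without a mapping there is no TGT
        account = self.account_map.get(cert.subject)
        if account is None:
            raise PermissionError("no account mapped to certificate")
        # 4. PA-PK-AS-REP: the TGT, with Alice's copy of the session key encrypted to her public key
        n, e = cert.pub
        return {"tgt_for": account, "enc_session_key": pow(session_key, e, n)}


def recover_session_key(rep, client_priv):
    """Client side: only the holder of the smart card's private key can read the session key."""
    n, d = client_priv
    return pow(rep["enc_session_key"], d, n)


def _attempt(kdc, req, session_key, now):
    try:
        kdc.handle_as_req(req, session_key, now)
        return "accepted"
    except PermissionError as exc:
        return str(exc)


def run_smartcard_logon():
    """Happy path plus two rejections; returns a dict of outcomes."""
    # Fixed Mersenne primes keep the toy deterministic; never build real keys this way.
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**521 - 1)
    _, rogue_priv = make_keypair(2**17 - 1, 2**127 - 1)  # a CA the KDC does not trust
    alice_pub, alice_priv = make_keypair(2**31 - 1, 2**61 - 1)
    bob_pub, bob_priv = make_keypair(2**13 - 1, 2**89 - 1)
    now, session_key = 1_700_000_000, 0x1234567890ABCDEF  # constructed values
    kdc = KDC(ca_pub, {"CN=Alice": "CORP\\alice"})  # Bob has a cert but no mapped account

    alice_cert = issue_certificate(ca_priv, "CN=Alice", alice_pub)
    req = build_pa_pk_as_req("alice@corp.example", alice_cert, alice_priv, now)
    rep = kdc.handle_as_req(req, session_key, now)
    result = {"account": rep["tgt_for"], "session_key_ok": recover_session_key(rep, alice_priv) == session_key}

    rogue_cert = issue_certificate(rogue_priv, "CN=Alice", alice_pub)  # same key, wrong issuer
    result["untrusted_ca"] = _attempt(kdc, build_pa_pk_as_req("alice@corp.example", rogue_cert, alice_priv, now), session_key, now)

    bob_cert = issue_certificate(ca_priv, "CN=Bob", bob_pub)  # trusted issuer, no account mapping
    result["unmapped"] = _attempt(kdc, build_pa_pk_as_req("bob@corp.example", bob_cert, bob_priv, now), session_key, now)
    return result


if __name__ == "__main__":
    print(run_smartcard_logon())
```

The two rejection paths are the ones that matter operationally: a certificate from any CA the KDC does not trust is refused before its signature is even checked, and a perfectly valid certificate still yields no TGT unless Active Directory maps it to an account.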
The Windows Server 2003 Resource Kit contains two utilities you can use to look at the content of the Kerberos ticket cache: kerbtray.exe (illustrated in Figure 5.30) and klist.exe (illustrated in Figure 5.31). Kerbtray.exe is a GUI tool, and klist.exe is a command-line tool. Both tools can be used to display and/or purge the content of the Kerberos ticket cache.
To bring up the kerbtray dialog box and look at your logon session's Kerberos ticket cache, double-click the kerbtray icon in the status area of your Windows desktop. The kerbtray icon is only displayed if you started the kerbtray program—it looks like a green ticket.
The upper pane of the kerbtray dialog box shows all Kerberos tickets (both service tickets and TGTs) that are cached in your logon session's Kerberos ticket cache. The lower part of the dialog box has four tabs: Names, Times, Flags and Encryption Types. The content of these tabs differs depending on the ticket that is selected in the upper pane.
- The Names tab shows the name of the security principal the Kerberos ticket was issued to [this is the user's User Principal Name (UPN)], together with the name of the service for which the ticket was issued [this is the service's Service Principal Name (SPN)].
- The Times tab shows the validity period of the ticket: its start and end time. For both TGTs and tickets, the default validity period is 10 hours.
- The Flags tab shows the Kerberos ticket flags that have been set in the ticket. Examples of ticket flags are the forwarded and proxy flags used during the Kerberos delegation process. For a more detailed explanation of all the Kerberos ticket flags, I refer to the Kerberos Version 5 (V5) standard document [Request For Comments (RFC) 1510], which can be downloaded from the IETF Web site at http://www.ietf.org.
- Finally, the Encryption Types tab shows the names of the symmetric encryption algorithms that were used by the Kerberos software to encrypt the tickets' content.
Figure 5.31: Looking at the Kerberos ticket cache using the klist utility.
To purge the tickets in the Kerberos ticket cache, right-click the kerbtray icon in your desktop's status area and select Purge Tickets. This option deletes all tickets in your ticket cache. Use this option with extreme caution: Deleting tickets may stop you from authenticating to other Windows services during your logon session. If you have purged your tickets, you can only obtain new ones by logging off and then logging on again.
To display the content of the Kerberos ticket cache using the klist command-line utility, type the following at the command prompt:
    klist tickets
    klist tgt
The first command will bring up the service tickets in the cache, and the second command will bring up the TGTs in the cache. To purge the cache from the command line, type:
    klist purge
Again, use the latter command with extreme caution.
The kerbtray utility displays more ticket information than the klist utility does, and it presents that information in a much more readable format. For example, klist displays the TGT ticket flags as a single hexadecimal string; it is up to the user to decipher this string and retrieve the associated ticket flags.
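Deciphering that hexadecimal string is mechanical once you know that klist prints the 32-bit TicketFlags word from RFC 1510 section 5.4.1 with bit 0 as the most significant bit. The decoder below is an added example, not code from the book or from the Resource Kit; it also picks out the forwarded and proxy flags mentioned earlier for the delegation case, so a defender can see at a glance which cached tickets were obtained through delegation. The klist dump it parses is constructed in the style of klist output, the field names and regular expressions are assumptions about that format, bits 12 and 13 come from the later RFC 4120, and name-canonicalize (bit 15) is a Windows addition that newer klist builds print as name_canonicalize.

```python
import re

# Ticket flag bit positions from RFC 1510 / RFC 4120 section 5.4.1; bit 0 is the most
# significant bit of the 32-bit value that klist prints as one hexadecimal string.
FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",  # added in RFC 4120
    15: "name-canonicalize",  # Windows addition, not in RFC 1510
}


def decode_ticket_flags(value):
    """Turn the hexadecimal flag word into the list of set flag names, MSB first."""
    return [FLAG_BITS.get(bit, f"unknown-bit-{bit}")
            for bit in range(32) if value & (0x80000000 >> bit)]


# Assumed layout of a klist record: a "Server:" line and a line containing "flags" and a hex word.
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)", re.MULTILINE)
FLAGS_RE = re.compile(r"flags\s*:?\s*(0x[0-9a-fA-F]+)", re.IGNORECASE)


def parse_klist(text):
    """Split a klist dump into per-ticket records; blocks without a flags line are skipped."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        flags = FLAGS_RE.search(block)
        if not flags:
            continue
        server = SERVER_RE.search(block)
        value = int(flags.group(1), 16)
        records.append({"server": server.group(1) if server else "?",
                        "flags": value, "names": decode_ticket_flags(value)})
    return records


def delegated_tickets(text):
    """Servers whose cached ticket carries the forwarded or proxy flag, i.e. obtained via delegation."""
    return [r["server"] for r in parse_klist(text)
            if "forwarded" in r["names"] or "proxy" in r["names"]]


# Constructed sample, loosely in the style of a klist dump (not real output).
SAMPLE_KLIST_OUTPUT = """\
Cached Tickets: (3)

   Server: krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   TicketFlags: 0x40e00000

   Server: cifs/fileserver.corp.example@CORP.EXAMPLE
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   TicketFlags: 0x40a40000

   Server: krbtgt/CORP.EXAMPLE@CORP.EXAMPLE
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
   TicketFlags: 0x60a00000
"""

if __name__ == "__main__":
    for rec in parse_klist(SAMPLE_KLIST_OUTPUT):
        print(f"{rec['server']:45} {rec['flags']:#010x} {' '.join(rec['names'])}")
    print("delegated:", delegated_tickets(SAMPLE_KLIST_OUTPUT))
```

The usual TGT word 0x40e00000 decodes to forwardable, renewable, initial and pre-authent; the third sample record, 0x60a00000, additionally carries the forwarded flag, which is what a TGT forwarded to a server during delegation looks like in the cache.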
This was first published in October 2004