The following excerpt, courtesy of Elsevier Digital Press, is from Chapter 5 of the book
"Windows Server 2003 security infrastructures" written by Jan De Clercq. Click for the complete book
excerpt series or purchase
Logging on to Windows using Kerberos:
Single domain environment
Now that we have explained the basic Kerberos protocol, we can discuss some real-world Windows Kerberos logon examples. In this section we will look in detail at both local and network logon features in single and multiple domain environments and in a multiple forest scenario.
Typical examples of logon method in a single domain environment are:
- Alice is logging on from a machine that is a member of the domain where Alice's user account
has been defined (this is a local logon method).
- Alice accesses a resource located on a machine that is a member of Alice's logon domain (this is a network logon method).
Local logon process
Figure 5.11 shows what happens during a local logon process in a single domain environment.
Everything starts when Alice presses Ctrl+Alt+Del and chooses to log on to the domain.
2. Once the DC is found, Alice sends a Kerberos authentication request to the DC. This request authenticates Alice to the DC and contains a TGT request (KRB_AS_REQ).
3. The Authentication Service authenticates Alice, generates a TGT, and sends it back to the client (KRB_AS_REP).
Figure 5.11 Local logon process in a single domain environment.
5. The TGS of the DC checks the TGT and the authenticator, generates a ticket for the local machine, and sends it back to Alice (KRB_TGS_REP).
6. On Alice's machine, the ticket is presented to the Local Security Authority, which will create an access token for Alice. From then on, any process acting on behalf of Alice can access the local machine's resources.
Network logon process
When Alice is already logged onto a domain and wants to access a resource located on a server within the same domain, a network logon process will take place. In this case, the logon sequence is as follows (see Figure 5.12):
2. The TGS of the DC checks the authenticator, generates a server ticket, and sends it back to Alice (KRB_TGS_REP).
3. Alice sends the ticket (together with an authenticator) to the application server (KRB_AP_REQ).
4. The application verifies the ticket with the authenticator and sends back his or her authenticator to Alice for server authentication (KRB_AP_REP).
Figure 5.12 Network logon process in a single domain environment.
Disabling Kerberos in migration scenarios
In certain migration scenarios it may be necessary to disable the Kerberos authentication protocol on your Windows Server 2003 domain controllers. Remember from Chapter 4 that for Windows 2000 Professional and later clients, the first authentication protocol of choice is always Kerberos -- at least if the client is talking to a Windows 2000 or later DC.
Imagine the following migration scenario: You have migrated all your client platforms to Windows XP and you upgraded one of your Windows NT4.0 DCs to Windows Server 2003 -- all the remaining DCs are still on NT4.0. In this scenario the one and only Windows Server 2003 DC may become overloaded by Kerberos authentication traffic because all Windows XP clients try to authenticate against it. Also, if this DC becomes unavailable, the clients cannot be authenticated anymore. Once a client has been authenticated by a Kerberos KDC it will not fall back to NTLM and NT4 DCs. This is a typical scenario where you may want to temporarily disable the Kerberos authentication protocol on the Windows Server 2003 DC.
To disable Kerberos, Microsoft provides a registry hack (the hack is available from Windows 2000 Service Pack 2 onward). The hack is called NT4Emulator (REG_DWORD) and should be added to the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/ Parameters registry key of the Windows 2000 SP2 or later DC and set to value 1.
The creation of this key on the Windows 2000 SP2 or later DC creates another problem because it will make it impossible to manage the AD using any of the MMC-based AD management tools. To get around this problem, you must make a registry change on the clients from which you want to use the AD management tools. Add the NeutralizeNT4Emulator registry value (REG_DWORD) in the HKEY_LOCAL_MACHINE/System/Current-ControlSet/Services/Netlogon/Parameters registry key and set it to value 1.
The role of SPNs
One of the great features of Kerberos is its support for mutual authentication. The enabling technologies for mutual authentication are the Kerberos protocol itself, User Principal Names (UPNs), and Service Principal Names (SPNs). The UPN and SPN concepts were introduced in Chapter 2. In the following we will look at how SPNs are used during the Kerberos authentication exchanges.
Let's take the example of a network logon process: A user decides to access a file on another server during his or her logon session. In this example the following SPN-related events will occur during the authentication exchanges:
- The Kerberos software on the client side constructs a Kerberos "KRB_TGS_REQ" message,
containing the user's TGT and the SPN of the service that is responsible for the file the user
wants to access. This message is sent to the user's domain controller. A Kerberos client can always
construct a service's SPN -- how this works was explained in Chapter 2.
- The KDC queries the AD (In the first place it will query the local domain Naming Context of the
user's authentication DC; after that, it will query the global catalog.) to find an account that
has a matching SPN (this process is also known as "resolving" the SPN). The service's SPN must be
unique in the AD. If more than one account is found with a corresponding SPN, the authentication
- Given the service account corresponding to the SPN and the associated master key, the KDC can
construct a service ticket and send it back to the client. (This is the "KRB_TGS_REP"
- In the next step the client sends a "KRB_AP_REQ" message to the file server (including the
service ticket and a Kerberos authenticator).
- Finally, the service will authenticate back to the client (this is the "KRB_AP_REP" message). This is where the real mutual authentication happens.
Click for the next excerpt in this series: Logging on to Windows using Kerberos: Multiple domain environment.
This was first published in September 2004