Understanding Kerberos in Microsoft Active Directory

Anyone who's been in the IT field in the last three years is aware that Windows 2000 Active Directory uses Kerberos as its default and primary authentication protection mechanism. But what most may not know is that Kerberos provides more of the foundation for Active Directory than they may think.

Kerberos is an open-standard security protocol and network authentication service. It is supported by a wide number of platforms, most notably (and widely) by Unix and its variants. Kerberos was designed to provide a means of secure authentication over the Internet.

Microsoft's Active Directory employs Kerberos for numerous activities, including user and system authentication, and authorization of network resource access. Non-Kerberos supporting platforms, such as Windows NT, must rely upon the IP address or some proprietary identification mechanism to provide a system of authentication for users, systems and resource access, but Kerberos uses a form of certificate credentials called tickets to perform a wide range of authentication and authorization functions.

In addition to using Kerberos for authentication and authorization, Active Directory also relies upon Kerberos for its trust relationships. Kerberos trusts are created automatically between domains within a forest. All internal-forest Kerberos trusts are two-way (bi-directional) and transitive. Thus, if domain A trusts domain B and domain B trusts domain C and domain C trusts domain D, then by the transitive

    Requires Free Membership to View

nature of Kerberos trusts, domain A trusts domain C and domain D, and domain B trusts domain D as well. The transitive nature of these trusts allows easier administrative control when granting users from one domain access to resources in another domain within the same forest.

James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.

This was first published in March 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.