Anyone who's been in the IT field in the last three years is aware that Windows 2000 Active Directory uses Kerberos
as its default and primary authentication protection mechanism. But what most may not know is that Kerberos provides more of the foundation for Active Directory than they may think.
Kerberos is an open-standard security protocol and network authentication service. It is supported by a wide number of platforms, most notably (and widely) by Unix and its variants. Kerberos was designed to provide a means of secure authentication over the Internet.
Microsoft's Active Directory employs Kerberos for numerous activities, including user and system authentication, and authorization of network resource access. Non-Kerberos supporting platforms, such as Windows NT, must rely upon the IP address or some proprietary identification mechanism to provide a system of authentication for users, systems and resource access, but Kerberos uses a form of certificate credentials called tickets to perform a wide range of authentication and authorization functions.
In addition to using Kerberos for authentication and authorization, Active Directory also relies upon Kerberos for its trust relationships. Kerberos trusts are created automatically between domains within a forest. All internal-forest Kerberos trusts are two-way (bi-directional) and transitive. Thus, if domain A trusts domain B and domain B trusts domain C and domain C trusts domain D, then by the transitive nature of Kerberos trusts, domain A trusts domain C and domain D, and domain B trusts domain D as well. The transitive nature of these trusts allows easier administrative control when granting users from one domain access to resources in another domain within the same forest.
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.