Understanding Kerberos in Microsoft Active Directory

This short article breaks down the properties of Kerberos, Microsoft's primary authentication protection mechanism, with details on how it works in Active Directory.

Anyone who has worked in the IT field over the last three years is aware that Windows 2000 Active Directory uses Kerberos as its default and primary authentication protection mechanism. What many may not know is that Kerberos provides more of the foundation for Active Directory than they might think.

Kerberos is an open-standard security protocol and network authentication service. It is supported by a wide range of platforms, most notably (and most widely) by Unix and its variants. Kerberos was designed to provide a means of secure authentication over the Internet.

Microsoft's Active Directory employs Kerberos for numerous activities, including user and system authentication and authorization of access to network resources. Platforms that do not support Kerberos, such as Windows NT, must rely upon the IP address or some proprietary identification mechanism to authenticate users, systems and resource access; Kerberos instead uses a form of certificate-style credential called a ticket to perform a wide range of authentication and authorization functions.

In addition to using Kerberos for authentication and authorization, Active Directory also relies upon Kerberos for its trust relationships. Kerberos trusts are created automatically between domains within a forest. All internal-forest Kerberos trusts are two-way (bi-directional) and transitive. Thus, if domain A trusts domain B and domain B trusts domain C and domain C trusts domain D, then by the transitive nature of Kerberos trusts, domain A trusts domain C and domain D, and domain B trusts domain D as well. The transitive nature of these trusts allows easier administrative control when granting users from one domain access to resources in another domain within the same forest.
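The transitive closure described above, worked through in code. This is an added example, not part of the original article: it models the A-B-C-D chain as a constructed set of forest-internal trusts, treats each as two-way and transitive, and enumerates every domain pair that ends up trusting each other, which is the set an administrator auditing cross-domain access actually needs to review.

```python
from collections import deque

# Constructed example: the explicitly created trusts from the article's chain.
# Within a forest each Kerberos trust is two-way and transitive.
FOREST_TRUSTS = [("A", "B"), ("B", "C"), ("C", "D")]


def build_trust_graph(trusts):
    """Adjacency map; every forest trust is two-way, so record both directions."""
    graph = {}
    for x, y in trusts:
        graph.setdefault(x, set()).add(y)
        graph.setdefault(y, set()).add(x)
    return graph


def trust_path(graph, source, target):
    """Chain of domains through which `source` transitively trusts `target`,
    or None if no path exists. Breadth-first search with parent tracking."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def trusted_domains(graph, domain):
    """All domains `domain` trusts, directly or transitively, excluding itself."""
    return {d for d in graph if d != domain and trust_path(graph, domain, d)}


def effective_trust_pairs(graph):
    """Every ordered (source, target) pair that is an effective trust after
    transitivity is applied; this is larger than the explicit trust list."""
    return {(s, t) for s in graph for t in trusted_domains(graph, s)}


if __name__ == "__main__":
    g = build_trust_graph(FOREST_TRUSTS)
    print("A trusts D via", " -> ".join(trust_path(g, "A", "D")))
    print(len(FOREST_TRUSTS), "explicit trusts yield",
          len(effective_trust_pairs(g)) // 2, "effective two-way trusts")
```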


James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.


This was first published in March 2003
