Welcome Sign in
Windows Client TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Windows
Windows Server
Windows Server 2003
 How the Kerberos Version 5 Authenti...
How the Kerberos Version 5 Authentication Protocol Works

Updated: May 8, 2008

How the Kerberos Version 5 Authentication Protocol Works

In this section

The Kerberos Network Authentication Service version 5, defined in RFC 1510, provides a means of verifying the identities of principals on an open, potentially insecure network. This section discusses how the RFC standard Kerberos version 5 authentication protocol is used in Windows Server 2003.

This section is divided into four subsections:

  • Kerberos SSP Architecture illustrates how the Microsoft Security Support Provider Interface (SSPI) in Windows Server 2003 provides a mechanism of generic routines that can access the Kerberos Security Support Provider (SSP).
  • Kerberos Physical Structure discusses components of the Windows Server 2003 implementation of Kerberos authentication. These components include keys, tickets, and the Key Distribution Center (KDC).
  • Kerberos V5 Authentication Protocol Processes and Interactions illustrates how the Kerberos protocol is used in different situations, details what is included in Kerberos messages, and discusses other related technologies. The examples will show the complete process, including related components and processes that are not defined by the Kerberos Network Authentication Service. Some processes—such as how to find an authentication service, what credentials information is passed, and where credentials information is stored—are specific to Windows systems and might or might not differ in other implementations of the Kerberos protocol.
  • Network Ports Used by the Kerberos V5 Protocol tabulates networks ports used during Kerberos authentication.

Kerberos SSP Architecture

Windows Server 2003 implements the Kerberos V5 authentication protocol as a Security Support Provider (SSP), a dynamic-link library (DLL) supplied with the operating system. Windows Server 2003 includes an SSP for NTLM authentication as well. By default, both SSPs are loaded by the Local Security Authority (LSA) on a Windows Server 2003 computer when the system boots. The system can use either SSP to authenticate network logons and client/server connections. Which SSP is used depends on the capabilities of the computer on the other side of the connection and the preferences of the individual application that is being used.

The Microsoft SSPI is the foundation for authentication in Windows Server 2003. That is, applications and infrastructure services that require authentication use SSPI to provide it.

The SSPI is the implementation of the Generic Security Service API (GSSAPI) in Windows Server 2003. For more information about GSSAPI, see RFC 2743 and RFC 2744 in the IETF RFC Database.

The default SSPs in Windows Server 2003—Negotiate (SPNEGO), Kerberos, NTLM, Schannel, and Digest authentication protocols—are plugged into the SSPI in the form of DLLs. Additional SSPs can be plugged in if they can interoperate with the SSPI.

SSPI Architecture graphic

SSPI Architecture

The SSPI in Windows Server 2003 provides a mechanism that carries authentication tokens over the existing communication channel between the client and server. When two parties need to be authenticated so that they can communicate securely, the requests for authentication are routed to the SSPI, which completes the authentication process, regardless of the network protocol currently in use. The SSPI returns transparent binary large objects, which are then passed to the other side of the connection by the application, at which point they can be passed to the SSPI layer on that side. Thus, the SSPI enables an application to use various security models available on a computer or network without changing the interface to the security system.

The following table describes the SSP components that are plugged into the SSPI. Each of the protocols in the table is used in different ways in Windows Server 2003 to promote secure communication in an insecure network environment.

SSP Layer Components

 

Component Description

Kerberos V5 authentication

An industry-standard protocol that is used with either a password or a smart card for interactive logon. It is also the preferred authentication method for services in Windows 2000 and Windows Server 2003.

NTLM authentication

A challenge-response protocol that is used to provide compatibility with versions of Windows earlier than Windows 2000.

Digest authentication

An industry standard that is used in Windows Server 2003 for Lightweight Directory Access Protocol (LDAP) and Web authentication. Digest transmits credentials across the network as an MD5 hash or message digest.

Schannel

An SSP that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. Schannel is used for Web-based server authentication such as when a user attempts to access a secure Web server.

Negotiate

An SSP that can be used to negotiate a specific authentication protocol. When an application calls into SSPI to log on to a network, it can specify an SSP to process the request. If the application specifies Negotiate, Negotiate analyzes the request and picks the best SSP to handle the request based on customer-configured security policy.

Kerberos SSP

Windows Server 2003 implements the Kerberos V5 authentication protocol as an SSP, a DLL supplied with the operating system. The system uses the Kerberos SSP, Kerberos.dll, as its first choice for authentication. After the LSA establishes a security context for an interactive user, another instance of the Kerberos SSP can be loaded by a process running in the user's security context to support the signing and sealing of messages.

Because the Kerberos protocol is the preferred authentication protocol for Windows Server 2003, all domain services support the Kerberos SSP, including:

  • Active Directory queries using the Lightweight Directory Access Protocol (LDAP)
  • Remote server or workstation management using RPC calls
  • Print services
  • Client-server authentication
  • Remote file access using the Common Internet File System/Server Message Block (CIFS/SMB)
  • Distributed file system management and referrals
  • Intranet authentication to Internet Information Services (IIS)
  • Security authority authentication for Internet Protocol Security (IPSec)
  • Certificate requests to Certificate Services for domain users and computers

Kerberos Physical Structure

Kerberos authentication provides a mechanism for mutual authentication between a client and a server on an open network—a network in which packets transmitted along the network could be monitored and modified at will. In order to provide secure authentication, Kerberos authentication uses symmetric keys, encrypted objects, and Kerberos services.

This subsection will cover the following topics:

  • Keys Used in Kerberos Authentication
  • Kerberos Tickets
  • The Authenticator
  • Credentials Cache
  • Key Distribution Center
  • The Kerberos Realm

Kerberos Components

The Kerberos Realm Kerberos Components

Keys Used in Authentication

Why are keys needed?

The Kerberos protocol relies heavily on an authentication technique involving shared-secret keys. The basic shared-secret concept is quite simple: If a secret is known by only two people, then either person can verify the identity of the other by confirming that the other person knows the secret.

For example, suppose that Alice often sends messages to Bob, and that Bob needs to ensure that a message from Alice really has come from Alice before he acts on its information. They decide to solve their problem by selecting a password and agreeing to share the secret password between the two of them, but not with anyone else. If a message purported to be from Alice can somehow demonstrate that the sender knows the password, Bob can verify that the sender is indeed Alice.

The only question left for Alice and Bob to resolve is how Alice will show that she knows the password. She could include it somewhere in her messages, perhaps in a signature block at the end—Alice, Our$ecret. This would be simple and efficient and would be effective if Alice and Bob could be sure that no one else is reading their mail. Unfortunately, their messages pass over a network used by people like Carol, who uses a network analyzer to scan traffic in hope that one day she might spot a password. Thus, Alice must not prove that she knows the secret by including it in her message. To keep the password secret, she must show that she knows it without revealing it.

The Kerberos protocol solves this problem with secret key cryptography. Instead of sharing a password, communication partners share a cryptographic key, and they use knowledge of this key to verify one another's identity. In order for the technique to work, the shared key must be symmetric—that is, a single key must be capable of both encryption and decryption. One party proves knowledge of the key by encrypting a piece of information; the other proves knowledge of the key by decrypting the information.

Kerberos authentication relies on several keys and key types for encryption. Key types can include long-term symmetric keys, long-term asymmetric keys, and short-term symmetric keys. The authentication protocol was designed to use symmetric encryption, meaning that the same shared key is used by the sender and the recipient for encryption and decryption.

Long-Term Symmetric Keys: User, System, Service, and Inter-realm Keys

The long-term symmetric keys are derived from a password. The plaintext password is transformed into a cryptographic key by passing the text of the password through a cryptographic function. (All implementations of the Kerberos version 5 authentication protocol must support DES-CBC-MD5. Other algorithms are permissible.) The result of the cryptographic function is the key.

User keys

When a user is created, the password is used to create the user key. In Active Directory domains, the user key is stored with the user's object in the Active Directory. At the workstation, the user key is created when the user logs on.

System keys

When a workstation or a server joins a Windows domain, it receives a password. In the same manner as a user account, the system account's password is used to create the system key.

Service keys

Services use a key based on the account password they use to log on.

All KDCs in the same realm use the same service key. This key is based on the password assigned to the krbtgt account. Every Active Directory domain will have this built-in account.

Inter-realm keys

In order for cross-realm authentication to occur, the KDCs must share an inter-realm key. The realms can then trust each other because they share the key.

Active Directory domains that have a parent-child relationship share an inter-realm key. This inter-realm key is the basis of transitive trusts in Windows 2000 and Windows Server 2003. If a shortcut trust is created, the two domains will exchange a key specifically for their trust.

Kerberos SSP encryption key lengths

Kerberos SSP supports different encryption types and key lengths depending on the task to be completed and the options specified. Although the size of the key determines the degree of protection the key provides, key size does not significantly impact the size of the ticket. The following table lists the key lengths that Kerberos SSP supports for the various types of encryption.

Key Lengths for Encryption Types

 

Encryption Algorithm Key Length

RC4-HMAC

128

DES-CBC-CRC

56

DES-CBC-MD5

56

Long-Term Asymmetric Keys: Public Key

Currently, public-key certificates stored on smart cards are the only long-term asymmetric keys in the Microsoft implementation of Kerberos authentication.

Short-Term Symmetric Keys: Session Keys

The session keys used for ticket-granting tickets (TGTs) and service tickets are short-lived and used only as long as that session or service ticket is valid.

Kerberos Tickets

The main component of Kerberos authentication is the ticket. The Kerberos messages are used to request and deliver tickets. There are two types of tickets used in Kerberos authentication, TGTs and service tickets.

Kerberos Ticket Requests

The Kerberos client sends ticket requests to the KDC:

 

Requested Ticket Type KDC Service That Receives Request

TGT

Authentication service

Service ticket

Ticket-granting service

The ticket requests include:

  • Requested properties (flags), such as whether the ticket is renewable.
  • Requested encryption method.

Ticket-Granting Tickets

The KDC responds to a client's authentication service request by returning a service ticket for itself. This special service ticket is called a ticket-granting ticket (TGT). A TGT enables the authentication service to safely transport the requester's credentials to the ticket-granting service.

A TGT is:

  • A user's initial ticket from the authentication service.
  • Used to request service tickets.
  • Meant only for use by the ticket-granting service.

TGTs are encrypted with a key shared by the KDCs. The client cannot read tickets. Only KDC servers can read TGTs to secure access to user credentials, session keys, and other information. Like an ordinary service ticket, a TGT contains a copy of the session key that the service (in this case the KDC) will use in communicating with the client. The TGT is encrypted with the KDC's long-term key.

From the client's point of view, a TGT is just another ticket. Before it attempts to connect to any service, the client first checks its credentials cache for a service ticket to that service. If it does not have one, it checks the cache again for a TGT. If it finds a TGT, the client fetches the corresponding TGS session key from the cache, uses this key to prepare an authenticator (described later in this document), and sends both the authenticator and the TGT to the KDC, along with a request for a service ticket for the service. In other words, gaining admission to the KDC is no different from gaining admission to any other service in the domain—it requires a session key, an authenticator, and a ticket.

From the KDC's point of view, TGTs enable it to avoid the performance penalties of looking up a user's long term key every time the user requests a service. The KDC looks up the user's long-term key only once, when it grants an initial TGT. For all other exchanges with this client, the KDC can decrypt the TGT with its own long-term key, extract the session key, and use that to validate the client's authenticator.

Service tickets

A service ticket enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.

The KDC responds to the client's request to connect to a service by sending both copies of the session key to the client. The client's copy of the session key is encrypted with the key that the KDC shares with the client. The service's copy of the session key is embedded, along with information about the client, in a data structure called a service ticket. The entire structure is then encrypted with the key that the KDC shares with the service. The ticket—with the service's copy of the session key safely inside—becomes the client's responsibility to manage until it contacts the service.

A service ticket is used to authenticate with services other than the TGS and is meant only for the target service.

A service ticket is encrypted with a service key, which is a long-term key shared by the KDC and the target service. Thus, although the client manages the service ticket, the client cannot read it. Only the KDC and the target service can read tickets, enabling secure access to user credentials, the session key, and other information.

Note

  • The KDC is simply providing a ticket-granting service. It does not keep track of its messages to make sure they reach the intended address. No harm will be done if the KDC's messages fall into the wrong hands. Only someone who knows the client's secret key can decrypt the client's copy of the session key. Only someone who knows the server's secret key can read what is inside the ticket.

When the client receives the KDC's reply, it extracts the ticket and the client's copy of the session key, putting both aside in a secure cache (located in volatile memory, not on disk). When the client wants admission to the server, it sends the server a message that consists of the ticket, which is still encrypted with the server's secret key, and an authenticator, which is encrypted with the session key. The ticket and authenticator together are the client's credentials to the server.

Benefits of service tickets

The server does not have to store the session key that it uses in communicating with clients. It is the client's responsibility to hold a ticket for the server in its credentials cache and present the ticket each time it wants access to the server. Whenever the server receives a service ticket from a client, the server can use its secret key to decrypt the ticket and extract the session key. When the server no longer needs the session key, it can discard it.

The client does not need to go back to the KDC each time it wants access to this particular server. Service tickets can be reused. To guard against the possibility that someone might steal a copy of a ticket, service tickets have an expiration time that is specified by the KDC in the ticket's data structure.

How long a ticket is valid depends on the policy for the realm. Although the RFC recommends a maximum ticket lifetime of one day, in both MIT Kerberos 5 Release 1.3.1 and the Windows 2000 or Windows Server 2003 implementations of the Kerberos protocol, tickets are good for no longer than 10 hours by default, about the length of a normal logon session. When the user logs off, the credentials cache is flushed and all service tickets—as well as all session keys—are destroyed.

What Is in a Ticket?

For our purpose here, it is enough to list the fields in a ticket and to describe the information they contain. The exact data structures for tickets as well as messages can be found in RFC 1510.

The first three fields in a ticket are not encrypted. The information is in plaintext so that the client can use the information to manage tickets in its cache.

Ticket Contents

 

Field Name Description

Ticket Version Number

5

Realm

Name of the realm (domain) that issued the ticket. A KDC can issue tickets only for servers in its own realm, so this is also the name of the server's realm.

Server Name

Name of the server.

 

The following fields are encrypted with the server's secret key.

Flags

Options that specify how and when the ticket can be used. See table below for details about ticket flags.

Key

The session key used to encrypt and decrypt client and target server messages.

Client Realm

Name of the requester's realm.

Client Name

Requester's name.

Transited

Lists the Kerberos realms that took part in the authentication of the client during cross-realm authentication.

Authentication Time

Time of initial authentication by the client.

The KDC places a timestamp in this field when it issues a TGT. When it issues tickets based on a TGT, the KDC copies the authentication time of the TGT to the authentication time of the ticket.

An application could have a policy to reject tickets that were based on "old" TGTs, requiring the client to obtain a new TGT and then a new service ticket.

Start Time

Time after which the ticket is valid.

End Time

Ticket's expiration time.

Renew Till

(Optional) Maximum end time that can be set in a ticket with a RENEWABLE ticket flag.

Client Address

(Optional) One or more addresses from which the ticket can be used. If omitted, the ticket can be used from any address.

Authorization-Data

(Optional) This field contains authorization data for the client.

In MIT's implementation of the Kerberos protocol, this field normally contains access restrictions. For example, if this were a ticket for a print server sent by a client wishing to print a file, the file name could be included here, restricting the print server's access on behalf of the client to only this file.

In the Microsoft implementation, this field is significant because it contains the user's SID and the SIDs of groups the client belongs to—data which is used to build the client's access token (the privilege attributes for the client).

The Kerberos service does not interpret the contents of this field. Interpretation is left up to the service requesting credentials.

The following table lists and describes the Kerberos ticket Flag field. The Flag field is a bit-field in which options are set by turning a particular bit on (1) or off (0). Although the field is 32 bits long, only 11 ticket flags are of interest to Kerberos administrators.

Ticket Flags

 

Flag Description

FORWARDABLE

(TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.

FORWARDED

Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.

PROXIABLE

(TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.

PROXY

Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.

MAY-POSTDATE

(TGT only). Tells the ticket-granting service (TGS) that a postdated ticket can be issued.

POSTDATED

Indicates that the ticket has been postdated.

INVALID

Indicates that the ticket is invalid and must be validated by the KDC before use. A postdated ticket is flagged as invalid until its valid start time.

RENEWABLE

Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.

INITIAL

Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.

PRE-AUTHENT

Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.

HW-AUTHENT

Indicates that the initial authentication required the use of hardware.

What information clients have about tickets

A client needs to have some information about what is inside tickets and TGTs in order to manage its credentials cache. When the KDC returns a ticket and session key as the result of an authentication service (AS) or ticket-granting service (TGS) exchange, it packages the client's copy of the session key in a data structure that includes the information in the following ticket fields: Authentication Time, Start Time, End Time, and Renew Till. The entire structure is encrypted in the client's key and returned with the KRB_AS_REP or KRB_TGS_REP messages.

Kerberos authorization data for Windows accounts

The Kerberos protocol describes a number of fields to be used in the authentication exchange. One of these, the optional authorization data field, is intended to be specific to the end service, in this case, Microsoft authorization. The Microsoft implementation follows the Kerberos specification (RFC 1510) by using the authorization field to store information about user identity and group membership. This information is stored in Microsoft authorization data that is generated by a domain controller during an AS or TGS request. The Microsoft authorization data includes the following groups of information:

  • Credential information. Information about the ticket and the client, such as Group IDs, which list relative IDs (RIDs) that belong to the client for his or her domain and groups.
  • Client information. Ensures that the ticket belongs to the client who is submitting it.
  • Supplemental credentials. Returned by the KDC service to enable PKINIT.
  • Signatures. The Microsoft authorization data contains two digital signatures, one for the domain controller and one for the server offering the service. These signatures are used to prevent clients or untrusted services from generating their own forged Microsoft authorization data.
  • PAC-request pre-authentication data. Normally, the Microsoft authorization data is included in every pre-authenticated ticket received from an AS request. However, a client can also explicitly request — with the privilege attribute certificate (PAC)-request pre-authentication data field — to include or not include SIDs. If the field is present, the account SIDs will be included. If the field is not present, SIDs will not be included.

For more information about Microsoft authorization data present in Kerberos tickets issued by Windows domain controllers, see "Utilizing the Windows 2000 Authorization Data in Kerberos Tickets for Access Control to Resources," a Windows Development (General) topic on MSDN.

How the KDC limits a ticket's lifetime

Each ticket has a start time and an expiration time. At any time after the start time but before the expiration time, a client holding a ticket for a service can present the ticket and gain access to the service, no matter how many times the client has used the ticket before. In order to reduce the risk that a ticket or the corresponding session key might be compromised, administrators can set the maximum lifetime for tickets. The maximum lifetime for tickets setting is an element of Kerberos policy.

When a client asks the KDC for a ticket to a service, the client can request a specific start time. If this time is missing from the request or is a time in the past, the KDC sets the ticket's start time field to the current time.

Whether or not a client specifies a start time, its request must include a desired expiration time. The KDC determines the value in a ticket's End Time field by adding the maximum ticket life fixed by Kerberos policy to the value in the ticket's Start Time field. It then compares the result with the requested expiration time. Whichever time is sooner becomes the ticket's end time.

What happens when tickets expire

The KDC does not notify clients when service tickets or TGTs are about to expire. Furthermore, other than keeping short-term records needed to prevent replay attacks, it does not keep track of transactions with clients.

If a client presents an expired service ticket when requesting a connection to a server, the server returns an error message. The client must request a new service ticket from the KDC. After a connection is authenticated, however, it no longer matters whether the service ticket remains valid. Service tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the service ticket used to authenticate the connection expires during the connection.

If a client presents an expired TGT when requesting a service ticket from the KDC, the KDC responds with an error message. The client must request a new TGT, and to do that it needs the user's long-term key. If the client did not cache the user's long-term key during the initial logon process, the client might have to ask the user for a password and derive the long-term key.

Renewable TGTs

When tickets are renewable, session keys are refreshed periodically without issuing a completely new ticket. If Kerberos policy permits renewable tickets, the KDC sets a RENEWABLE flag in every ticket it issues and sets two expiration times in the ticket. One expiration time limits the life of the current instance of the ticket; the second expiration time sets a limit on the cumulative lifetime of all instances of the ticket.

The expiration time for the current instance of the ticket is held in the End Time field. As with non-renewable tickets, the value in the End Time field equals the value in the Start Time field plus the value of the maximum ticket life specified by Kerberos policy. A client holding a renewable ticket must send it—presenting a fresh authenticator as well—to the KDC for renewal before the end time is reached. When the KDC receives a ticket for renewal, it checks the value of a second expiration time held in the Renew Till field. This value is set when the ticket is first issued. It equals the value in the tickets Start Time field plus the value of the maximum cumulative ticket life specified by Kerberos policy. When the KDC renews the ticket, it checks to determine if the renew-till time has not yet arrived. If it has not, the KDC issues a new instance of the ticket with a later end time and a new session key.

This means that administrators can set Kerberos policy so that tickets must be renewed at relatively short intervals—every day, for example. When tickets are renewed, a new session key is issued, minimizing the value of a compromised key. Administrators can also set cumulative ticket life for a relatively long period—one week or one month, for example. At the end of that time, the ticket expires and is no longer valid for renewal.

The Authenticator

Whenever a client sends a ticket to a target server—whether the server is the TGS or some other network server or resource—the client also includes an authenticator in the message. The authenticator verifies that the client listed as the sender in the ticket really is the ticket's source.

Why is an authenticator necessary?

The target server can trust the contents of the ticket because the ticket is encrypted with the target server's secret key. However, the target server cannot trust that the ticket was really sent by the client specified in the ticket. The ticket could have been stolen and is now being included in an imposter's message.

How does the authenticator work?

  • The authenticator is encrypted with the session key created by the KDC to be used between the client and the target server. Only the client and the target server can access the session key.
  • The target server uses its secret key to decrypt the ticket, finds the session key inside the ticket, and uses it to decrypt the authenticator.
  • If the target server can successfully decrypt the authenticator and if the authenticator's data is accurate, then the target server will trust the source of the ticket.

The authenticator's timestamp

The timestamp is perhaps the most important piece of data in the authenticator. A domain's Kerberos policy and policies established by applications typically require that the timestamp be within minutes of the time on the target server. Otherwise, the authenticator and the ticket will be rejected. This helps prevent message replay.

Although no authenticator is included in the initial authentication service request message (explained later in this document), the message does include the client's timestamp in the pre-authentication field.

What is in an authenticator?

The following table lists and describes authenticator fields. The exact data structures for authenticators as well as messages can be found in RFC 1510.

Authenticator Fields

 

Field Description

Checksum

A checksum of the data from the ticket-granting service request (KRB_TGS_REQ) or application server request (KRB_AP_REQ) message that the authenticator was a part of. This helps validate that the message sender was really the client.

Subkey

In a KRB_AP_REQ, this field specifies a subkey that the target server and the client will use to encrypt further communications, instead of using the TGS-supplied session key.

Sequence Number

An optional field that could be used to prevent replays. This sequence number might be based on the client nonce, for example.

Authorization Data

This optional field can include authorization data for specific applications. This is not the same as the Authorization Data field that carries the user's privilege attribute certificate (PAC).

Credentials Cache

On computers running Windows 2000, Windows XP, or Windows Server 2003, tickets and keys obtained from the KDC are stored in a credentials cache, an area of volatile memory protected by the LSA. The credentials cache is never paged to disk. All objects stored there are destroyed when a security principal logs off or when the system is shut down.

The credentials cache is managed by the Kerberos SSP, which runs in the LSA's security context. Whenever tickets and keys need to be obtained or renewed, the LSA calls the Kerberos SSP to accomplish the task.

Note

  • In Windows XP and Windows 2000 with Service Pack 2 or later, TGT renewal is triggered when the TGT is used within 5 minutes of its expiration.
  • In Windows Server 2003, periodically the system will automatically renew expiring TGTs.

The LSA also keeps a copy of an interactive user's hashed password. If the user's TGT expires during a logon session, the Kerberos SSP uses the LSA's copy of the hashed password to obtain a new TGT without interrupting the user's logon session. The password is not stored permanently on the computer, and the local copy of the hashed password is destroyed when the user's logon session is destroyed.

Hashed passwords for services and computers are handled differently than above. As in Windows NT, hashed passwords are stored in a secure area of the computer's registry. The registry is also used to store hashed passwords for user accounts on the local system, but local accounts are used only for access to computers in standalone mode, never for network access.

Key Distribution Center

The Key Distribution Center (KDC) is a service that runs on a physically secure server. The KDC maintains a database with account information for all security principals in its realm (the Kerberos equivalent of a Windows Server 2003 domain). Along with other information about each security principal, the KDC stores a cryptographic key known only to the security principal and the KDC. This key—also called the long-term key—is used in exchanges between the security principal and the KDC. In most implementations of the protocol, the long-term key is derived from a user's logon password.

As in other implementations of the Kerberos protocol, Microsoft implements the KDC as a single process that provides two services:

Authentication service (AS)

The AS issues TGTs good for admission to the ticket-granting service in its domain. Before network clients can get tickets for services, each client must get an initial TGT from the authentication service in the user's account domain.

Ticket-granting service (TGS)

The TGS issues tickets good for admission to other services in the TGS's domain or to the ticket-granting service of a trusted domain. When a client wants access to a service, it must contact the ticket-granting service in the service's account domain, present a TGT, and ask for a ticket. If the client does not have a TGT valid for admission to that ticket-granting service, it must get one through a referral process that begins at the ticket-granting service in the user account's domain and ends at the ticket-granting service in the service account's domain.

Windows Server 2003 implements the Key Distribution Center (KDC) as a domain service. It uses the domain's Active Directory as its account database and gets some information about users from the global catalog.

The KDC is located on every domain controller, as is the Active Directory directory service. Both services are started automatically by the domain controller's Local Security Authority (LSA) and run in the process space of the LSA. Neither service can be stopped. Windows Server 2003 ensures availability of these services by allowing each domain to have several domain controllers, all peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.

The security principal name used by the KDC for an Active Directory domain is krbtgt, as specified by RFC 1510. An account for this security principal is created automatically when a new domain is created. The account cannot be deleted, nor can the name be changed.

A password is automatically assigned to the krbtgt account. The password for the krbtgt account is used to derive a secret key for encrypting and decrypting the TGTs that the KDC issues. Passwords for domain trusts are either automatically assigned or provided when the trust is established. The password for a domain trust is used to derive an inter-realm key for encrypting referral tickets. (Referral tickets are discussed later in this document.) Although passwords for domain trusts are changed automatically, passwords for trusts with non-Windows realms and the krbtgt accounts must be changed either manually or through a script.

All instances of the KDC within a domain use the domain account for the security principal krbtgt. A client addresses messages to a domain's KDC by including both the service's security principal name, krbtgt, and the name of the domain. Both items of information are also used in tickets to identify the issuing authority. For information about name forms and addressing conventions, see RFC 1510 in the IETF RFC Database.

Session Key Distribution: the Session Key

If each client were to need a unique key for every service, and if each service were to need a unique key for every client, key distribution could quickly become a tough problem to solve. Furthermore, the need to store and protect so many keys on so many computers would present an enormous security risk. Hypothetically, a network of n accounts would require n(n-1)/2 keys, where n is an integer greater than 1. Thus, a network of only 10 users, services, and systems would need 45 keys; a network of 100 accounts would need 4,950 keys. Every new user, service, or system would generate a new key pair for each interaction.

The name of the Kerberos protocol suggests how it solves the problem of key distribution. Kerberos (Cerberus), in Greek mythology, was the fierce, three-headed dog that guarded the gates of the Underworld. The Kerberos protocol—like Kerberos the guard—has three heads: a client, a server, and a trusted third party to mediate between the other two. The trusted intermediary in the protocol is the Key Distribution Center (KDC).

When a client wants to connect to a server, the client sends a request to the KDC, and the KDC distributes a unique, short-term session key for the two parties to use when they authenticate each other. The server's copy of the session key is encrypted in the server's long-term key. The client's copy of the session key is encrypted in the client's long-term key.

KDC Configuration

RFC 1510 recommends the following values for KDC configuration:

KDC configuration

 

Configuration Element RFC 1510 Recommendation Active Directory Domain Default Setting

Maximum ticket lifetime

One day

600 minutes (10 hours)

Maximum renewable lifetime

One week

Seven days

Empty addresses

Only when suitable restrictions appear in authorization data

Support empty addresses

For more information about Kerberos policy settings, see Account Policy Settings.

For more information about KDC configuration, see RFC 1510 in the IETF RFC Database.

Pre-authentication

By default, the KDC requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

Active Directory as a KDC account database

The account database that the KDC needs in order to obtain information about security principals is provided in Windows Server 2003 by the domain's Active Directory. Each principal is represented by an account object. The encryption key used in communicating with a user, computer, or service is stored as an attribute of that security principal's account object.

Only domain controllers are Active Directory servers. Because each domain controller keeps a writeable copy of the directory, you can create accounts, reset passwords, and modify group membership at any domain controller. Changes made to one replica of the directory are automatically propagated to all other replicas. Windows 2000 and Windows Server 2003 do not, however, implement the Kerberos replication protocol. Instead, the systems replicate the information store for Active Directory using a proprietary multi-master replication protocol over a secure channel between replication partners.

Physical storage of account data is managed by the Directory System Agent (DSA), a protected process integrated with the LSA on the domain controller. Clients of the directory service are never given direct access to the data store. Any client wanting access to directory information must use one of the supported Active Directory Service Interfaces (ADSI) to connect to the DSA and then search for, read, and write directory objects and their attributes.

Requests to access an object or attribute in the directory are subject to validation by Windows 2000 or Windows Server 2003 access control mechanisms. Like file and folder objects in the NTFS file system, objects in Active Directory are protected by Access Control Lists (ACLs) that specify who can access the object and in what way. Unlike files and folders, however, Active Directory objects have an ACL for each of their attributes. Thus, attributes for sensitive account information can be protected by more restrictive permissions than those granted for other attributes of the account.

The most sensitive information about an account is, of course, its password. Although an account object's password attribute stores an encryption key derived from a password, not the password itself, this key could be just as useful to an intruder. Therefore, access to an account object's password attribute is granted only to the account holder, never to anyone else, not even administrators. Only processes with Trusted Computer Base privilege—processes running in the security context of the LSA—are allowed to read or change password information.

In order to hinder an offline attack by someone with access to a domain controller's backup tape, an account object's password attribute is further protected by a second encryption using a system key. Administrators are given the option to choose where the system key is stored and which of several algorithms is used to encrypt password attributes. You can store the system key on removable media so that it can be safeguarded separately, or store it—protected by a dispersal mechanism—on the domain controller.

Service Principal Names

SPNs can only be registered by a domain administrator, with one exception—a system account can register an SPN for its computer account.

In Windows 2000, SPNs were canonicalized to the SAM account name—for example, Server1, Server1$. This caused issues when clients requested tickets for a service with a non-canonical name. The system was unable to detect the existing cached service ticket and would request a new service ticket for the service. In Windows Server 2003, on the other hand, the SPN requested is used without canonicalization.

SPNs are unique identifiers for services running on servers. Every service that will use Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, then clients will have no way of locating that service. Without properly set SPNs, Kerberos authentication is not possible.

An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.

This is why SPNs are so crucial to constrained delegation (discussed later). When you set up a computer for delegation, one step of the process is to list the services on other computers that the computer is allowed to delegate to. This list forms a type of ACL. The services running on the other computers are identified by the SPNs that are issued to those services.

Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only."

In general, SPNs should be set at the time of account creation. Setting an SPN on an account is as important—from a security standpoint—as creating that account. Special accounts that were created for services are useless until an SPN is set on those accounts for whatever service will be running under them.

The following table lists, in alphabetical order, the built-in SPNs that are recognized for computer accounts.

Built-in SPNs Recognized for Computer Accounts

 

SPN SPN SPN SPN

alerter

http

policyagent

scm

appmgmt

ias

protectedstorage

seclogon

browser

iisad

rasman

snmp

cifs

min

remoteaccess

spooler

cisvc

messenger

replicator

tapisrv

clipsrv

msiserver

rpc

time

dcom

mcsvc

rpclocator

trksvr

dhcp

netdde

rpcss

trkwks

dmserver

netddedsm

rsvp

ups

dns

netlogon

samss

w3svc

dnscache

netman

scardsvr

wins

eventlog

nmagent

scesrv

www

eventsystem

oakley

schedule

 

fax

plugplay

 

 

These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs.

Requirements for setting an SPN

Because multiple services can run simultaneously under the same account, setting an SPN requires four unique pieces of information. These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

For each SPN that is set, the following information is required:

  • The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.
  • The account under which the service is running.
  • The computer on which the service is running, including any aliases that point to that computer.
  • The port on which the service is running (optional if the default port for the service of that type is used such as port 80 for HTTP).

The syntax of an SPN itself is service/hostname:port, where:

  • Service is the service class of the SPN.
  • Hostname is the computer to which the SPN belongs.
  • Port is the port on which the service that the SPN is registered to runs.

KDC key version numbers

Users can change their passwords, and therefore their keys, at any time. This poses a problem for all existing credentials that are encrypted with the older key, because the credentials would no longer be usable if the user expected to use the new key. Although this is merely inconvenient to users—who can simply get new tickets—long-running services such as batch jobs would be interrupted if there was no one available to get a new ticket with the new key for the job. To address this problem, clients keep a copy of their older key for a period of time after switching to a new password.

When parties exchange encrypted communications, they need a way to determine which keys to use to decrypt the data they have received. If there is only one key, this is easy. However, when there are many keys, some of which correspond to the same account—such as when passwords are changed—then this task becomes difficult. One way to find the right key is to try all available keys, but this wastes time and computing resources, particularly if the client has many keys to try.

To streamline this process, encrypted data includes a header that has information including a sort of serial number that is associated with the key and the encryption type used to encrypt the data. When a client receives an encrypted communication, it includes information about whose key set to use, as well as which particular key version to use to decrypt the data. This way, even if a ticket is encrypted with an older key, the recipient can still decrypt it by looking at the key version number, finding the correct key version, and decrypting the ticket. Eventually, tickets with outdated keys expire, and the system gradually shifts to using the new key in all cases, creating no problems for the user.

New to Windows Server 2003 is the read-only attribute ms-DS-KeyVersionNumber. When a password is changed, the key version number is incremented and the current value can be queried using ms-DS-KeyVersionNumber. Windows 2000 KDCs will always issue tickets with a key version number equal to 1. Windows Server 2003 KDCs only keep track of the latest key version number for a principal account because there is no reason for the KDC to use outdated keys.

Key version numbers also enable Windows Server 2003 to provide more informative errors when a message cannot be decrypted. In general cases, when information can not be decrypted, the system provides the error KRB_AP_ERR_MODIFIED, meaning that the encrypted information is not accessible, but with no further information. For example, the data could have been modified in transit, the data could have been malformed initially, or there could be no available key. Each of these possible causes requires troubleshooting at different locations and using different techniques.

On the other hand, using key version numbers can enable the system to communicate the source of the failure. For example, if the client has no key to match the key version number included in the header, the system responds with the error KRB_AP_ERR_BADKEYVER. This error message specifically informs the client that the appropriate key version is not available. The client can then resolve the failure by resetting the password, which resets the keys.

The key version number is generated each time a password is changed on long-lived keys—such as the key that results from a user password, the keys for computer accounts, or the keys for domain trusts. Key version numbers also are provided because they are required for compliance with the Kerberos RFC (1510).

Key version numbers are constructed from the update logon timestamp attribute which is updated in the SAM when a password is changed. The update logon timestamp is a 32-bit value that identifies the version of the keys generated from the password. Key version number functionality based on update logon timestamps is only available in domains that have Windows Server 2003 domain functionality.

Kerberos Realms and Active Directory Domains

With the release of Windows 2000, Active Directory domains became the implementation of Kerberos realms.

The RFC 1510 describes Kerberos realms and their organization as follows:

"The Kerberos protocol is designed to operate across organizational boundaries. A client in one organization can be authenticated to a server in another. Each organization wishing to run a Kerberos server establishes its own 'realm.'"

"Realms are typically organized hierarchically. Each realm shares a key with its parent and a different key with each child. If an inter-realm key is not directly shared by two realms, the hierarchical organization enables an authentication path to be easily constructed. If a hierarchical organization is not used, it might be necessary to consult some database in order to construct an authentication path between realms."

"Although realms are typically hierarchical, intermediate realms might be bypassed to achieve cross-realm authentication through alternative authentication paths (these might be established to make communication between two realms more efficient). It is important for the end-service to have information about which realms were transited when deciding how much faith to place in the authentication process. To facilitate this decision, a field in each ticket contains the names of the realms that were involved in authenticating the client."

It is clear from the RFC's discussion that the concept of Kerberos realms has similarities—such as organizational boundaries and trusts—to attributes of the Windows NT domains. Active Directory domains use inter-realm-key-based trusts and a hierarchical design. These inter-realm (also called inter-domain) keys are the basis of transitive trust in Active Directory domains.

Note

  • In literature documenting Windows operating systems, the term "domains" might be used in place of place of the term "realms." In such cases, the term "realms" will be used to denote non-Windows Kerberos realms in the environment.

In Kerberos authentication, Active Directory domains fulfill all the requirements of Kerberos realms.

Kerberos Processes and Interactions

This subsection will cover the following topics:

  • Kerberos V5 exchange and message summary
  • Windows Server 2003–based examples:
    • Local logon
    • Domain logon
    • Single domain authentication
    • Simple cross-domain authentication
    • Cross-realm authentication and shortcut trusts
    • Untrusted domain
    • Delegation
  • Kerberos V5 message details:
    • Authentication service exchange
    • Ticket-granting service exchange
    • Client/server authentication exchange
    • Credentials message
  • Required technologies for Active Directory domains:
    • Kerberos and IP transport: UDP/TCP
    • DNS name resolution

Kerberos V5 Exchange and Message Summary

The RFC standard Kerberos version 5 authentication protocol communication sequences consist of six (five required and one optional) messages. These messages compose three types of exchanges (also known as sub-protocols), which are examined more closely later in this section.

Kerberos Exchange and Message Summary

Kerberos Exchange and Message Summary

The Authentication Service Exchange

1. Kerberos authentication service request (KRB_AS_REQ)

The client contacts the Key Distribution Center's authentication service for a short-lived ticket (a message containing the client's identity and—for Windows clients—SIDs) called a ticket-granting ticket (TGT). This happens at logon.

2. Kerberos authentication service response (KRB_AS_REP)

The authentication service (AS) constructs the TGT and creates a session key the client can use to encrypt communication with the ticket-granting service (TGS). The TGT has a limited lifetime. At the point that the client has received the TGT, the client has not been granted access to any resources, even to resources on the local computer.

Why use a TGT? Could the AS simply issue a ticket for the target server? Yes, but if the AS issued tickets directly, the user would have to enter a password for every new server/service connection. Issuing a TGT with a short lifespan (typically 10 hours) gives the user a valid ticket for the ticket-granting service, which in turn issues target-server tickets. The TGT's main benefit is that the user only has to enter a password once, at logon.

The Ticket-Granting Service Exchange

3. Kerberos ticket-granting service request (KRB_TGS_REQ)

The client wants access to local and network resources. To gain access, the client sends a request to the TGS for a ticket for the local computer or some network server or service. This ticket is referred to as the service ticket or service ticket. To get the ticket, the client presents the TGT, an authenticator, and the name of the target server (the Server Principal Name or SPN).

4. Kerberos ticket-granting service response (KRB_TGS_REP)

The TGS examines the TGT and the authenticator. If these are acceptable, the TGS creates a service ticket. The client's identity is taken from the TGT and copied to the service ticket. Then the ticket is sent to the client.

Note

  • The TGS cannot determine if the user will be able to get access to the target server. It simply returns a valid ticket. Authentication does not imply authorization.

The Client/Server Exchange

5. Kerberos application server request (KRB_AP_REQ)

After the client has the service ticket, the client sends the ticket and a new authenticator to the target server, requesting access. The server will decrypt the ticket, validate the authenticator, and for Windows services, create an access token for the user based on the SIDs in the ticket.

6. Kerberos application server response (optional) (KRB_AP_REP)

Optionally, the client might request that the target server verify its own identity. This is called mutual authentication. If mutual authentication is requested, the target server will take the client computer's timestamp from the authenticator, encrypt it with the session key the TGS provided for client-target server messages, and send it to the client.

Local Logon Example

Users can log on to computers with either a domain account or an account local to the computer. When the user logs on with an account local to the computer, the user's credentials are authenticated using the local account database. Because the local computer does not act as a KDC, and because local logon does not require network access (for example, to contact a KDC), local authentication uses NTLM to authenticate the account.

Local Logon Sequence

Local Logon Sequence
  1. After the Graphical Identification and Authentication (GINA) dynamic-link library has collected the user's logon information, it passes that information to the LSA for authentication.
  2. The LSA simply passes the information on to the SSPI.
  3. The SSPI does not determine whether the user is logging on locally or through a domain account. Because the Kerberos SSP is the default authentication provider, the authentication request is first passed to the Kerberos SSP.
  4. The Kerberos SSP verifies that the logon target name is the same as the local computer name. If so, the Kerberos SSP returns an error message to the SSPI that no logon servers are available, just as if it had checked the network for a KDC and found none.
  5. The SSPI now sends the request to the next security provider, NTLM. The authentication process used by the NTLM SSP is identical to versions used in Windows NT.

Domain Logon Example

If the user is a member of a domain, then the account database is on a domain controller. If you are logging on to one of the domain controllers for the domain you belong to, then the process it the same as for local logon as described above. If instead you are logging on to a member server or a domain controller of another domain, then Kerberos authentication will used if possible.

Users never directly access the system. The system impersonates the user and accesses resources based on the resource permissions granted to the user. This is a standard security feature of all versions of Windows NT, Windows 2000, and Windows Server 2003. The user logging on to a workstation never directly accesses even local resources. The local system impersonates the user just as a remote system would.

Because the local system relies on impersonation, the user who logs on to the domain must be authenticated as a valid local user. The only new component added to the domain logon process is Kerberos authentication prior to building an access token.

The authentication process for a domain user to access their computer is very similar to the process used to authenticate access to network resources—that is, the user must obtain a valid ticket for the local workstation.

  • The Kerberos client requests and then receives a TGT from the KDC.
  • The Kerberos client uses the TGT to request and then receive a service ticket for the local workstation from the KDC.
  • The service ticket for a network resource would be encrypted with the system or service key depending on whether the resource is a system or service. The workstation has a system key created when the computer joined the domain. The service ticket for the workstation is encrypted with this key.
  • The local LSA builds an access token from the credentials contained in the service ticket and then grants or denies the user access.

How Logging on the Workstation Works

Suppose the user has a network account in the domain tailspintoys.com. The user's workstation also belongs to tailspintoys.com. The user logs on to the network by pressing CTRL+ALT+DEL, which is the Secure Attention Sequence (SAS) on computers with a standard Windows configuration.

In response to the SAS, the workstation's Winlogon service switches to the logon desktop and calls the GINA DLL, a component loaded in Winlogon's process. The GINA is responsible for collecting logon data from the user, packaging it in a data structure, and sending everything to the LSA for verification. Other parties can develop replacement GINAs, but in this case Winlogon has loaded the standard component supplied with the operating system, MSGINA.DLL. Winlogon calls it, and the GINA displays the standard logon information dialog box.

The user types a user name and password. From the domains in a drop-down list, the user selects tailspintoys.com. When the user clicks OK to dismiss the dialog box, MSGINA returns the logon information to Winlogon. Winlogon sends the information to the LSA for validation by calling LsaLogonUser. This procedure is standard for any user logon regardless of the authentication method used.

At this point, the LSA begins to use the Kerberos V5 authentication protocol.

Kerberos Keys

Kerberos Keys

A user key is derived from a password. After it receives a data structure with the user's logon data, the LSA converts the plaintext password to a cryptographic key by passing the text of the password through a cryptographic function. (All implementations of the Kerberos version 5 authentication protocol must support DES-CBC-MD5. Other algorithms are permissible.) The result of the cryptographic function is the user key.

The LSA saves the user key in the user credentials cache, where it can be retrieved when needed for TGT renewal or for NTLM authentication to servers that are not capable of Kerberos authentication.

In order to validate the user's logon information and set up the user's logon session on the computer, the LSA must obtain:

  • A TGT good for admission to the ticket-granting service.
  • A service ticket good for admission to the computer.

The LSA obtains these tickets by working through the Kerberos SSP, which exchanges messages directly with the KDC in tailspintoys.com. (The workstation has located a KDC through a DNS query. Every domain controller is a KDC and registers its role with DNS.)

The TGT is obtained in an authentication service (AS) exchange; the service ticket is obtained in a ticket-granting service (TGS) exchange.

Obtaining a TGT in the authentication service exchange

Message 1: Authentication Service Request

Message 1: Authentication Service Request

The Kerberos client on the workstation sends the message KRB_AS_REQ to the KDC in tailspintoys.com.

The message includes:

  • The user principal name.
  • The name of the account domain.
  • Pre-authentication data encrypted with the user's key derived from the user's password.

Retrieving the user key

The KDC gets its copy of the user key from the user's record in its account database. When it receives a request from the Kerberos client on the user's workstation, the KDC searches its database for the user, pulls up the account record, and takes the user key from a field in the record.

This process—computing one copy of the key from a password, fetching another copy of the key from a database—actually takes place only once, when a user initially logs on to the network. Immediately after accepting the user's password and deriving the user's long-term key, the Kerberos client on the workstation requests a service ticket and TGS session key that it can use in subsequent transactions with the KDC during this logon session.

Verifying the user's identity

The KDC decrypts the pre-authentication data and evaluates the timestamp inside. If the timestamp passes the test, the KDC can be assured that the pre-authentication data was encrypted with the user key and thus verify that the user is genuine.

After it has verified the user's identity, the KDC creates credentials that the Kerberos client on the workstation can present to the ticket-granting service. For more information about how domain controllers create credentials in a Windows environment, see "How Access Tokens Work" in the Access Tokens Technical Reference.

Message 2: Authentication Service Reply

Message 2: Authentication Service Reply

The KDC replies with KRB_AS_REP containing a service ticket for itself. This special service ticket is called a ticket-granting ticket (TGT). Like an ordinary service ticket, a TGT contains a copy of the session key that the service (in this case the KDC) will use in communicating with the user. The message that returns the TGT to the user also includes a copy of the session key that the user can use in communicating with the KDC. The TGT is encrypted in the KDC's long-term key. The user's copy of the session key is encrypted in the user's long-term key.

KRB_AS_REP Message Contents

KRB_AS_REP Message Contents

The message includes:

  • A TGS session key for the user to use with the TGS, encrypted with the user key derived from the user's password.
  • A TGT for the KDC in tailspintoys.com, encrypted with the TGS key.
    The TGT includes:
    • A TGS session key for the KDC to use with the user.
    • Authorization data for the user.
    The authorization data includes:
    • The SID for the user's account.
    • SIDs for security groups which the user is a member of in the domain tailspintoys.com.
    • SIDs for universal groups in the enterprise that include either the user or one of the domain groups the user is a member of.

When the client receives the KDC's reply to its initial request, the client uses its cached copy of the user key to decrypt its copy of the session key. It can then discard the user key derived from the user's password, for it is no longer needed. In all subsequent exchanges with the KDC, the client uses the TGS session key. Like any other session key, this key is temporary, valid only until the TGT expires or the user logs off. For that reason, the TGS session key is often called a logon session key.

From the client's point of view, a TGT is just another ticket. Before the client attempts to connect to any service, the client first checks the user credentials cache for a service ticket to that service. If it does not have one, it checks the cache again for a TGT. If it finds a TGT, the LSA fetches the corresponding logon session key from the cache, uses this key to prepare an authenticator, and sends both the authenticator and the TGT to the KDC, along with a request for a service ticket for the service. In other words, gaining admission to the KDC is no different from gaining admission to any other service in the domain—it requires a session key, an authenticator, and a ticket (in this case, a TGT).

From the KDC's point of view, TGTs enable the KDC to avoid the performance penalties of looking up a user's long term key every time the user requests a service. The KDC looks up the user key only once, when it grants an initial TGT. For all other exchanges with this user, the KDC can decrypt the TGT with its own long-term key, extract the logon session key, and use that to validate the user's authenticator.

Obtaining a service ticket in the ticket-granting service exchange

Message 3: Ticket-Granting Service Request

Message 3: Ticket-Granting Service Request

The Kerberos client sends the message KRB_TGS_REQ to the KDC in tailspintoys.com.

The message includes:

  • The name of the target computer.
  • The name of the target computer's domain.
  • The user's TGT.
  • An authenticator encrypted with the session key the user shares with the KDC.

Message 4: Ticket-Granting Service Reply

Message 4: Ticket-Granting Service Reply

The KDC responds to the user's request to connect to a server by sending both copies of the session key to the user. The user's copy of the session key is encrypted with the key that the KDC shares with the user. The workstation's copy of the session key is embedded, along with information about the user, in a data structure called a service ticket. The entire structure is then encrypted with the key that the KDC shares with the user. The ticket—with the user's copy of the session key safely inside—becomes the workstation's responsibility to manage.

KRB_TGS_REP Message Contents

KRB_TGS_REP Message Contents

The KRB_TGS_REP message includes:

  • A session key for the user to share with the computer encrypted with the session key the user shares with the KDC.
  • The user's service ticket to the computer, encrypted with the computer's secret key.
    The service ticket includes:
    • A session key for the computer to share with the user.
    • Authorization data copied from the user's TGT.

When the Kerberos client receives the KDC's reply, it extracts the ticket and the user's copy of the session key, putting both in the user credentials cache (located in volatile memory, not on disk).

Note

  • The KDC is simply providing a ticket-granting service. It does not keep track of its messages to make sure they reach the intended address. No harm will be done if the KDC's messages fall into the wrong hands. Only someone who knows the user's secret key can decrypt the user's copy of the session key. Only someone who knows the client's secret key can read what is inside the ticket.

Getting the User's Credentials to Winlogon

Getting the User's Credentials to Winlogon

After credentials reach the workstation, the Windows Server 2003 access token creation process is the same as that of Windows NT versions. The LSA on the workstation receives the user's service ticket, decrypts the service ticket with the system key stored in its credentials cache, and then extracts the authorization data. The privilege attribute certificate (PAC) is taken from the service ticket and used to create the user's access token. The LSA then queries the local SAM database to discover whether the user is a member of any security groups local to the computer, and whether memberships in those groups grant the user any special rights on the local computer. It adds any SIDs returned by this query to the list taken from the ticket's authorization data. The entire list is then used to build an access token, and a handle to the access token is returned to Winlogon, along with an identifier for the user's logon session and confirmation that the logon information was valid.

Winlogon creates a window station and several desktop objects for the user, attaches the user's access token, and starts the shell process the user will use to interact with the computer. The user's access token is subsequently inherited by any application process that the user starts during the logon session.

When the user logs off, the credentials cache is flushed and all service tickets—as well as all session keys—are destroyed.

Single Domain Authentication Example

The process used to access resources and services on another system works basically the same as the logon example above except that the service ticket will need to be sent to the remote system. Except for the Kerberos authentication, security access checks are nearly identical with those of Windows NT 4.0 and earlier versions.

In the following example, both the user and service are in tailspintoys.com, the user has already logged on, and the user has requested and received a ticket for the workstation. The client wants to access \\server\shared folder to read a file. The process follows this sequence:

  • Client and server negotiate a security package to use for authentication. They choose Kerberos.
  • The client sends the service ticket (containing user credentials in the PAC) to the server.
  • If the server accepts the ticket (that is, is able to decrypt the ticket with its secret key), then the server creates an access token for the user based on the PAC.
  • The client redirector sends a server message block (SMB) message requesting file access.
  • Server security compares file permissions with the user's credentials and grants or denies access.

After Workstation Logon

After Workstation Logon

When the user attempts to use the service on the remote server, the user has already logged on to the local workstation. Thus, the user's credentials cache will have a TGT and a session key for the domain the user's account resides in. This TGT is used to request a ticket for the service.

Message 3: KRB_TGS_REQ

Message 3: KRB_TGS_REQ

Because the TGT will expire within a few hours, the Kerberos client must check the expiration time before requesting additional tickets. If the TGT is expired, then the Kerberos client must send a KRB_AS_REQ to get another TGT.

The Kerberos client on the user's workstation requests credentials for the service by sending the KDC a Kerberos ticket-granting service request (KRB_TGS_REQ). This message includes the user's name, an authenticator encrypted with the user's logon session key, the TGT obtained in the AS exchange from workstation logon, and the name of the service for which the user wants a ticket.

Note

  • The KRB_TGS_REQ message will typically be sent to the same domain controller that issued the TGT. However, TGS requests can be made to any domain controller. Thus, if the original KDC becomes unavailable, the client can discover a new KDC through a DNS query and then send a KRB_TGS_REQ there.

When the KDC receives KRB_TGS_REQ, it decrypts the TGT with its own secret key, extracting the user's TGS session key (logon session key). It uses the session key to decrypt the authenticator and evaluates that. If the authenticator passes the test, the KDC extracts the user's authorization data from the TGT and creates another session key for the client to use with the service. The KDC encrypts one copy of this new session key with the user's TGS session key. It embeds another copy of the session key in a ticket, along with the user's authorization data, and encrypts the ticket with the service's key. The KDC then sends these credentials back to the client in a Kerberos ticket-granting service reply (KRB_TGS_REP).

Message 4: KRB_TGS_REP

Message 4: KRB_TGS_REP

When the Kerberos client receives the reply, it uses the user's TGS session key to decrypt the session key to use with the service, and stores the key in its credentials cache. Then it extracts the ticket to the service and stores that in its cache.

Message 5: Kerberos Application Request (KRB_AP_REQ)

Message 5: KRB_AP_REQ

The Kerberos client on the user's workstation requests service from the service by sending the service a Kerberos application request (KRB_AP_REQ).

KRB_AP_REQ Message Contents

KRB_AP_REQ Message Contents

This message contains:

  • An application option flag indicating whether to use session key. (The setting of this flag is one of the options in configuring Kerberos applications. The user is never asked.)
  • An application option flag indicating whether the client wants mutual authentication.
  • The service ticket obtained in the TGS exchange.
  • An authenticator encrypted with the session key for the service.

Message 6: KRB_AP_REP (Optional)

Message 6: KRB_AP_REP (Optional)

The service receives KRB_AP_REQ, decrypts the ticket, and extracts the user's authorization data and the session key. The service uses the session key to decrypt the user's authenticator and then evaluates the timestamp inside. If the authenticator passes the test, the service looks for a mutual authentication flag in the client's request. If the flag is set, the service uses the session key to encrypt the time from the user's authenticator and returns the result in a Kerberos application reply (KRB_AP_REP). If the flag is not set, then no response is needed.

When the client on the user's workstation receives KRB_AP_REP, it decrypts the service's authenticator with the session key it shares with the service and compares the time returned by the service with the time in the client's original authenticator. If the times match, the client knows that the service is genuine.

Building an access token from a Kerberos service ticket

After credentials reach the server, the Windows Server 2003 token creation process is the same as that of earlier Windows versions. After the server authenticates the client using Kerberos authentication, the PAC is taken from the service ticket and used to create the user's access token.

Remote resource authorization

After the service has an access token for the user, it still needs to verify that the user is authorized to do what the user wants to do. Except for the Kerberos authentication, security access checks are nearly identical with those of Windows NT 4.0 and earlier versions:

  1. The client redirector sends an SMB message requesting file access.
  2. Server security compares file permissions with the user's credentials and grants or denies access.
  3. If access is granted, the connection proceeds.

During the connection, the session key can be used to encrypt application data, or the client and server can share another key for this purpose.

Simple Cross-Realm Authentication and Examples

The functions of the KDC are divided into two distinct services: an authentication service whose job is to issue TGTs, and a ticket-granting service whose job is to issue service tickets. This division of labor enables the Kerberos protocol to operate across domain boundaries. A client can get a TGT from the authentication service of one domain and use it to get service tickets from the ticket-granting service of another domain.

The Basic TGS Referral Process

Clients typically need to request access to services outside of a single Kerberos realm. Whether in a pure Active Directory forest or in a mixed Kerberos environment, the referral process is the same. When a client requests a service ticket for a server in a remote Kerberos realm, the request is sent to the KDC in the client account's realm. The KDC determines that the server is in another realm, so it cannot issue a service ticket. This can only be done by a KDC in the target server's realm. So, instead of issuing the service ticket, the KDC in the client account's realm issues a TGS referral.

The TGS referral message is a normal KRB_TGS_REP message containing:

  • A TGT for another trusted realm.
  • Information indicating the KRB_TGS_REP is a referral to another TGS.

The client recognizes that the KRB_TGS_REP is a referral message and sends the TGT in a new KRB_TGS_REQ message to the remote realm to get the service ticket it needs.

Cross-Realm Authentication Between Two Realms

Cross-Realm Authentication

To understand how cross-realm authentication works, first consider the simplest case: a network with only two realms, East and West. If administrators for these realms are members of the same organization, or if for some other reason they are willing to treat the other realm's users as their own, they can enable authentication across realm boundaries simply by sharing an inter-realm key. (In Active Directory domains this happens automatically when two domains establish a trust relationship.) After the inter-realm key is shared, the ticket-granting service of each realm is registered as a security principal with the other realm's KDC. As a result, the ticket-granting service in each realm can treat the ticket-granting service in the other realm as just another service, something for which properly authenticated clients can request and receive service tickets.

When a user with an account in West wants access to a server with an account in East, the process is:

  1. The Kerberos client on the user's workstation sends a request for a service ticket to the ticket-granting service in the user account's realm, West.
  2. The ticket-granting service in West determines that the desired server is not a security principal in its realm, so it replies by sending the client a referral ticket—a TGT encrypted with the inter-realm key that the KDC in West shares with the KDC in East.
  3. The client uses the referral ticket to prepare a second request for a service ticket, and this time sends the request to the ticket-granting service in the server account's realm, East.
  4. The ticket-granting service in East uses its copy of the inter-realm key to decrypt the referral ticket. If decryption is successful, it sends the client a service ticket to the desired server in its domain.

Three-Realm Referral Example

The referral process is more complicated on networks with more than two realms. In theory, the KDC in each realm could establish a direct link to the KDC in every other realm on the network, in each case sharing a different inter-realm key. In practice, however, the number and complexity of these relationships could become unmanageable, especially on a large network. The Kerberos protocol solves the problem by making direct links unnecessary. A client in one realm can get a ticket to a server in another realm by traveling a referral path through one or more intermediate realms.

Three-Realm Referral

Three-Realm Referral

For example, consider a network with three realms, east.tailspintoys.com, west.tailspintoys.com, and tailspintoys.com. The KDC in east.tailspintoys.com does not share an inter-realm key with the KDC in west.tailspintoys.com, but both KDCs do share inter-realm keys with tailspintoys.com. In this case, when a user with an account in west.tailspintoys.com wants access to a server with an account in east.tailspintoys.com, the referral path begins at the KDC for the user account's realm, west.tailspintoys.com, passes through an intermediate realm, tailspintoys.com, and ends at the KDC for the server account's realm, east.tailspintoys.com. The client must send its request for a service ticket three times, to three different KDCs. The three TGS exchanges are:

  1. The client requests the KDC for west.tailspintoys.com to give it a ticket to the server in east.tailspintoys.com.
    The KDC for west.tailspintoys.com replies by sending the client a referral ticket to the KDC for tailspintoys.c