If the policy for the Kerberos realm allows proxy tickets, the KDC sets the proxiable flag in the TGT it sends to the client. When the client requests a ticket for server two, it sets the option stating that it wants a proxy ticket and includes the name of server one, the server that will act on behalf of the client. The KDC generates the ticket for server two, sets the proxy flag, and sends it to the client. The client then sends the ticket to server one, which uses the ticket to access server two on behalf of the client. A proxy ticket is good only for server two; server one cannot use it to reach any other service. Figure 3.5 shows the process for proxy tickets.
Figure 3.5 These are the steps used for proxy tickets.
If the client does not know the name of server two, it cannot request a proxy ticket. This is where forwarded tickets are used. Forwarded tickets operate on the principle that the client gives server one a TGT that server one can use to request tickets for other servers when necessary. The client requests a forwardable TGT from the KDC, notifying the KDC of the name of the server, in this case server one, that is authorized to act on behalf of the client. The KDC generates the forwardable TGT for server one and sends it back to the client. The client then sends the forwardable TGT to server one. When server one wants to contact another server such as server two, it sends the client's TGT to the KDC. The KDC detects that the TGT is forwardable, so it creates a forwarded ticket for server two and sends the ticket to server one. Server one can then use that ticket to access server two on behalf of the client. Because a forwarded TGT lets server one obtain tickets for any service in the client's name, it grants server one far more than a proxy ticket does, and a compromise of server one exposes correspondingly more. Figure 3.6 shows the steps taken for forwarded tickets.
Figure 3.6 These are the steps used for forwarded tickets.
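The two exchanges above, as an added example that is not code from the book: a toy model of a KDC that issues TGTs with the PROXIABLE and FORWARDABLE flags according to realm policy, hands out service tickets carrying the PROXY or FORWARDED flag, and lets a service decide whether to accept a ticket presented by someone other than the client. The principal names (alice, web, db) are made up, and the bearer field is an assumption of this model standing in for the server the text says the client names; real Kerberos restricts proxy tickets by the addresses listed in the ticket rather than by a server name.

```python
"""Toy model of Kerberos proxy and forwarded tickets (added example, not from the book).

Flag names follow RFC 1510: PROXIABLE/PROXY and FORWARDABLE/FORWARDED. The
``bearer`` field is a simplification of this model: it records the server the
client named as the one allowed to act on its behalf.
"""
from dataclasses import dataclass, field
from typing import Optional, Set
import secrets


class KerberosError(Exception):
    """The KDC or a service rejected a request."""


@dataclass
class Ticket:
    client: str                       # principal the ticket identifies
    service: str                      # "krbtgt" marks a ticket-granting ticket
    flags: Set[str] = field(default_factory=set)
    bearer: Optional[str] = None      # server allowed to present the ticket for the client
    session_key: str = field(default_factory=lambda: secrets.token_hex(8))

    @property
    def is_tgt(self) -> bool:
        return self.service == "krbtgt"


class KDC:
    """Realm policy decides whether proxiable or forwardable TGTs are issued at all."""

    def __init__(self, allow_proxy: bool, allow_forwarding: bool):
        self.allow_proxy = allow_proxy
        self.allow_forwarding = allow_forwarding

    def as_exchange(self, client: str, want_proxiable: bool = False,
                    forward_to: Optional[str] = None) -> Ticket:
        """Authentication Service exchange: issue the client a TGT."""
        flags: Set[str] = set()
        if want_proxiable and self.allow_proxy:
            flags.add("PROXIABLE")
        if forward_to is not None and self.allow_forwarding:
            flags.add("FORWARDABLE")
        # The named server is recorded even if policy withheld the flag; the
        # KDC will refuse the TGT later when that server tries to use it.
        return Ticket(client, "krbtgt", flags, forward_to)

    def tgs_exchange(self, presenter: str, tgt: Ticket, service: str,
                     proxy_for: Optional[str] = None) -> Ticket:
        """Ticket Granting Service exchange: trade a TGT for a service ticket."""
        if not tgt.is_tgt:
            raise KerberosError("only a TGT can be used to request service tickets")
        flags: Set[str] = set()
        bearer = None
        if presenter == tgt.client:
            # The client asks for itself. A proxy ticket needs a proxiable TGT,
            # the target service (so the client must already know server two's
            # name) and the name of the server that will present the ticket.
            if proxy_for is not None:
                if "PROXIABLE" not in tgt.flags:
                    raise KerberosError("TGT is not proxiable")
                flags.add("PROXY")
                bearer = proxy_for
        else:
            # Someone other than the client presents the TGT: allowed only for a
            # forwardable TGT, and only by the server the client named.
            if "FORWARDABLE" not in tgt.flags or tgt.bearer != presenter:
                raise KerberosError(f"{presenter} may not use {tgt.client}'s TGT")
            flags.add("FORWARDED")
            bearer = presenter
        return Ticket(tgt.client, service, flags, bearer)


def service_accepts(service: str, presenter: str, ticket: Ticket) -> bool:
    """Would `service` accept `ticket` when `presenter` shows it?"""
    if ticket.service != service:
        return False
    if presenter == ticket.client:
        return True                    # the client using its own ticket
    return ticket.bearer == presenter and bool({"PROXY", "FORWARDED"} & ticket.flags)


def proxy_flow(kdc: KDC, client: str, server_one: str, server_two: str):
    """Figure 3.5: the client knows server two's name and asks for a proxy ticket."""
    tgt = kdc.as_exchange(client, want_proxiable=True)
    ticket = kdc.tgs_exchange(client, tgt, server_two, proxy_for=server_one)
    # The client hands the proxy ticket to server one, which presents it to server two.
    return service_accepts(server_two, server_one, ticket), ticket


def forwarded_flow(kdc: KDC, client: str, server_one: str, server_two: str):
    """Figure 3.6: the client hands server one a forwardable TGT; server one picks the target."""
    tgt = kdc.as_exchange(client, forward_to=server_one)
    # Server one, not the client, asks the KDC for a ticket to server two.
    ticket = kdc.tgs_exchange(server_one, tgt, server_two)
    return service_accepts(server_two, server_one, ticket), tgt, ticket


def rejected(fn, *args, **kwargs) -> bool:
    """True if the exchange is refused with a KerberosError."""
    try:
        fn(*args, **kwargs)
    except KerberosError:
        return True
    return False


if __name__ == "__main__":
    kdc = KDC(allow_proxy=True, allow_forwarding=True)
    print("proxy ticket accepted by db:", proxy_flow(kdc, "alice", "web", "db")[0])
    print("forwarded ticket accepted by db:", forwarded_flow(kdc, "alice", "web", "db")[0])
    strict = KDC(allow_proxy=False, allow_forwarding=False)
    print("strict realm refuses proxy:", rejected(proxy_flow, strict, "alice", "web", "db"))
```

The model makes the scope difference visible: a proxy ticket names one service and one bearer, so server one cannot turn it into anything else at the KDC, whereas a forwardable TGT lets server one request tickets for any service as the client.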
Kerberos and Windows 2000
The Kerberos implementation in Windows 2000 is called Microsoft Kerberos because Microsoft added its own extensions. Microsoft Kerberos only authenticates the identity of the user; it does not authorize access.
After the identity of the user has been verified by Microsoft Kerberos, the Local Security Authority (LSA) authorizes or denies access to the resource.
For Managers Only
How Microsoft Kerberos Interoperates with Other Kerberos Implementations
A key concern for managers planning on implementing Windows 2000 into their existing networks that utilize Kerberos is the interoperability of the different flavors of Kerberos. Microsoft has tested various scenarios between Microsoft Kerberos and the Massachusetts Institute of Technology (MIT) implementation of Kerberos. Their findings are:
• Clients that are not Windows-based can authenticate to a Windows 2000 KDC.
• Windows 2000 systems can authenticate to the KDC in an MIT-based Kerberos realm.
• Windows 2000 client applications can authenticate to Kerberos services running on systems that are not Windows-based as long as the service supports the Generic Security Service API (GSS-API). Windows 2000 uses the Security Support Provider Interface (SSPI), which is compatible with the GSS-API.
• Client applications on Kerberos systems that do not use Windows can authenticate to services on Windows 2000 systems as long as the client application supports the GSS-API.
• Windows 2000 domains can trust MIT-based Kerberos realms, and MIT-based Kerberos realms can trust Windows 2000 domains, when everything is configured appropriately.
http://corpitk.earthweb.com/reference/pro/1928994024/ch03/03-06.html (2 of 3) [8/3/2000 6:51:59 AM]
Configuring Windows 2000 Server Security:Kerberos Server Authentication
Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT, Debra Littlejohn Shinder, MCSE, MCP+I, MCT, D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.


ISBN: 1928994024 Pub Date: 06/01/99


Key Distribution Center

The KDC is integral to the operation of Kerberos, and Windows 2000 implements the KDC as a domain service, as shown in Figure 3.7. The KDC uses Active Directory as the source of its account database (see Chapter 4).