Kerberos V5 Overview and Benefits

Jun 20, 2025

Overview

This lecture covers the Kerberos V5 authentication protocol, its benefits, components, dependencies, and its implementation in Windows Server 2003.

Introduction to Kerberos Authentication

  • Kerberos V5 provides secure mutual authentication between clients and servers.
  • Implemented in Windows Server 2003 as a Security Support Provider (SSP).
  • Uses Active Directory as its account database and is accessed through the Security Support Provider Interface (SSPI).

Benefits and Features of Kerberos

  • More secure, flexible, and efficient than NTLM authentication.
  • Supports delegation: a service can impersonate the client when it connects to other systems, which NTLM cannot do.
  • Supports renewable session tickets for seamless logon sessions.
  • Allows mutual authentication: servers and clients verify each other's identity.
  • Supports public key extensions for smart card logon.

Kerberos V5 Protocol and Standards

  • Adheres to Internet Engineering Task Force (IETF) RFC standards for interoperability.
  • Original protocol developed at MIT, now a widely accepted open standard.
  • Implements standards from RFC 1510 and token mechanisms from RFC 1964.

Kerberos Authentication Process

  • Verifies user identity, protects the user name inside the ticket, and delivers credentials securely.
  • Relies primarily on symmetric encryption (shared secret keys), with limited use of asymmetric (public/private key) cryptography for authentication.
  • Uses authenticators with unique timestamps to prevent ticket replay attacks.
  • Only authenticates identity; authorization is handled separately by the Local Security Authority (LSA).
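As an added illustration (not code from the lecture or from Windows), the following Python model shows the server-side check that gives the authenticator timestamp its value: reject authenticators outside the acceptable clock skew, and reject any (client, timestamp, microsecond) tuple that has already been seen. The 5-minute skew window, the principal names and the timestamps are constructed assumptions; the error names are the ones defined in RFC 1510.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)  # typical default; the real value is a KDC/host policy setting

@dataclass(frozen=True)
class Authenticator:
    """Simplified authenticator; the real one is ASN.1 and is encrypted under the session key."""
    client: str      # client principal name
    ctime: datetime  # client's clock at the time of the request, whole seconds
    cusec: int       # microsecond part; (client, ctime, cusec) is unique per request

class AuthenticatorError(Exception):
    """Carries the RFC 1510 error name the server would send back."""

@dataclass
class ReplayCache:
    seen: dict = field(default_factory=dict)  # (client, ctime, cusec) -> forget-after time

    def prune(self, now: datetime) -> None:
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}

def verify_authenticator(auth: Authenticator, now: datetime, cache: ReplayCache) -> bool:
    """Server-side freshness and replay check, done after decrypting the authenticator."""
    if abs(now - auth.ctime) > MAX_CLOCK_SKEW:
        raise AuthenticatorError("KRB_AP_ERR_SKEW")    # clocks too far apart: why time sync is mandatory
    cache.prune(now)
    key = (auth.client, auth.ctime, auth.cusec)
    if key in cache.seen:
        raise AuthenticatorError("KRB_AP_ERR_REPEAT")  # same authenticator presented twice
    cache.seen[key] = now + MAX_CLOCK_SKEW             # entry only needs to outlive the skew window
    return True

def demo() -> list:
    """Runs three constructed requests against one replay cache and returns each outcome."""
    now = datetime(2025, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    fresh = Authenticator("alice@EXAMPLE.COM", now - timedelta(seconds=30), 4242)
    stale = Authenticator("alice@EXAMPLE.COM", now - timedelta(minutes=6), 7)
    outcomes = []
    for auth in (fresh, fresh, stale):  # the second 'fresh' is a replay of the first
        try:
            verify_authenticator(auth, now, cache)
            outcomes.append("accepted")
        except AuthenticatorError as err:
            outcomes.append(str(err))
    return outcomes  # ['accepted', 'KRB_AP_ERR_REPEAT', 'KRB_AP_ERR_SKEW']
```

The skew rejection is the reason the dependencies below list time synchronization as mandatory: a correctly behaving client whose clock drifts past the window is indistinguishable from a replayed request.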

Kerberos Architecture and Components

  • Main components: Kerberos.dll (SSP), Kdcsvc.dll (KDC), Ksecdd.sys (driver), Lsasrv.dll (LSA server), Secur32.dll (SSPI).
  • Kerberos.dll is the preferred authentication method for interactive logon and services.
  • Supports various Windows services: LDAP, RPC, print, file sharing (CIFS/SMB), DFS, IIS, IPSec, and certificate services.

Dependencies and Requirements

  • Requires Active Directory with domain user and computer accounts; local/NT accounts and Windows NT 4.0 are not supported.
  • Needs TCP/IP connectivity and functioning DNS for FQDN resolution.
  • Time synchronization across domains is mandatory for correct ticket validation.
  • Service Principal Names (SPNs) must be set for all services using Kerberos to allow client identification.

Key Terms & Definitions

  • Kerberos — A network authentication protocol using tickets and symmetric encryption.
  • SSP (Security Support Provider) — A module that implements an authentication protocol in Windows.
  • KDC (Key Distribution Center) — Service providing tickets for authentication.
  • Active Directory — Directory service storing security account information.
  • SPN (Service Principal Name) — Unique identifier for services requiring Kerberos authentication.
  • Authenticator — Unique, one-use structure with timestamps to prevent ticket replay attacks.

Action Items / Next Steps

  • Review documentation on how renewable session tickets work.
  • Ensure network services have properly set SPNs.
  • Verify all systems are synchronized to the same time source.
  • Read referenced RFCs (1510 and 1964) for protocol details if needed.