While Windows IT professionals deal with security on a daily basis, very few understand the under-the-hood protocol, Kerberos. Kerberos is a security protocol in Windows introduced in Windows 2000 to replace the antiquated NTLM used in previous versions of Windows.
Kerberos has several important advantages:
- is very secure, preventing various types of intrusion attacks
- uses “tickets” that can be securely presented by a client or a service on the client’s behalf to a server for access to services
- permits Cross-Forest Trusts to use transitive properties and eliminate the “full mesh” scenario; all domains in both forests establish a trust with a single Kerberos trust at the root
- permits interoperability with other Kerberos realms such as Unix; this permits non-Windows clients to authenticate to Windows domains and gain access to resources
- provides authentication across the Internet for Web apps
Therefore, it’s important to have a good understanding of how the Kerberos protocol works and be familiar with the details of the security functions. This will help with diagnosing a variety of security issues. In addition, IT professionals should understand how Windows Time Service works because Kerberos security is highly dependent on time services.
There are three components to Kerberos: the client, a service and a third-party that both client and service trust. We love the statement made by Fulvio Ricardi in his Kerberos Protocol Tutorial: Kerberos is “… an authentication protocol for trusted clients on untrusted networks.” So, if Kerberos is designed to trust on an untrusted network, it should be even more effective on a trusted corporate network.