MORE INFORMATION
Question
Is the Windows 2000 Kerberos implementation interoperable with
other Kerberos implementations?
Answer
The Windows 2000 implementation of Kerberos was developed based
on the following RFCs:
Kerberos
http://www.ietf.org/rfc/rfc1510.txt?number=1510GSSAPI Kerberos V5 Mechanism
http://www.ietf.org/rfc/rfc1964.txt?number=1964
Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicate that
interoperability exists for a number of scenarios that are described in the
following Windows 2000 Kerberos Interoperability whitepaper:
Interoperability testing has also occurred with Heimdal,
CyberSafe, IBM and Sun implementations.
The Microsoft Windows 2000
Kerberos implementation is compliant with the following RFCs:
The Microsoft Windows 2000 implementation of Kerberos V5 does not
contain support for Kerberos V4.
Question
How do I setup a cross-realm trust to a Windows 2000 domain?
Answer
The steps are outlined in the Step-by-Step Guide to Kerberos 5
(krb5 1.0) Interoperability:
Question
Does Windows 2000 support Kadmin?
Answer
No, Windows 2000 supports Lightweight Directory Access Protocol
(LDAP) for account administration.
Question
What password changing protocol does Windows 2000 support for
Kerberos clients?
Answer
Windows 2000 implements the Kerberos Change Password protocol as
described in the Internet Draft draft-ietf-cat-kerb-chg-password-02.txt. This
protocol is also implemented in MIT krb5-1.1.1.
Note A copy of the Internet Draft referenced above can be found in the
sample file link at the bottom of this Web page link.
Question
How does Windows 2000 locate the Key Distribution Centers (KDCs)?
Answer
Windows 2000 clients use Domain Name System (DNS) SRV records to
locate domain controllers in a domain, and they attempt to resolve the
_ldap._tcp.dc._msdcs SRV records. Windows 2000 domain controllers also publish
SRV records for _kerberos and _kpasswd services. The list of published SRV
records can be found on a domain controller in the following file:
%Windir%\System32\Config\Netlogon.dns
Question
Does Windows 2000 support General Security Service Application
Programming Interface (GSSAPI) (
RFC-2743)?
Answer
Microsoft supports the Security Support Provider Interface (SSPI)
which is semantically similar to the GSSAPI, but syntactically different. For
additional information about SSPI, see the Microsoft Windows Platform SDK. The
protocol used by Kerberos Security Support Provider (SSP) is the same as that
used by the GSSAPI Kerberos5 mechanism defined in the following RFC:
Question
Does Windows 2000 support Krb5 Application Programming Interfaces
(API)s?
Answer
No. The only Kerberos interfaces that Windows 2000 supports are
through the SSPI and the LsaCallAuthenticationPackage() ticket interfaces
documented in the Windows Platform SDK. The SSPI interfaces are equivalent to
the Kerberos GSSAPI and produce an application that uses the GSSAPI/kerberos5
mechtype (
RFC-1964) on
the wire. The LsaCallAuthentication package interfaces provide a mechanism to
retrieve tickets from the Kerberos ticket cache.
Question
What extensions did Microsoft make to Kerberos?
Answer
Microsoft has implemented the following extensions which are
published as IETF Internet Drafts:
Kerberos Set Password protocol:
Question
What is in the Kerberos ticket authorization data?
Answer
The authorization data in the Kerberos ticket was intended by the
following RFC authors to implement vendor-specific authorization data:
Windows 2000 uses this field to hold data specific to its
distributed security mechanism. This is described in the Windows 2000 Server
Distributed Systems Guide pages 667-669. Information on intended use of the
authorization field is located in the following RFC:
Question
How does Windows 2000 keep system clocks synchronized?
Answer
Windows 2000 clients use the following version of Simple Network
Time Protocol (SNTP):
Time synchronization uses Universal Time Coordinate (UTC) which
is time zone independent. A computer determines its time source by following a
complex algorithm involving sites, domains, PDC FSMO, and Reliable Time
Servers. The time service is controlled by using the
net time
command. The act of joining a domain enables the Windows 2000 Time service so
that it automatically starts at boot. When communicating with Windows 2000
computers, time packets are secured with a signed hash of the time information.
Security is based on the Windows NT secure channel and signature key is
determined by the machine account of the client.
Question
What encryption types does Windows 2000 support?
Answer
Windows 2000 supports the following encryption types:
RC4-HMAC
DES-CBC-CRC
DES-CBC-MD5
Kerberos Encryption Key Lengths:
|
| RC4-HMAC | 128 | 128 | 56 (128 w/ the High
Encryption Pack installed |
| DES-CBC-CRC | 56 | 56 | 56 |
| DES-CBC-MD5 | 56 | 56 | 56 |
Question
How do I find out what Kerberos tickets I have?
Answer
The Kerberos tickets are kept in ticket cache by the LSA, and the
cache is destroyed when the user logs out. Only the logged on user has access
to the tickets in the cache. The Resource Kit utilities Klist.exe or
Kerbtray.exe can be used to examine the tickets in the cache.
Question
Does Windows 2000 support Pkinit?
Answer
Windows 2000 Kerberos provides an implementation of Pkinit draft
version 9. The specific use of Pkinit in Windows 2000 is constrained to
supporting SmartCard logon. Pkinit has not been tested with other
implementations since the release of Windows 2000.
Question
What are the default ticket lifetimes?
Answer
The default ticket lifetimes are controlled at the domain level
by using domain policy. The defaults are:
- MaxServiceTicketAge: 10 hours
- MaxTicketAge: 10 hours
- MaxRenewAge: 7 days
- MaxClockSkew: 5 minutes
Question
What does
Enforce Logon Restrictions mean?
Answer
There is a setting for the Kerberos policy called
Enforce Logon Restrictions. With this setting enabled, every time a user uses a
ticket-granting-ticket (TGT) to request a ticket, the account is checked to see
if it is still valid. That would prevent a disabled account from obtaining new
session tickets.
Question
How do I use delegation?
Answer
Delegation permits a service to act as the user with that user's
access to network resources. This requires the client to forward a user's TGT
to the service so that it can request tickets from a KDC on behalf of the user.
Since the service is able to act as the user, it is important that the service
be trusted before giving it your TGT. Windows 2000 has controls that can limit
when a service provides a user's TGT when delegation is requested.
The Kerberos revisions Internet Draft specifies a new ticket flag - "OK as
delegate". The Windows 2000 KDC sets this flag in service tickets that have the
Trusted for delegation account control flag set. If the
service ticket has the
OK as delegate flag set, then the SSPI
forwards the user's TGT to the service if the SSPI program requested
delegation. If the ticket flag is not set, then the SSPI delegation flag is
ignored and the TGT is not forwarded.
If you are running with a KDC
that does not set the ticket flag, you can set the RealmFlags in the registry
configuration for the external realm to trust the realm for delegation. Setting
the RealmFlags flag to a value of 4 enables this feature.
For
additional information about the RealmFlags registry setting, see the Windows
2000 Registry Reference (Regentry.chm) included in the Windows 2000 Resource
Kit.
Question
Does Windows 2000 support SPNEGO (
RFC-2478)?
Answer
Yes. The Negotiate SSP implements SPNEGO. The Negotiate SSP is
the common default package that most programs use in Windows 2000.
Question
Are Telnet and File Transfer Protocol (FTP) clients in Windows
2000 Kerberized?
Answer
The Telnet and FTP services in Windows 2000 do not use Kerberos
for authentication.
The third-party products that this article discusses are
manufactured by companies that are independent of Microsoft. Microsoft makes no
warranty, implied or otherwise, regarding the performance or reliability of
these products.