Configuring Windows 2000 Server Security: Kerberos Server Authentication
http://corpitk.earthweb.com/reference/pro/1928994024/ch03/03-08.html (1 of 3) [8/3/2000 6:52:09 AM]

Windows 2000 Server defaults to using the Kerberos SSP unless the client is not capable of using Kerberos, as is the case with Windows 9x. In that case the NTLM SSP is used. The NTLM SSP is also used for Windows 2000 Servers that are configured as member servers or stand-alone servers, and for logging on to a domain controller locally instead of on to the domain. (Figure 3.14 outlines the process used when you log on locally.) The Kerberos SSP is tried first for authentication because it is the default for Windows 2000. However, if the user is logging on locally, an error is returned to the Security Support Provider Interface (SSPI), and the SSPI then sends the logon request to the NTLM SSP.

Figure 3.14 This is the logon process for local logons.

Credentials Cache

The client uses an area of volatile memory called the credentials cache. This area of memory is protected by the LSA, and it is never paged out to the pagefile on the hard disk drive. When the user logs off the system, everything in the area of memory used for the credentials cache is flushed.

The Kerberos SSP controls the credentials cache and uses it to obtain as well as renew tickets and keys. The LSA is responsible for notifying the Kerberos SSP when these functions need to be performed.

The LSA also keeps a copy of the user's hashed password in a secure portion of the registry while the user is logged on. Once the user logs off, the hashed password is discarded. The LSA keeps the hashed password in case the TGT expires; it then gives the Kerberos SSP a means of obtaining another TGT without prompting the user to enter a password, so the renewal is accomplished smoothly in the background. The convenience has a cost: for the whole logon session a hash-equivalent credential is present on the host, and it is only discarded at logoff, so anyone who can read the LSA's protected storage on that host recovers it.

DNS Name Resolution

Microsoft Kerberos depends on the Domain Name System (DNS) to find an available KDC to which to send the initial authentication request. All Windows 2000 domain controllers are KDCs, and the KDC is registered as _kerberos._udp.<DNS domain name> (with a matching _kerberos._tcp record) in a DNS service location (SRV) record. Clients can query for this SRV record to locate the IP addresses of computers running the KDC service. A client that cannot find the SRV record can query for a host (A) record using the domain name.

If a Windows 2000 computer is a member of a different Kerberos realm (not a Windows 2000 domain), it cannot look for the SRV record. In this case the name of the KDC server is stored in the registry of the Windows 2000 computer. When the computer needs to locate the KDC, the Microsoft Kerberos SSP reads the KDC server's name from the registry and then uses DNS to resolve the IP address of that system.

UDP and TCP Ports

When a client sends Kerberos messages to the KDC, it defaults to User Datagram Protocol (UDP) port 88 as long as certain size criteria are met. On an Ethernet network the Maximum Transmission Unit (MTU) is 1500 bytes, of which 1472 bytes remain for the UDP payload once the 20-byte IP header and 8-byte UDP header are taken out. If the Kerberos message is no larger than 1472 bytes, Microsoft Kerberos uses UDP as the transport. If the message is between 1473 and 2000 bytes, it still goes over UDP port 88 but IP fragments it across several frames. If the Kerberos message is over 2000 bytes, it is sent over Transmission Control Protocol (TCP) port 88. RFC 1510 states that UDP port 88 should be used for all Kerberos messages, but because Microsoft Kerberos messages may well exceed 2000 bytes (the user and group SIDs are carried in the ticket), Microsoft also uses TCP port 88. A draft revision of RFC 1510 proposing TCP port 88 had been submitted to the Internet Engineering Task Force (IETF) at the time of writing but had not yet been included in the formal RFC. (RFC 4120, which replaced RFC 1510 in 2005, requires KDCs to accept TCP on port 88, so this is no longer a Microsoft-only behaviour.) Interoperability with other Kerberos realms should not be affected, since the TCP communications are between Windows 2000 computers only. The practical consequence is that any firewall between clients and domain controllers must pass both UDP and TCP port 88: blocking TCP 88 breaks authentication precisely for the users with the largest group memberships.

Authorization Data

Kerberos only verifies the identity of principals; it does not authorize the resources they can use. A field is available in Kerberos tickets for authorization data, but Kerberos does not control what information is placed in the field or what should be done with the information.

KDC and Authorization Data

The authorization data field in a Microsoft Kerberos ticket contains a list of SIDs for the user, including group SIDs. This information is retrieved by the KDC from the Active Directory and placed in the TGT given to the client. When the client requests a session ticket (or service ticket, in Microsoft parlance), the KDC copies the data from the authorization data field of the TGT into the session ticket. The authorization data is signed by the KDC before it is stored in the session ticket so that the LSA can detect whether the data has been modified. The LSA checks each session ticket to ensure that the signature is valid.

Services and Authorization Data

An access token is created after the credentials in a session ticket have been verified by the network server on which the service resides. The Privilege Attribute Certificate (PAC), Microsoft's name for this signed authorization data, is extracted from the session ticket and is used to construct an impersonation token that is used to access the service on the server. The impersonation token is presented to the service, and as long as the SIDs in the PAC are granted the requested access by the Access Control List (ACL) for the service, access is granted.

Copyright © 1996-2000 EarthWeb Inc. All rights reserved.
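The flow in the two authorization-data sections above (the KDC copying the SID list from the TGT into the service ticket and signing it; the service's LSA verifying the signature, building an impersonation token and walking the ACL), modelled as an added example. This is not Microsoft's code and not the real PAC encoding: HMAC-SHA256 over a JSON encoding of the SID list stands in for the PAC checksums, only the server checksum is modelled (the KDC checksum is omitted), the ACL walk is a simplified canonical-order check, and the domain SID, keys and ACL are constructed for the illustration.

```python
"""Model of Windows Kerberos authorization data (PAC) handling.  Added
example, not Microsoft's code or the real PAC binary format: an HMAC over
a JSON-encoded SID list stands in for the PAC's server checksum."""
import hashlib
import hmac
import json

# Constructed sample identifiers: a made-up domain SID with well-known RIDs.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_ADMINS = DOMAIN + "-512"
DOMAIN_USERS = DOMAIN + "-513"
ALICE = DOMAIN + "-1104"
EVERYONE = "S-1-1-0"

READ, WRITE = 0x1, 0x2  # toy access-mask bits

# Constructed long-term keys; real ones derive from account passwords.
KRBTGT_KEY = b"constructed krbtgt key"
SERVICE_KEY = b"constructed cifs/fileserver key"


def _checksum(key, sids):
    # Canonical encoding so signer and verifier hash identical bytes.
    return hmac.new(key, json.dumps(list(sids)).encode(), hashlib.sha256).digest()


def issue_tgt(user_sids, krbtgt_key):
    """KDC: take the user's SID list from the directory and seal it in the TGT."""
    return {"sids": list(user_sids), "sig": _checksum(krbtgt_key, user_sids)}


def issue_service_ticket(tgt, krbtgt_key, service_key):
    """KDC: verify the TGT's authorization data, then copy it into a service
    ticket signed with the service's key (the server checksum)."""
    if not hmac.compare_digest(tgt["sig"], _checksum(krbtgt_key, tgt["sids"])):
        raise ValueError("TGT authorization data fails verification")
    return {"sids": list(tgt["sids"]), "sig": _checksum(service_key, tgt["sids"])}


def lsa_verify(ticket, service_key):
    """Service-side LSA: accept the SID list only if the signature is intact."""
    return hmac.compare_digest(ticket["sig"], _checksum(service_key, ticket["sids"]))


def access_check(token_sids, acl, requested):
    """Canonical ACL walk: a matching deny ACE on any still-unsatisfied bit
    refuses access; allow ACEs accumulate bits until the request is covered."""
    remaining = requested
    for kind, sid, mask in acl:
        if sid not in token_sids:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def authorize(ticket, service_key, acl, requested):
    """End to end: verify the ticket, build a token from its PAC, check the ACL."""
    if not lsa_verify(ticket, service_key):
        return False
    token_sids = set(ticket["sids"])  # the impersonation token's group list
    return access_check(token_sids, acl, requested)


# Constructed ACL on a share: domain users may read, only admins may write.
SHARE_ACL = [
    ("allow", DOMAIN_USERS, READ),
    ("allow", DOMAIN_ADMINS, READ | WRITE),
]

if __name__ == "__main__":
    tgt = issue_tgt([ALICE, DOMAIN_USERS, EVERYONE], KRBTGT_KEY)
    ticket = issue_service_ticket(tgt, KRBTGT_KEY, SERVICE_KEY)
    print("read:", authorize(ticket, SERVICE_KEY, SHARE_ACL, READ))    # True
    print("write:", authorize(ticket, SERVICE_KEY, SHARE_ACL, WRITE))  # False
    # A client that splices Domain Admins into its own ticket fails verification.
    forged = {"sids": ticket["sids"] + [DOMAIN_ADMINS], "sig": ticket["sig"]}
    print("forged write:", authorize(forged, SERVICE_KEY, SHARE_ACL, WRITE))  # False
```

The forged case is the whole point of the KDC signature: the SID list is plaintext inside the ticket as far as the client is concerned, so without a key the client does not hold, adding a group SID would be trivial. In the real protocol the PAC is also inside the ticket's encrypted part, which this model leaves out.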
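The size-based transport choice described in the UDP and TCP Ports section above, as an added example that is not Microsoft's code. The thresholds are the ones the text gives (1472 bytes of UDP payload in a 1500-byte Ethernet frame, 2000 bytes as the switch-over to TCP); the 4-byte big-endian length prefix used on TCP is the framing RFC 4120 section 7.2.2 specifies, and the two request bodies are constructed byte strings standing in for real ASN.1-encoded Kerberos messages.

```python
"""Kerberos transport selection and TCP framing (added example, not
Microsoft's code).  A 1500-byte Ethernet MTU leaves 1472 bytes of UDP
payload (1500 - 20 IP - 8 UDP); 1473..2000 bytes still goes over UDP but
is IP-fragmented; over 2000 bytes goes to TCP port 88 with the 4-byte
length prefix from RFC 4120 section 7.2.2."""
import struct

KERBEROS_PORT = 88
ETHERNET_MTU = 1500
IP_HEADER_LEN = 20
UDP_HEADER_LEN = 8
MAX_UDP_MESSAGE = 2000  # Windows 2000 switch-over point given in the text


def choose_transport(message, mtu=ETHERNET_MTU, max_udp=MAX_UDP_MESSAGE):
    """Return 'udp', 'udp-fragmented' or 'tcp' for a Kerberos message."""
    size = len(message)
    if size > max_udp:
        return "tcp"
    if size > mtu - IP_HEADER_LEN - UDP_HEADER_LEN:
        return "udp-fragmented"
    return "udp"


def frame_for_tcp(message):
    """Prefix a message with its length; the high bit is reserved and must be 0."""
    if len(message) >= 1 << 31:
        raise ValueError("message too long for a Kerberos TCP frame")
    return struct.pack("!I", len(message)) + message


def read_tcp_message(stream):
    """Split one length-prefixed message off the front of a TCP byte stream.
    Returns (message, remaining_bytes); raises on a short read or a bad prefix."""
    if len(stream) < 4:
        raise ValueError("short read: no length prefix")
    (length,) = struct.unpack("!I", stream[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    if len(stream) < 4 + length:
        raise ValueError("short read: message truncated")
    return stream[4:4 + length], stream[4 + length:]


def prepare_send(message):
    """What the client hands to the socket layer: (transport, port, wire bytes)."""
    transport = choose_transport(message)
    wire = frame_for_tcp(message) if transport == "tcp" else message
    return transport, KERBEROS_PORT, wire


# Constructed stand-ins: a small AS-REQ (APPLICATION 10 tag 0x6a) and a TGS-REQ
# (APPLICATION 12 tag 0x6c) bloated by many group SIDs.  Bodies are zero filler.
SMALL_REQUEST = b"\x6a" + bytes(299)     # 300 bytes, fits one frame
BLOATED_REQUEST = b"\x6c" + bytes(2499)  # 2500 bytes, forces TCP

if __name__ == "__main__":
    for msg in (SMALL_REQUEST, BLOATED_REQUEST):
        transport, port, wire = prepare_send(msg)
        print(f"{len(msg)} bytes -> {transport}:{port}, {len(wire)} bytes on the wire")
```

The reader side matters as much as the sender: a KDC listener on TCP 88 must treat the prefix as untrusted input, which is why read_tcp_message rejects the reserved high bit and refuses to return a message before all of its declared bytes have arrived.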
