荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Jobs (温少), 信区: WinNT
标 题: Windows 2000 Kerberos Authentication
发信站: BBS 荔园晨风站 (Sun Nov 28 15:16:58 1999), 站内信件
Windows 2000 Kerberos Authentication
Posted: Friday, July 09, 1999
The next generation of the Microsoft? Windows? operating system will adopt
Kerberos as the default protocol for network authentication. An emerging
standard, Kerberos provides a foundation for interoperability while enhancing
the security of enterprise-wide network authentication. Windows 2000 implements
Kerberos version 5 with extensions for public key authentication. The Kerberos
client is implemented as a security provider through the Security Support
Provider Interface. Initial authentication is integrated with the Winlogon
single sign-on architecture. The Kerberos Key Distribution Center (KDC) is
integrated with other Windows 2000 security services running on the domain
controller and uses the domain抯 Active DirectoryTM directory service as its
security account database. This white paper examines components of the protocol
and provides detail on its implementation.
--------------------------------------------------------------------------------
Download this document in Microsoft Word (.doc) format (self-extracting .exe
file, 143k ).
--------------------------------------------------------------------------------
Introduction
This paper provides a technical introduction to how the Microsoft? Windows?
2000 operating system implements the Kerberos version 5 authentication
protocol. The paper includes detailed explanations of important concepts,
architectural elements, and features of Kerberos authentication. The first
section, 揙verview of the Kerberos Protocol,? is for anyone unfamiliar with
Kerberos authentication. Following this introduction to the protocol are
several sections with details of Microsoft抯 implementation in Windows 2000.
The paper concludes with a brief discussion of requirements for
interoperability with other implementations.
Authentication in Windows 2000
Windows 2000 supports several protocols for verifying the identities of users
who claim to have accounts on the system, including protocols for
authenticating dial-up connections and protocols for authenticating external
users who access the network over the Internet. But there are only two choices
for network authentication within Windows 2000 domains:
Kerberos Version 5. The Kerberos version 5 authentication protocol is the
default for network authentication on computers with Windows 2000.
Windows NT LAN Manager (NTLM) . The NTLM protocol was the default for network
authentication in the Windows NT? 4.0 operating system. It is retained in
Windows 2000 for compatibility with downlevel clients and servers. NTLM is also
used to authenticate logons to standalone computers with Windows 2000.
Computers with Windows 3.11, Windows 95, Windows 98, or Windows NT 4.0 will use
the NTLM protocol for network authentication in Windows 2000 domains. Computers
running Windows 2000 will use NTLM when authenticating to servers with Windows
NT 4.0 and when accessing resources in Windows NT 4.0 domains. But the protocol
of choice in Windows 2000, when there is a choice, is Kerberos version 5.
Benefits of Kerberos Authentication
The Kerberos protocol is more flexible and efficient than NTLM, and more
secure. The benefits gained by using Kerberos authentication are:
More efficient authentication to servers. With NTLM authentication, an
application server must connect to a domain controller in order to authenticate
each client. With Kerberos authentication, the server does not need to go to a
domain controller. It can authenticate the client by examining credentials
presented by the client. Clients can obtain credentials for a particular server
once and reuse them throughout a network logon session.
Mutual authentication. NTLM allows servers to verify the identities of their
clients. It does not allow clients to verify a server抯 identity, or one server
to verify the identity of another. NTLM authentication was designed for a
network environment in which servers were assumed to be genuine. The Kerberos
protocol makes no such assumption. Parties at both ends of a network connection
can know that the party on the other end is who it claims to be.
Delegated authentication. Windows services impersonate clients when accessing
resources on their behalf. In many cases, a service can complete its work for
the client by accessing resources on the local computer. Both NTLM and Kerberos
provide the information that a service needs to impersonate its client locally.
However, some distributed applications are designed so that a front-end service
must impersonate clients when connecting to back-end services on other
computers. The Kerberos protocol has a proxy mechanism that allows a service to
impersonate its client when connecting to other services. No equivalent is
available with NTLM.
Simplified trust management . One of the benefits of mutual authentication in
the Kerberos protocol is that trust between the security authorities for
Windows 2000 domains is by default two-way and transitive. Networks with
multiple domains no longer require a complex web of explicit, point-to-point
trust relationships. Instead, the many domains of a large network can be
organized in a tree of transitive, mutual trust. Credentials issued by the
security authority for any domain are accepted everywhere in the tree. If the
network includes more than one tree, credentials issued by a domain in any tree
are accepted throughout the forest.
Interoperability . Microsoft抯 implementation of the Kerberos protocol is based
on standards-track specifications recommended to the Internet Engineering Task
Force (IETF). As a result, the implementation of the protocol in Windows 2000
lays a foundation for interoperability with other networks where Kerberos
version 5 is used for authentication.
--------------------------------------------------------------------------------
Download this document in Microsoft Word (.doc) format (self-extracting .exe
file, 143k ).
--------------------------------------------------------------------------------
Last Updated: Wednesday, November 03, 1999
? 1999 Microsoft Corporation. All rights reserved. Terms of use.
--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@192.168.11.73]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店