Answers to frequently asked Kerberos questions

Article translations Article translations
Article ID: 266080 - View products that this article applies to.
This article was previously published under Q266080
Expand all | Collapse all

On This Page

SUMMARY

This article answers frequently asked questions about the Microsoft Windows 2000 implementation of the Kerberos V5 authentication protocol.

MORE INFORMATION

Question

Is the Windows 2000 Kerberos implementation interoperable with other Kerberos implementations?

Answer

The Windows 2000 implementation of Kerberos was developed based on the following RFCs:

Kerberos

http://www.ietf.org/rfc/rfc1510.txt?number=1510

GSSAPI Kerberos V5 Mechanism

http://www.ietf.org/rfc/rfc1964.txt?number=1964

Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicate that interoperability exists for a number of scenarios that are described in the following Windows 2000 Kerberos Interoperability whitepaper:
http://technet.microsoft.com/en-us/library/bb742432.aspx
Interoperability testing has also occurred with Heimdal, CyberSafe, IBM and Sun implementations.

The Microsoft Windows 2000 Kerberos implementation is compliant with the following RFCs:
http://www.ietf.org/rfc/rfc1510.txt?number=1510http://www.ietf.org/rfc/rfc1964.txt?number=1964
The Microsoft Windows 2000 implementation of Kerberos V5 does not contain support for Kerberos V4.

Question

How do I setup a cross-realm trust to a Windows 2000 domain?

Answer

The steps are outlined in the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability:
http://technet.microsoft.com/en-us/library/bb742433.aspx

Question

Does Windows 2000 support Kadmin?

Answer

No, Windows 2000 supports Lightweight Directory Access Protocol (LDAP) for account administration.

Question

What password changing protocol does Windows 2000 support for Kerberos clients?

Answer

Windows 2000 implements the Kerberos Change Password protocol as described in the Internet Draft draft-ietf-cat-kerb-chg-password-02.txt. This protocol is also implemented in MIT krb5-1.1.1.

Note A copy of the Internet Draft referenced above can be found in the sample file link at the bottom of this Web page link.

Question

How does Windows 2000 locate the Key Distribution Centers (KDCs)?

Answer

Windows 2000 clients use Domain Name System (DNS) SRV records to locate domain controllers in a domain, and they attempt to resolve the _ldap._tcp.dc._msdcs SRV records. Windows 2000 domain controllers also publish SRV records for _kerberos and _kpasswd services. The list of published SRV records can be found on a domain controller in the following file:
%Windir%\System32\Config\Netlogon.dns

Question

Does Windows 2000 support General Security Service Application Programming Interface (GSSAPI) (RFC-2743)?

Answer

Microsoft supports the Security Support Provider Interface (SSPI) which is semantically similar to the GSSAPI, but syntactically different. For additional information about SSPI, see the Microsoft Windows Platform SDK. The protocol used by Kerberos Security Support Provider (SSP) is the same as that used by the GSSAPI Kerberos5 mechanism defined in the following RFC:
http://www.ietf.org/rfc/rfc1964.txt?number=1964

Question

Does Windows 2000 support Krb5 Application Programming Interfaces (API)s?

Answer

No. The only Kerberos interfaces that Windows 2000 supports are through the SSPI and the LsaCallAuthenticationPackage() ticket interfaces documented in the Windows Platform SDK. The SSPI interfaces are equivalent to the Kerberos GSSAPI and produce an application that uses the GSSAPI/kerberos5 mechtype (RFC-1964) on the wire. The LsaCallAuthentication package interfaces provide a mechanism to retrieve tickets from the Kerberos ticket cache.

Question

What extensions did Microsoft make to Kerberos?

Answer

Microsoft has implemented the following extensions which are published as IETF Internet Drafts:

Kerberos Set Password protocol:
http://www.ietf.org/rfc/rfc3244.txt

Question

What is in the Kerberos ticket authorization data?

Answer

The authorization data in the Kerberos ticket was intended by the following RFC authors to implement vendor-specific authorization data:
http://www.ietf.org/rfc/rfc1510.txt?number=1510
Windows 2000 uses this field to hold data specific to its distributed security mechanism. This is described in the Windows 2000 Server Distributed Systems Guide pages 667-669. Information on intended use of the authorization field is located in the following RFC:
http://www.ietf.org/rfc/rfc1510.txt?number=1510

Question

How does Windows 2000 keep system clocks synchronized?

Answer

Windows 2000 clients use the following version of Simple Network Time Protocol (SNTP):
http://www.ietf.org/rfc/rfc1769.txt?number=1769
Time synchronization uses Universal Time Coordinate (UTC) which is time zone independent. A computer determines its time source by following a complex algorithm involving sites, domains, PDC FSMO, and Reliable Time Servers. The time service is controlled by using the net time command. The act of joining a domain enables the Windows 2000 Time service so that it automatically starts at boot. When communicating with Windows 2000 computers, time packets are secured with a signed hash of the time information. Security is based on the Windows NT secure channel and signature key is determined by the machine account of the client.

Question

What encryption types does Windows 2000 support?

Answer

Windows 2000 supports the following encryption types:

RC4-HMAC

DES-CBC-CRC

DES-CBC-MD5

Kerberos Encryption Key Lengths:
Collapse this tableExpand this table
AuthenticationSigningPrivacy
RC4-HMAC12812856 (128 w/ the High Encryption Pack installed
DES-CBC-CRC565656
DES-CBC-MD5565656

Question

How do I find out what Kerberos tickets I have?

Answer

The Kerberos tickets are kept in ticket cache by the LSA, and the cache is destroyed when the user logs out. Only the logged on user has access to the tickets in the cache. The Resource Kit utilities Klist.exe or Kerbtray.exe can be used to examine the tickets in the cache.

Question

Does Windows 2000 support Pkinit?

Answer

Windows 2000 Kerberos provides an implementation of Pkinit draft version 9. The specific use of Pkinit in Windows 2000 is constrained to supporting SmartCard logon. Pkinit has not been tested with other implementations since the release of Windows 2000.

Question

What are the default ticket lifetimes?

Answer

The default ticket lifetimes are controlled at the domain level by using domain policy. The defaults are:
  • MaxServiceTicketAge: 10 hours
  • MaxTicketAge: 10 hours
  • MaxRenewAge: 7 days
  • MaxClockSkew: 5 minutes

Question

What does Enforce Logon Restrictions mean?

Answer

There is a setting for the Kerberos policy called Enforce Logon Restrictions. With this setting enabled, every time a user uses a ticket-granting-ticket (TGT) to request a ticket, the account is checked to see if it is still valid. That would prevent a disabled account from obtaining new session tickets.

Question

How do I use delegation?

Answer

Delegation permits a service to act as the user with that user's access to network resources. This requires the client to forward a user's TGT to the service so that it can request tickets from a KDC on behalf of the user. Since the service is able to act as the user, it is important that the service be trusted before giving it your TGT. Windows 2000 has controls that can limit when a service provides a user's TGT when delegation is requested.

The Kerberos revisions Internet Draft specifies a new ticket flag - "OK as delegate". The Windows 2000 KDC sets this flag in service tickets that have the Trusted for delegation account control flag set. If the service ticket has the OK as delegate flag set, then the SSPI forwards the user's TGT to the service if the SSPI program requested delegation. If the ticket flag is not set, then the SSPI delegation flag is ignored and the TGT is not forwarded.

If you are running with a KDC that does not set the ticket flag, you can set the RealmFlags in the registry configuration for the external realm to trust the realm for delegation. Setting the RealmFlags flag to a value of 4 enables this feature.

For additional information about the RealmFlags registry setting, see the Windows 2000 Registry Reference (Regentry.chm) included in the Windows 2000 Resource Kit.

Question

Does Windows 2000 support SPNEGO (RFC-2478)?

Answer

Yes. The Negotiate SSP implements SPNEGO. The Negotiate SSP is the common default package that most programs use in Windows 2000.

Question

Are Telnet and File Transfer Protocol (FTP) clients in Windows 2000 Kerberized?

Answer

The Telnet and FTP services in Windows 2000 do not use Kerberos for authentication.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Properties

Article ID: 266080 - Last Review: February 28, 2007 - Revision: 7.5
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kb3rdparty kbfaq kbinfo kbkerberos KB266080

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com