This article answers frequently asked questions about the Microsoft Windows 2000 implementation of the Kerberos V5 authentication protocol.
QuestionIs the Windows 2000 Kerberos implementation interoperable with other Kerberos implementations?
AnswerThe Windows 2000 implementation of Kerberos was developed based on the following RFCs:
GSSAPI Kerberos V5 Mechanismhttp://www.ietf.org/rfc/rfc1964.txt?number=1964
Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicate that interoperability exists for a number of scenarios that are described in the following Windows 2000 Kerberos Interoperability whitepaper:
The Microsoft Windows 2000 Kerberos implementation is compliant with the following RFCs:
QuestionHow do I setup a cross-realm trust to a Windows 2000 domain?
AnswerThe steps are outlined in the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability:
QuestionDoes Windows 2000 support Kadmin?
AnswerNo, Windows 2000 supports Lightweight Directory Access Protocol (LDAP) for account administration.
QuestionWhat password changing protocol does Windows 2000 support for Kerberos clients?
AnswerWindows 2000 implements the Kerberos Change Password protocol as described in the Internet Draft draft-ietf-cat-kerb-chg-password-02.txt. This protocol is also implemented in MIT krb5-1.1.1.
Note A copy of the Internet Draft referenced above can be found in the sample file link at the bottom of this Web page link.
QuestionHow does Windows 2000 locate the Key Distribution Centers (KDCs)?
AnswerWindows 2000 clients use Domain Name System (DNS) SRV records to locate domain controllers in a domain, and they attempt to resolve the _ldap._tcp.dc._msdcs SRV records. Windows 2000 domain controllers also publish SRV records for _kerberos and _kpasswd services. The list of published SRV records can be found on a domain controller in the following file:
QuestionDoes Windows 2000 support General Security Service Application Programming Interface (GSSAPI) (RFC-2743)?
AnswerMicrosoft supports the Security Support Provider Interface (SSPI) which is semantically similar to the GSSAPI, but syntactically different. For additional information about SSPI, see the Microsoft Windows Platform SDK. The protocol used by Kerberos Security Support Provider (SSP) is the same as that used by the GSSAPI Kerberos5 mechanism defined in the following RFC:
QuestionDoes Windows 2000 support Krb5 Application Programming Interfaces (API)s?
AnswerNo. The only Kerberos interfaces that Windows 2000 supports are through the SSPI and the LsaCallAuthenticationPackage() ticket interfaces documented in the Windows Platform SDK. The SSPI interfaces are equivalent to the Kerberos GSSAPI and produce an application that uses the GSSAPI/kerberos5 mechtype (RFC-1964) on the wire. The LsaCallAuthentication package interfaces provide a mechanism to retrieve tickets from the Kerberos ticket cache.
QuestionWhat extensions did Microsoft make to Kerberos?
AnswerMicrosoft has implemented the following extensions which are published as IETF Internet Drafts:
Kerberos Set Password protocol：
QuestionWhat is in the Kerberos ticket authorization data?
AnswerThe authorization data in the Kerberos ticket was intended by the following RFC authors to implement vendor-specific authorization data:
QuestionHow does Windows 2000 keep system clocks synchronized?
AnswerWindows 2000 clients use the following version of Simple Network Time Protocol (SNTP):
QuestionWhat encryption types does Windows 2000 support?
AnswerWindows 2000 supports the following encryption types:
Kerberos Encryption Key Lengths:
|RC4-HMAC||128||128||56 (128 w/ the High Encryption Pack installed|
QuestionHow do I find out what Kerberos tickets I have?
AnswerThe Kerberos tickets are kept in ticket cache by the LSA, and the cache is destroyed when the user logs out. Only the logged on user has access to the tickets in the cache. The Resource Kit utilities Klist.exe or Kerbtray.exe can be used to examine the tickets in the cache.
QuestionDoes Windows 2000 support Pkinit?
AnswerWindows 2000 Kerberos provides an implementation of Pkinit draft version 9. The specific use of Pkinit in Windows 2000 is constrained to supporting SmartCard logon. Pkinit has not been tested with other implementations since the release of Windows 2000.
QuestionWhat are the default ticket lifetimes?
AnswerThe default ticket lifetimes are controlled at the domain level by using domain policy. The defaults are:
- MaxServiceTicketAge: 10 hours
- MaxTicketAge: 10 hours
- MaxRenewAge: 7 days
- MaxClockSkew: 5 minutes
QuestionWhat does Enforce Logon Restrictions mean?
AnswerThere is a setting for the Kerberos policy called Enforce Logon Restrictions. With this setting enabled, every time a user uses a ticket-granting-ticket (TGT) to request a ticket, the account is checked to see if it is still valid. That would prevent a disabled account from obtaining new session tickets.
QuestionHow do I use delegation?
AnswerDelegation permits a service to act as the user with that user's access to network resources. This requires the client to forward a user's TGT to the service so that it can request tickets from a KDC on behalf of the user. Since the service is able to act as the user, it is important that the service be trusted before giving it your TGT. Windows 2000 has controls that can limit when a service provides a user's TGT when delegation is requested.
The Kerberos revisions Internet Draft specifies a new ticket flag - "OK as delegate". The Windows 2000 KDC sets this flag in service tickets that have the
Trusted for delegation account control flag set. If the service ticket has the OK as delegate flag set, then the SSPI forwards the user's TGT to the service if the SSPI program requested delegation. If the ticket flag is not set, then the SSPI delegation flag is ignored and the TGT is not forwarded.
If you are running with a KDC that does not set the ticket flag, you can set the RealmFlags in the registry configuration for the external realm to trust the realm for delegation. Setting the RealmFlags flag to a value of 4 enables this feature.
For additional information about the RealmFlags registry setting, see the Windows 2000 Registry Reference (Regentry.chm) included in the Windows 2000 Resource Kit.
QuestionDoes Windows 2000 support SPNEGO (RFC-2478)?
AnswerYes. The Negotiate SSP implements SPNEGO. The Negotiate SSP is the common default package that most programs use in Windows 2000.
QuestionAre Telnet and File Transfer Protocol (FTP) clients in Windows 2000 Kerberized?
AnswerThe Telnet and FTP services in Windows 2000 do not use Kerberos for authentication.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Article ID: 266080 - Last Review: Mar 17, 2009 - Revision: 1