Kerberos Authentication and Trust

The Kerberos authentication protocol provides single sign-on to network resources. Windows 2000 uses the Kerberos v5 protocol to provide fast single sign-on to network services within a domain and to services in trusted domains. The protocol verifies both the identity of the user and that of the network service, providing mutual authentication.

How Kerberos Authentication Works

When a user enters domain credentials (user name and password, or smart card logon), Windows 2000 locates an Active Directory domain controller running the Kerberos Key Distribution Center (KDC) service. For a password logon the client proves knowledge of the password without sending it across the network (pre-authentication: it encrypts a timestamp with a key derived from the password), and the KDC issues a "ticket" to the user. This is a time-limited credential, encrypted so that only the KDC can read it, containing information that identifies the user. After the initial interactive logon, this first ticket, the ticket-granting ticket (TGT), is used to request further tickets for each network service the user connects to. Each service ticket is encrypted with a key known only to the KDC and that service, and the service proves that it could read the ticket before the client trusts it, so the user and the server authenticate one another. The process is complex but completely transparent to the user. (For more information about Kerberos v5 authentication, see Windows 2000 Server Help.)
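The ticket flow described above (AS exchange with pre-authentication, TGS exchange for a service ticket, AP exchange with mutual authentication), as an added example that is not part of the original page or of the Windows 2000 implementation. The realm CORP.EXAMPLE, the principals, the passwords and the sealing primitive (a SHAKE-256 keystream with an HMAC-SHA256 tag standing in for the real Kerberos encryption types) are all constructed for illustration; the message field names are simplified and do not follow the RFC 1510 wire format.

```python
import hashlib
import hmac
import json
import os
import time

# Toy sealing primitive (constructed for this example): SHAKE-256 keystream XOR plus an
# HMAC-SHA256 tag. Real Kerberos uses its defined encryption types (RC4-HMAC, AES, ...).
def seal(key: bytes, obj: dict) -> bytes:
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plain))
    body = bytes(a ^ b for a, b in zip(plain, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))

def string_to_key(password: str, realm: str) -> bytes:
    """Long-term key derived from the password; the password itself never goes on the wire."""
    return hashlib.sha256((realm + password).encode()).digest()

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) of one domain."""
    def __init__(self, realm: str):
        self.realm, self.krbtgt = realm, "krbtgt/" + realm
        self.keys = {self.krbtgt: os.urandom(32)}          # principal -> long-term key

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm)

    def _issue(self, client, service, now, lifetime=8 * 3600):
        """A ticket is sealed under the service's key; only the KDC and that service can open it."""
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session": session, "end": now + lifetime})
        return session, ticket

    def as_exchange(self, client, preauth, now):
        """AS-REQ/AS-REP: pre-authentication proves the password; the reply carries the TGT."""
        unseal(self.keys[client], preauth)                   # ValueError if the password was wrong
        session, tgt = self._issue(client, self.krbtgt, now)
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: the TGT plus an authenticator under its session key buys a service ticket."""
        t = unseal(self.keys[self.krbtgt], tgt)
        auth = unseal(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"] or now >= t["end"]:
            raise PermissionError("TGT not usable by this client or expired")
        session, st = self._issue(t["client"], service, now)
        return st, seal(bytes.fromhex(t["session"]), {"session": session})

class Service:
    def __init__(self, name, password, realm):
        self.name, self.key = name, string_to_key(password, realm)

    def accept(self, ticket, authenticator, now):
        """AP-REQ: open the ticket with our own key, check the authenticator, return AP-REP."""
        t = unseal(self.key, ticket)                          # ValueError if not sealed under our key
        if t["service"] != self.name or now >= t["end"]:
            raise PermissionError("ticket not for this service or expired")
        session = bytes.fromhex(t["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        return seal(session, {"ts": auth["ts"]})              # echo proves we hold the session key

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.key = name, kdc, string_to_key(password, kdc.realm)

    def logon(self, now):
        """Interactive logon: one AS exchange yields the TGT and its session key."""
        self.tgt, enc = self.kdc.as_exchange(self.name, seal(self.key, {"ts": now}), now)
        self.tgt_session = bytes.fromhex(unseal(self.key, enc)["session"])

    def connect(self, service, now):
        """Get a service ticket with the TGT, present it, and verify the server's AP-REP."""
        auth = seal(self.tgt_session, {"client": self.name, "ts": now})
        st, enc = self.kdc.tgs_exchange(self.tgt, auth, service.name, now)
        session = bytes.fromhex(unseal(self.tgt_session, enc)["session"])
        ap_rep = service.accept(st, seal(session, {"client": self.name, "ts": now}), now)
        if unseal(session, ap_rep)["ts"] != now:             # mutual authentication check
            raise PermissionError("server failed mutual authentication")
        return True

def demo():
    kdc = KDC("CORP.EXAMPLE")                                 # constructed realm and principals
    kdc.register("alice", "correct horse battery")
    kdc.register("cifs/fs1.corp.example", "svc-secret")
    fs1 = Service("cifs/fs1.corp.example", "svc-secret", kdc.realm)
    now = int(time.time())
    alice = Client("alice", "correct horse battery", kdc)
    alice.logon(now)
    result = {"sso": alice.connect(fs1, now)}
    try:                                                      # wrong password: pre-auth fails at the KDC
        Client("alice", "guess", kdc).logon(now); result["bad_password"] = "accepted"
    except ValueError:
        result["bad_password"] = "rejected"
    rogue = Service("cifs/fs1.corp.example", "not-the-real-key", kdc.realm)
    try:                                                      # impostor server cannot open the ticket
        alice.connect(rogue, now); result["rogue_server"] = "accepted"
    except ValueError:
        result["rogue_server"] = "rejected"
    return result
```

Two things the walk-through makes visible that the prose only states: the KDC never sees the password, only whether the pre-authentication blob opens with the stored key, and the rogue server is rejected at the client because the AP-REP it would have to send requires a session key it cannot extract from the ticket.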

Kerberos authentication reduces the number of passwords a user needs to remember, and because the password itself is never transmitted, it reduces the risk of credential interception. Trust relationships between domains in a forest extend the scope of Kerberos authentication to a wide range of network resources.

Implementing Kerberos Authentication

There are no prerequisites for implementing Kerberos authentication. The Kerberos protocol is used pervasively in Windows 2000. You do not need to install or initiate it.

Kerberos security policy parameters are set in the Group Policy snap-in to MMC. Within a Group Policy object, the Kerberos settings are located under Account Policies:

 — Computer Configuration
  — Windows Settings
   — Security Settings
    — Account Policies
     — Kerberos Policy

Kerberos Policy contains five settings: Enforce user logon restrictions, Maximum lifetime for service ticket, Maximum lifetime for user ticket, Maximum lifetime for user ticket renewal, and Maximum tolerance for computer clock synchronization.

Change these settings only if you are an administrator familiar with the Kerberos protocol. Lengthening ticket lifetimes or the clock tolerance widens the window in which a stolen ticket or a replayed authenticator remains usable.

Considerations about Kerberos Security

To reap the full benefits of the performance and security of Kerberos authentication, consider deploying Kerberos as the only network logon protocol in your enterprise. Windows 2000 implements the IETF standard Kerberos v5 protocol (RFC 1510) for cross-platform interoperability. For example, users on UNIX systems can use Kerberos credentials to log on to UNIX systems and to connect securely to Windows 2000 services for applications that are Kerberos-enabled. Enterprise networks that already use Kerberos authentication based on UNIX realms can create trust relationships with Windows 2000 domains and integrate Windows 2000 authorization for UNIX accounts by using Kerberos name mapping.

Note that the clocks of computers on a Kerberos-authenticated network must agree with a common time service to within the tolerance set in Kerberos Policy (five minutes by default), or authentication fails with a clock-skew error; the timestamp in each authenticator is what lets a server reject replayed requests, so the tolerance also bounds how long a replay cache must remember them. Windows 2000 computers automatically synchronize their time with a domain controller, and domain controllers synchronize with the domain's PDC emulator, which acts as the authoritative time source. Differences within the tolerance, inside a domain or across domains, never cause logon problems, and when a server reports a skew error the Windows 2000 Kerberos client retries using the time reported by the server, so moderate drift is handled automatically; a computer whose clock stays far out of sync should nevertheless be corrected.
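The two sides of the clock check above, as an added example that is not part of the original page or of the Windows 2000 code: a server that enforces the five-minute tolerance and a replay cache sized to it, and a client that recovers from a skew error by reusing the server's time. The client-side retry models the automatic handling the text describes; the exact mechanism (record the offset from the error, resend once, leave the local clock untouched) is an assumption of this example. Clocks are fixed constructed values so the run is deterministic.

```python
MAX_CLOCK_SKEW = 300   # Windows 2000 default "Maximum tolerance for computer clock synchronization"

class SkewError(Exception):
    """Models KRB_AP_ERR_SKEW; like the real KRB_ERROR it carries the server's own time."""
    def __init__(self, server_time):
        super().__init__("KRB_AP_ERR_SKEW")
        self.server_time = server_time

class Acceptor:
    """Server side: accept an authenticator only if its timestamp is inside the skew
    window and has not been seen before. The replay cache keeps each entry for exactly
    the window, because outside it the timestamp check alone rejects the replay."""
    def __init__(self, clock, max_skew=MAX_CLOCK_SKEW):
        self.clock, self.max_skew = clock, max_skew
        self.replay_cache = {}                # (client, ts) -> time the entry may be dropped

    def accept(self, client, ts):
        now = self.clock()
        self.replay_cache = {k: exp for k, exp in self.replay_cache.items() if exp > now}
        if abs(ts - now) > self.max_skew:
            raise SkewError(now)
        if (client, ts) in self.replay_cache:
            raise PermissionError("KRB_AP_ERR_REPEAT: authenticator replayed")
        self.replay_cache[(client, ts)] = now + self.max_skew
        return True

class Requester:
    """Client side (assumed model of the Windows client's recovery): on a skew error,
    remember the offset to the server's clock and retry once with a corrected timestamp.
    The local system clock is not changed; that is the time service's job."""
    def __init__(self, clock):
        self.clock, self.offset = clock, 0

    def authenticate(self, acceptor, client):
        try:
            return acceptor.accept(client, self.clock() + self.offset)
        except SkewError as e:
            self.offset = e.server_time - self.clock()
            return acceptor.accept(client, self.clock() + self.offset)

def demo():
    server_now = 1_000_000                                  # constructed fixed clocks
    server = Acceptor(lambda: server_now)
    slightly_off = Requester(lambda: server_now + 120)      # 2 minutes ahead: inside the window
    far_off = Requester(lambda: server_now - 900)           # 15 minutes behind: outside it
    r = {"within_tolerance": slightly_off.authenticate(server, "alice")}
    r["far_off_recovered"] = far_off.authenticate(server, "bob")
    r["learned_offset"] = far_off.offset                    # applied to every later request
    try:                                                    # replaying bob's corrected authenticator
        server.accept("bob", server_now); r["replay"] = "accepted"
    except PermissionError:
        r["replay"] = "rejected"
    return r
```

The offset the client learns is only as trustworthy as the server that reported it: in real Kerberos the KRB_ERROR is unauthenticated, which is one reason the tolerance is small and the system clock is corrected by the time service rather than by the Kerberos client.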

When transitive trust between domains in a forest is used, the Kerberos service searches for a trust path between the user's domain and the resource domain to build a cross-domain referral; each domain on the path must issue a referral ticket, so authentication time grows with the length of the path. In large trees it can be more efficient to establish shortcut trusts, explicit bidirectional trusts between domains with a high degree of cross-domain interaction. These give the Kerberos protocol a shorter path to follow when generating the referral.

Kerberos authentication uses transparent transitive trust among domains in a forest, but in Windows 2000 it cannot authenticate between domains in separate forests. To use a resource in a separate forest, the user must provide credentials that are valid for logging on to a domain in that forest. Alternatively, if an explicit (non-transitive) trust exists, for example a one-way trust in which the resource domain trusts the account domain, applications fall back to NTLM authentication if security policy permits. Note that this fallback loses the mutual authentication that Kerberos provides.
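The referral-path search and the cross-forest fallback of the two paragraphs above, as an added example that is not part of the original page or of the Windows 2000 code. The forest (corp.example with regional child domains), the separate forest partner.example and the one-way external trust are constructed; trust paths are found by breadth-first search over two-way transitive trusts, and a shortcut trust is added to show the path shrinking.

```python
from collections import deque

def two_way(trusts: dict, a: str, b: str) -> None:
    """Record a two-way transitive trust (parent/child, tree-root or shortcut) in the forest."""
    trusts.setdefault(a, set()).add(b)
    trusts.setdefault(b, set()).add(a)

def referral_path(trusts: dict, src: str, dst: str):
    """Breadth-first search over transitive forest trusts: the chain of domains whose KDCs
    a referral visits from the user's domain to the resource domain, or None if unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            path = []
            while d is not None:
                path.append(d)
                d = prev[d]
            return path[::-1]
        for n in sorted(trusts.get(d, ())):
            if n not in prev:
                prev[n] = d
                queue.append(n)
    return None

def choose_auth(forest: dict, external: set, user_domain: str, resource_domain: str):
    """Kerberos if a transitive path exists inside the forest; otherwise NTLM over an explicit
    external trust in which the resource domain trusts the account domain; otherwise nothing."""
    path = referral_path(forest, user_domain, resource_domain)
    if path:
        return "kerberos", path
    if (resource_domain, user_domain) in external:   # (trusting domain, trusted domain)
        return "ntlm", [user_domain, resource_domain]
    return "none", None

def build_forest() -> dict:
    """Constructed example forest: root corp.example with two regional subtrees."""
    f = {}
    two_way(f, "corp.example", "eu.corp.example")
    two_way(f, "eu.corp.example", "de.eu.corp.example")
    two_way(f, "corp.example", "us.corp.example")
    two_way(f, "us.corp.example", "ny.us.corp.example")
    return f

def demo():
    forest = build_forest()
    # partner.example lives in a separate forest and trusts de.eu.corp.example one way.
    external = {("partner.example", "de.eu.corp.example")}
    r = {"before_shortcut": referral_path(forest, "de.eu.corp.example", "ny.us.corp.example")}
    two_way(forest, "de.eu.corp.example", "ny.us.corp.example")   # shortcut trust between busy domains
    r["after_shortcut"] = referral_path(forest, "de.eu.corp.example", "ny.us.corp.example")
    r["cross_forest"] = choose_auth(forest, external, "de.eu.corp.example", "partner.example")
    r["reverse_direction"] = choose_auth(forest, external, "partner.example", "de.eu.corp.example")
    return r
```

Before the shortcut trust, a user in de.eu.corp.example reaching ny.us.corp.example needs referrals through four intermediate KDC hops; afterwards a single hop. The cross-forest case shows why the direction of a one-way trust matters: the partner forest trusting de.eu lets de.eu users reach partner resources over NTLM, but not the other way round.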

Windows 2000 still supports the NTLM authentication protocol for compatibility with earlier Microsoft operating systems. You can continue to use NTLM for Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows® NT 4.0 Server, and Windows NT 4.0 Workstation clients. NTLM is also used on Windows 2000 by applications written for earlier versions of Windows NT that explicitly request NTLM security. Because NTLM is the weaker protocol, control which variants are accepted with the LAN Manager authentication level security option and keep track of which clients and applications still depend on it.