Kerberos Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Kerberos V5 is the default authentication standard in Windows Server 2003 and Windows 2000 domains. This method of authentication can be used by any computer in the domain or a trusted domain. Also, because Kerberos traffic is no longer exempt from IPSec filtering by default, if you want to enable Kerberos authentication, you must create filters in the IPSec policy that explicitly allow all traffic to your domain controllers.

For IKE Kerberos authentication to be used successfully in Windows 2000 and Windows Server 2003 cross-forest trust configurations, you must use FQDNs when configuring external trusts. In addition, you must configure the IPSec policy on both computers to allow an IKE initiator to communicate to any domain controller in the forest domain hierarchy, so that the initiator can obtain a ticket from a domain controller in the responder’s domain.

It is recommended that you use Kerberos authentication in a two-way (mutual) domain and forest trust environment. Although one-way domain and forest trusts are supported, it is not recommended to use Kerberos in this type of trust environment. If you do, you must design the IPSec policy to ensure that the IKE initiator can obtain a ticket from a domain controller in the responder’s domain. Also, traffic might be lost if IKE fails to rekey main mode negotiations in the opposite direction. Because an IKE main mode negotiation is performed on demand when quick mode negotiations are rekeyed, when configuring lifetimes in kilobytes (KBs) for the associated filter action, use as high a value as possible to minimize rekey authentication failures. If you are using ESP DES or 3DES for encryption, you can set the lifetime value to as high as 200,000 KB (200 megabytes). If you set a higher value, however, the risk of a sophisticated attacker gaining knowledge of the 56-bit encryption keys increases. If you are using ESP or AH for integrity and authenticity, you can set the value to as high as 2 gigabytes because the key sizes are much larger for MD5 (128-bit) and SHA1 (160-bit).
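The following script is an added example, not part of the original article, showing how the two policy requirements above (an explicit permit for all traffic to the domain controllers, and a negotiated rule that uses Kerberos with a quick mode lifetime expressed in kilobytes) are built with the netsh ipsec static context on Windows Server 2003. The IP addresses are constructed placeholders, and the parameter names are taken from the netsh ipsec static context as documented for Windows Server 2003; confirm them on the target server with netsh ipsec static add rule /? before running.

```batch
@echo off
rem Added example (not from the original article). Addresses are placeholders.

rem 1. Explicitly permit all traffic to the domain controllers. Kerberos is
rem    no longer a default exemption, and the IKE initiator must be able to
rem    reach a DC to obtain a ticket before the negotiated rule can succeed.
netsh ipsec static add filterlist name="DC Traffic"
netsh ipsec static add filter filterlist="DC Traffic" srcaddr=me dstaddr=192.0.2.10 mirrored=yes protocol=any description="DC1 (placeholder address)"
netsh ipsec static add filter filterlist="DC Traffic" srcaddr=me dstaddr=192.0.2.11 mirrored=yes protocol=any description="DC2 (placeholder address)"
netsh ipsec static add filteraction name="Permit" action=permit

rem 2. Traffic to the application server that must be negotiated. The
rem    quick mode lifetime is given in kilobytes (200000k) and seconds;
rem    200,000 KB is the upper value the text allows for ESP DES/3DES.
netsh ipsec static add filterlist name="Server Traffic"
netsh ipsec static add filter filterlist="Server Traffic" srcaddr=me dstaddr=198.51.100.20 mirrored=yes protocol=any description="application server (placeholder address)"
netsh ipsec static add filteraction name="Require ESP 3DES" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:200000k/3600s"

rem 3. Policy and rules. kerberos=yes selects Kerberos V5 as the IKE
rem    authentication method for the negotiated rule; the permit rule
rem    does not negotiate and therefore needs no authentication method.
netsh ipsec static add policy name="Kerberos IPSec" description="Kerberos-authenticated IPSec (example)"
netsh ipsec static add rule name="Allow DCs" policy="Kerberos IPSec" filterlist="DC Traffic" filteraction="Permit"
netsh ipsec static add rule name="Secure server" policy="Kerberos IPSec" filterlist="Server Traffic" filteraction="Require ESP 3DES" kerberos=yes

rem 4. Assign the policy to this computer and list it for verification.
netsh ipsec static set policy name="Kerberos IPSec" assign=yes
netsh ipsec static show policy name="Kerberos IPSec" level=verbose
```

Run the script on both the initiator and the responder (with the server side mirroring the filter addresses), and keep the DC permit rule in place on every computer that must obtain a ticket; in a cross-forest trust the DC list has to cover the domain controllers in the responder's domain as well, as described above.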

By default, when Kerberos authentication is used, the Access this computer from the network or Deny this computer access from the network logon right (defined in Group Policy) is evaluated. This evaluation is performed only by the IKE main mode responder (the computer that receives the ticket and must determine whether to accept it). Typically, clients obtain Kerberos tickets to access a server. Likewise, the IPSec policy must contain filters that will trigger the IKE negotiation from the IKE initiator, the client that is requesting IPSec access to the server. The server can then use these logon rights to restrict access to certain client computer security groups. However, if IKE rekeys main mode negotiations, the server does not evaluate these rights again.