Security

Kerberos v5 is the primary security protocol for authentication within a domain. The Kerberos v5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.

The Kerberos v5 authentication mechanism issues a ticket-granting ticket (TGT) that is used to get service tickets (STs) that provide access to network services. These tickets contain encrypted data, including an encryption password that confirms the user's identity to the requested service. Except for entering an initial password or smart card credentials, the authentication process is transparent to the user. The general Kerberos authentication process consists of the following steps:

  • The user on a client system, using a password or a smart card, authenticates to the Key Distribution Center (KDC). The KDC runs on each domain controller as part of Active Directory.

  • The KDC issues a special ticket-granting ticket to the client. The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos v5 authentication mechanism on the domain controller. The ticket-granting service then issues a service ticket to the client.

  • The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.
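The three steps above, carried through as a small simulation. This is an added example, not code from Microsoft or from the Windows 2000 Server Resource Kit: it models the AS exchange (pre-authentication and TGT), the TGS exchange (service ticket) and the AP exchange (mutual authentication) with a stdlib-only encrypt-then-MAC construction standing in for a real Kerberos encryption type, and the realm, principal names and passwords are constructed. It also shows the two checks a defender cares about most: a wrong password fails pre-authentication at the KDC, and a service that does not hold the real service key cannot produce a valid AP-REP, so the client never trusts it.

```python
"""Toy Kerberos v5 flow: AS (TGT) -> TGS (service ticket) -> AP (mutual auth).
Constructed example; the cipher below is a stand-in, not a Kerberos etype."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 600  # seconds; constructed value
CLOCK_SKEW = 300       # Kerberos tolerates 5 minutes of clock skew by default


def _seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object with a hash-derived keystream (toy cipher)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt; a wrong key or any tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("integrity check failed: wrong key or tampered data")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


def _string_to_key(password: str, salt: str) -> bytes:
    """Derive a principal's long-term key from its password (stand-in for string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def validate_ticket(service_key: bytes, ticket: bytes, authenticator: bytes):
    """Decrypt the ticket with the presenting service's own key, then check that the
    authenticator was sealed with the session key inside the ticket and is fresh."""
    t = _open(service_key, ticket)
    if time.time() > t["expires"]:
        raise PermissionError("ticket expired")
    a = _open(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return t, a


class KDC:
    """Authentication Service and Ticket-Granting Service, as hosted on a domain controller."""
    def __init__(self, realm: str, users: dict, services: list):
        self.realm = realm
        self.keys = {u: _string_to_key(p, realm + u) for u, p in users.items()}
        self.keys.update({s: os.urandom(32) for s in services})
        self.keys["krbtgt"] = os.urandom(32)  # key that protects every TGT

    def service_key(self, name: str) -> bytes:  # provisioning the service's own key
        return self.keys[name]

    def _issue(self, client: str, sname: str, reply_key: bytes):
        sk, exp = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        ticket = _seal(self.keys[sname], {"client": client, "sname": sname,
                                          "session_key": sk, "expires": exp})
        enc_part = _seal(reply_key, {"sname": sname, "session_key": sk, "expires": exp})
        return ticket, enc_part

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ: pre-auth timestamp must open under the user's key; AS-REP: TGT."""
        ts = _open(self.keys[user], preauth)["timestamp"]
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside allowed skew")
        return self._issue(user, "krbtgt", self.keys[user])

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ: validate TGT and authenticator; TGS-REP: service ticket."""
        t, _ = validate_ticket(self.keys["krbtgt"], tgt, authenticator)
        return self._issue(t["client"], service, bytes.fromhex(t["session_key"]))


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ proves the client; AP-REP proves the service by echoing the
        authenticator timestamp under a session key only the real key holder can read."""
        t, a = validate_ticket(self.key, ticket, authenticator)
        return _seal(bytes.fromhex(t["session_key"]), {"timestamp": a["timestamp"]})


class Client:
    def __init__(self, user: str, password: str, kdc: KDC):
        self.user, self.kdc = user, kdc
        self.key = _string_to_key(password, kdc.realm + user)
        self.tgt = self.tgt_sk = None

    def logon(self):
        """Step 1: authenticate to the KDC and obtain the TGT."""
        self.tgt, enc = self.kdc.as_exchange(self.user, _seal(self.key, {"timestamp": time.time()}))
        self.tgt_sk = bytes.fromhex(_open(self.key, enc)["session_key"])

    def access(self, service: Service) -> bool:
        """Steps 2 and 3: get a service ticket, present it, verify the service's reply."""
        st, enc = self.kdc.tgs_exchange(
            self.tgt, _seal(self.tgt_sk, {"client": self.user, "timestamp": time.time()}), service.name)
        st_sk = bytes.fromhex(_open(self.tgt_sk, enc)["session_key"])
        ts = time.time()
        rep = _open(st_sk, service.ap_exchange(st, _seal(st_sk, {"client": self.user, "timestamp": ts})))
        return rep["timestamp"] == ts  # True only if the service recovered the session key


def run_demo() -> dict:
    """Constructed realm: one user, one file service, one impostor lacking the real key."""
    kdc = KDC("EXAMPLE.LOCAL", {"alice": "correct horse battery"}, ["cifs/fileserver"])
    fileserver = Service("cifs/fileserver", kdc.service_key("cifs/fileserver"))
    impostor = Service("cifs/fileserver", os.urandom(32))
    alice = Client("alice", "correct horse battery", kdc)
    alice.logon()
    results = {"mutual_auth": alice.access(fileserver)}
    try:
        alice.access(impostor)
        results["impostor_rejected"] = False
    except PermissionError:  # cannot open the ticket, so no valid AP-REP is possible
        results["impostor_rejected"] = True
    try:
        Client("alice", "wrong password", kdc).logon()
        results["bad_password_rejected"] = False
    except PermissionError:  # pre-authentication fails at the KDC
        results["bad_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Every ticket is sealed under the key of the party that must open it (the TGT under the krbtgt key, the service ticket under the service's key), which is why the client never learns the contents of either and why a host that lacks the real service key cannot complete step 3: it can receive the ticket but cannot recover the session key needed to produce the reply the client checks.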

For more information about how Kerberos v5 provides authentication, see the Windows 2000 Server Resource Kit.