Kerberos and Windows 2000


There has been much gnashing of teeth in the Unix community in the past few weeks over Microsoft's implementation of Kerberos for security in Windows 2000. What's it all about?

Kerberos has generally been used for authentication, to identify users. The user provides the Kerberos server with some proof of identity (password, biometric and/or smart token) and receives credentials, called a "ticket." The ticket can be used to authenticate in the background to any server or service for which the user has been given access. Note that this is a very simplified explanation of the process.

In a Unix environment, Kerberos is generally not used for authorization purposes, only for authentication. But the specification for Kerberos includes a field ("authdata") that is intended to carry authorization data - that is, the rights and privileges of the authenticated user, or a path to where they can be found, or perhaps something else. The problem is that the contents of this field have never been specified.

Microsoft, however, uses this field in its implementation of Kerberos for Win 2000 to actually carry authorization data. When an authenticated user attempts to use a server or service in the network, the server will examine the Kerberos ticket to discover which rights that user has.
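The following is an added illustration, not code from this column or from Microsoft, of the interoperability point above: a small DER encoder and parser for the Kerberos AuthorizationData field, plus a model of a server that only learns a user's rights if the ticket carries Windows 2000 authorization data. The ad-type numbers (AD-IF-RELEVANT = 1, AD-WIN2K-PAC = 128) are the registered values from RFC 4120 section 7.5.4; the "server" logic, the two sample tickets and the PAC payload are constructed, and the PAC is treated as an opaque byte string because its layout is exactly what the column says had not been published.

```python
"""Added example: Kerberos AuthorizationData and a ticket-driven authorization check.

Not from the article or from any vendor code. Only the two ad-type constants are
real (RFC 4120 section 7.5.4); everything else is a constructed model.
"""
from typing import List, Optional, Tuple

AD_IF_RELEVANT = 1    # wrapper: "ignore the contents if you do not understand them"
AD_WIN2K_PAC = 128    # container Windows uses for its authorization data (the PAC)


def _der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_int(value: int) -> bytes:
    """INTEGER, two's complement, minimal length (128 needs a leading zero byte)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_authorization_data(elements: List[Tuple[int, bytes]]) -> bytes:
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }"""
    items = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
        for ad_type, ad_data in elements
    )
    return _tlv(0x30, items)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_authorization_data(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse AuthorizationData into [(ad-type, ad-data), ...]; empty input means the field was absent."""
    if not buf:
        return []
    tag, seq, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected a single SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, element, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AuthorizationData element must be a SEQUENCE")
        t0, ctx0, p = _read_tlv(element, 0)
        t1, ctx1, p = _read_tlv(element, p)
        if (t0, t1) != (0xA0, 0xA1) or p != len(element):
            raise ValueError("malformed AuthorizationData element")
        ti, int_body, _ = _read_tlv(ctx0, 0)
        to, data, _ = _read_tlv(ctx1, 0)
        if ti != 0x02 or to != 0x04:
            raise ValueError("bad ad-type or ad-data encoding")
        out.append((int.from_bytes(int_body, "big", signed=True), data))
    return out


def find_pac(authdata: bytes) -> Optional[bytes]:
    """Return the opaque PAC blob if present, looking inside AD-IF-RELEVANT wrappers."""
    for ad_type, ad_data in decode_authorization_data(authdata):
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT:
            nested = find_pac(ad_data)
            if nested is not None:
                return nested
    return None


def authorize(ticket_authdata: bytes) -> str:
    """Modelled server behaviour: rights come from the ticket only if a PAC is there."""
    pac = find_pac(ticket_authdata)
    if pac is None:
        return "authenticated, no authorization data: rights must be looked up elsewhere"
    return f"authenticated, {len(pac)}-byte PAC present: rights can be read from the ticket"


# Constructed sample tickets. The PAC bytes are a placeholder, not a real PAC.
WIN2K_TICKET_AUTHDATA = encode_authorization_data([
    (AD_IF_RELEVANT, encode_authorization_data([(AD_WIN2K_PAC, b"<opaque PAC blob>")])),
])
UNIX_KDC_TICKET_AUTHDATA = b""   # a KDC that does not fill the field at all

if __name__ == "__main__":
    print(authorize(WIN2K_TICKET_AUTHDATA))
    print(authorize(UNIX_KDC_TICKET_AUTHDATA))
```

The second call is the situation the column describes: the ticket is perfectly valid Kerberos and the user is authenticated, but a server that expects its authorization data inside the ticket finds nothing there and has to consult some other source of rights, or deny access.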

Unfortunately, Microsoft provides no means for non-Win 2000 Kerberos servers to fill this field in a way that will be recognized by Win 2000 servers. That's the part Unix vendors are upset about.

So Microsoft hasn't modified the specification to create some proprietary form of Kerberos. At most, the company is guilty of not playing fair, by not allowing other Kerberos servers to fully participate. When this was pointed out, Microsoft agreed that either the details of the data in this field should be made public, or perhaps a way can be found to allow other servers to issue the proper credentials. While nothing has changed as of today, Microsoft has committed to playing fair and should soon provide vendors with a mechanism to fully participate in Kerberos authentication and authorization in a heterogeneous Win 2000 network.

RELATED LINKS

Dave Kearns is a writer and consultant in Silicon Valley. His most recent book is "Peter Norton's Complete Guide to Networks" published by SAMS. Dave's company, Virtual Quill, provides content services to network vendors: books, manuals, white papers, lectures and seminars, marketing, technical marketing and support documents. Virtual Quill provides "words to sell by..." Find out more at Virtual Quill or by e-mail at info@vquill.com

Windows 2000 Kerberos Authentication

Windows 2000 Kerberos Interoperability

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability

Copyright, 1994-2006 Network World, Inc. All rights reserved.