Learning the Kerberos Protocol

Learning the Kerberos protocol helps us understand the principles behind the golden ticket and silver ticket, which are covered later.

Kerberos protocol

Kerberos is a network authentication protocol proposed by the Massachusetts Institute of Technology (MIT). It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

The Kerberos protocol involves three main roles:

(1) The Client that accesses a service (referred to below as Client, i.e. the user)

(2) The Server that provides the service (referred to below as Service)

(3) The KDC (Key Distribution Center)

The KDC service is installed by default on the domain controller of the domain, while the Client and Server are domain users or services, such as HTTP services, SQL services, or Remote Desktop services. In Kerberos, whether a Client is authorized to access a Server is decided by the tickets issued by the KDC service.

How Kerberos works


(1) AS_REQ: The Client sends an AS_REQ to the KDC. Its contents include a timestamp encrypted with the Client's password hash, the Client ID, the network address, the encryption type, and so on.

(2) AS_REP: The KDC looks up the account in ntds.dit and decrypts using the Client's hash. If the result is correct, it returns a TGT ticket encrypted with the NTLM hash of the krbtgt account. The TGT contains the PAC, and the PAC contains the Client's SID and the groups the Client belongs to.

PAC stands for Privilege Attribute Certificate. Different accounts have different permissions, and the PAC is the way those different privileges are distinguished.

(3) TGS_REQ: Using the TGT ticket, the Client sends a TGS_REQ to the KDC requesting a ticket for a particular service.

(4) TGS_REP: The KDC decrypts the TGT with the krbtgt NTLM hash. If the result is correct, it returns a TGS ticket encrypted with the service account's NTLM hash, carrying the PAC. (This step does not check whether the user has access to the service: as long as the TGT is valid, a TGS ticket is returned.)

TGT: Ticket Granting Ticket, the authentication ticket

TGS: Ticket Granting Service, the service that issues tickets

TGS ticket: referred to below as the service ticket, ST (Service Ticket)

(5) AP_REQ: The Client presents the TGS ticket to the service to request access.

(6) AP_REP: The service decrypts the TGS ticket with its own NTLM hash. If decryption succeeds, it takes the PAC to the KDC and asks whether the Client has access; the domain controller decrypts the PAC and obtains the Client's SID and the groups it belongs to, and then, according to the service's ACL, determines whether the Client is allowed to access the service.
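The six messages above, modelled end to end as an added toy example (this is not code from the original post). Assumptions: the long-term key is SHA-256 of the UTF-16LE password, standing in for the NTLM hash; "encryption" is a small HMAC-based stream cipher with an authentication tag, standing in for the Kerberos encryption types; the PAC validation round trip of step (6) is collapsed into the service reading the PAC it decrypted; all account names, passwords, SIDs, groups and ACLs are constructed sample values. The model shows two points a reader should take from the text: the TGS hands out a service ticket without any authorization check (step 4), and access is only decided by the service's ACL against the PAC (step 6), while a wrong password fails at AS_REQ and an altered ticket fails its integrity check.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds; the KDC rejects stale pre-authentication timestamps


def long_term_key(password: str) -> bytes:
    # Stand-in for the NTLM hash (assumption: SHA-256 instead of MD4 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError for a wrong key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key, like ntds.dit on a domain controller."""

    def __init__(self, accounts: dict, directory: dict):
        self.keys = {name: long_term_key(pw) for name, pw in accounts.items()}
        self.directory = directory  # constructed: name -> {"sid": ..., "groups": [...]}

    def as_exchange(self, as_req: dict) -> dict:
        """(1) AS_REQ -> (2) AS_REP: check the encrypted timestamp, issue a TGT with a PAC."""
        preauth = unseal(self.keys[as_req["cname"]], as_req["enc_timestamp"])
        if abs(time.time() - preauth["ts"]) > MAX_SKEW:
            raise ValueError("timestamp outside allowed skew")
        entry = self.directory[as_req["cname"]]
        pac = {"sid": entry["sid"], "groups": entry["groups"]}
        return {"tgt": seal(self.keys["krbtgt"], {"cname": as_req["cname"], "pac": pac})}

    def tgs_exchange(self, tgs_req: dict) -> dict:
        """(3) TGS_REQ -> (4) TGS_REP: any TGT that decrypts under the krbtgt key gets a
        service ticket; the PAC is copied across and no ACL is consulted here."""
        tgt = unseal(self.keys["krbtgt"], tgs_req["tgt"])
        st = seal(self.keys[tgs_req["sname"]], {"cname": tgt["cname"], "pac": tgt["pac"]})
        return {"st": st}


class Service:
    def __init__(self, name: str, password: str, acl: set):
        self.name, self.key, self.acl = name, long_term_key(password), acl

    def ap_exchange(self, ap_req: dict) -> bool:
        """(5) AP_REQ -> (6) AP_REP: decrypt the ST with our own key, then apply the ACL
        to the groups in the PAC. Returns True if access is granted."""
        st = unseal(self.key, ap_req["st"])
        return any(group in self.acl for group in st["pac"]["groups"])


def client_login(kdc: KDC, cname: str, password: str, sname: str) -> bytes:
    """Run AS and TGS exchanges for one client and return the service ticket."""
    key = long_term_key(password)
    as_rep = kdc.as_exchange({"cname": cname, "enc_timestamp": seal(key, {"ts": time.time()})})
    return kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": sname})["st"]


def demo() -> dict:
    accounts = {"krbtgt": "Krbtgt-Secret-1", "alice": "Alice-Pw-1",
                "bob": "Bob-Pw-1", "sqlsvc": "Sql-Svc-Pw-1"}  # constructed
    directory = {"alice": {"sid": "S-1-5-21-1-1-1-1105", "groups": ["Domain Users", "DB Admins"]},
                 "bob": {"sid": "S-1-5-21-1-1-1-1106", "groups": ["Domain Users"]}}
    kdc = KDC(accounts, directory)
    sql = Service("sqlsvc", accounts["sqlsvc"], acl={"DB Admins"})
    results = {}
    # Both users receive a TGT and a service ticket; only the service's ACL separates them.
    results["alice_allowed"] = sql.ap_exchange({"st": client_login(kdc, "alice", "Alice-Pw-1", "sqlsvc")})
    results["bob_allowed"] = sql.ap_exchange({"st": client_login(kdc, "bob", "Bob-Pw-1", "sqlsvc")})
    # A wrong password fails at the AS exchange (the encrypted timestamp does not verify).
    try:
        client_login(kdc, "bob", "wrong-password", "sqlsvc")
        results["wrong_pw_rejected"] = False
    except ValueError:
        results["wrong_pw_rejected"] = True
    # A service ticket altered in transit fails the service's integrity check.
    st = client_login(kdc, "bob", "Bob-Pw-1", "sqlsvc")
    tampered = st[:20] + bytes([st[20] ^ 1]) + st[21:]
    try:
        sql.ap_exchange({"st": tampered})
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Everything a ticket says about a user rests on the key it is sealed with: the TGT on the krbtgt key and the ST on the service account's key. That is why the later discussion of golden and silver tickets centres on protecting those two kinds of long-term secrets, and why defenders monitor for tickets whose PAC claims do not match the directory.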


Kerberos authentication mainly solves two problems.

The first problem: how do you prove that you are user XXX? This is the responsibility of the Authentication Server (AS).

The second problem: how does the Server know that you are allowed to access the services it provides? When a Client accesses a service on a Server, how does the Server determine whether the Client has permission to access the service on its host? This is the responsibility of the Ticket Granting Server (TGS).


Source: www.cnblogs.com/sup3rman/p/12329222.html