Kerberos

MIT's Kerberos Information Page
The official home page for Kerberos information.

Moron's Guide to Kerberos
A brief guide to Kerberos by Brian Tung. Covers what it's for, how it works, how to use it. It is not for system administrators who want to know why they can't make the latest release, nor is it for applications programmers who want to know how to use the interface. It certainly isn't for Kerberos hackers. You know who you are.

Kerberos Explained
Article from the May 2000 issue of Windows 2000 Advantage magazine. Although this article is billed as a primer to Kerberos authentication, it is a high technical review. Kerberos is an integral part of Windows 2000 Active Directory implementations, and anyone planning to deploy and maintain a Windows 2000 enterprise must have a working knowledge of the principals and administrative issues involved in this front-line security technology.

Kerberos FAQ
The official newsgroup Frequently Asked Questions about the Kerberos security protocol

Kerberos in Win2K
Discover the key features of Microsoft's Win2K Kerberos implementation. Source: Windows & .NET Magazine (Oct 1999)

Kerberos Security in Windows 2000
Zubair Ahmad takes a look at Kerberos 5, Windows 2000's primary authentication protocol, and explains how Kerberos security works. Source: Windows 2000 Magazine (Oct 1997)

Kerberos Transitive Trust Examined
Follow the author as he steps you through the Kerberos authentication process in a tree containing five domains. Source: Windows 2000 Magazine (Oct 1999)

Sharing a Secret: How Kerberos Works
A cool graphical representation of the Kerberos authentication process in PDF format. Source: ComputerWorld

Understanding Windows 2000 Network Access Security and Kerberos
Windows 2000 expert William Boswell discusses network security and Kerberos. Source: InformIT (March 16, 2001)

Windows 2000 Kerberos Authentication 
This downloadable whitepaper provides a technical introduction to how the Windows© 2000 operating system implements the Kerberos version 5 authentication protocol and includes detailed explanations of important concepts, architectural elements, and features of Kerberos authentication. Source:  Microsoft.com

Can Kerberos remain an open standard?
A look at the open IETF standards and Microsoft's changes to Kerberos in the name of innovation. Is Microsoft really improving Kerberos, or attempting to make a proprietary version? Source: Windows IT Security (March 9, 2000)

Description of Kerberos Policies in Windows 2000
Microsoft Knowledge Base Article: 231849 - In Windows 2000, Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). Kerberos policy is stored in Active Directory as a subset of the attributes of a domain security policy. 

Description of PKINIT Version Implemented in Kerberos in Windows 2000
Microsoft Knowledge Base Article: 248753 - PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos." Windows 2000 uses this protocol when you use a smart card for interactive logon.

Forcing Kerberos to Use TCP Rather Than UDP in Windows 2000 
Microsoft Knowledge Base Article: 244474 - The Windows 2000 Kerberos Authentication package is the default in Windows 2000. It coexists with challenge/response (NTLM) and is used in instances in which both a client and server can negotiate Kerberos. 

How to Enable Kerberos Event Logging
Microsoft Knowledge Base Article: 262177 - Windows 2000 offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. This article describes how to enable Kerberos event logging.

Information on the Transitivity of a Kerberos Realm Trust
Microsoft Knowledge Base Article: 260123 - This article discusses the transitivity of a trust formed between a Microsoft Windows 2000 domain and a Kerberos realm.

Kerberos Administration in Windows 2000
Microsoft Knowledge Base Article: 232179 - The Windows 2000 implementation of the Kerberos Authentication protocol does not require extensive administration or configuration. Because it is the default authentication package, it is installed automatically on all Microsoft Windows 2000 

Kerberos: Computer Security's Hellhound
Kerberos is a tried and true open source security standard, but will interoperability problems dog the Microsoft implementation? Source: Network Computing

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
Examines the use of the Kerberos interoperability features with the Windows 2000 operating system. Source: Microsoft

Using Uppercase Letters for Kerberos Realm Names
Microsoft Knowledge Base Article: 248807 - All Windows 2000 domains are also Kerberos realms. However the realm name is always the all uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name. 

Windows 2000 Kerberos Authentication
Downloadable whitepaper in Word format which provides a technical introduction to how the Windows© 2000 operating system implements the Kerberos version 5 authentication protocol. The paper includes detailed explanations of important concepts, architectural elements, and features of Kerberos authentication. The first section, ©Overview of the Kerberos Protocol,? is for anyone unfamiliar with Kerberos authentication. Following this introduction to the protocol are several sections with details of Microsoft?s implementation in Windows 2000. The paper concludes with a brief discussion of requirements for interoperability with other implementations. Source: Microsoft (June 1999)

Windows 2000 Kerberos Interoperability Overview
Microsoft receives many inquiries about Kerberos interoperability in Windows 2000 Server operating systems. This marketing bulletin describes the Microsoft position and provides background information on Kerberos and Windows 2000 Server.

Windows 2000 Kerberos Interoperability
White paper which describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations.

Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000
Microsoft Knowledge Base Article: 274438 - This article describes why you cannot use internal Kerberos trust relationships between two forests in Windows 2000. 

Clients Cannot Log On by Using Kerberos over TCP 
Microsoft Knowledge Base Article: 320903 - Clients cannot log on to the domain if the clients use Kerberos over Transport Control Protocol (TCP). Clients that use Kerberos over User Datagram Protocol (UDP) can log on correctly. 

Client Performance Is Inconsistent in a Windows 2000-Based Domain That Uses Kerberos Authentication 
Microsoft Knowledge Base Article: 279637 - When you log on to a Windows 2000-based client that belongs to a Windows 2000-based domain, and the domain uses Kerberos authentication, you may encounter inconsistent performance. 

IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
Microsoft Knowledge Base Article: 254728 - The IP Security Protocol (IPSec) does not secure Kerberos or RSVP traffic between Windows 2000 domain controllers, even when the IPSec policy filter is configured to match all IP traffic between the two IP addresses. 

Kerberos Authentication May Not Work If User Is a Member of Many Groups
Microsoft Knowledge Base Article: 280830 - If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources. 

Kerberos Change Password Does Not Work When Account Password Expires
Microsoft Knowledge Base Article: 253532 - When your password expires, you may be unable to change it using the Kerberos Change Password mechanism. 

Kerberos Interoperability--New Realms are Not Propagated Properly
Microsoft Knowledge Base Article: 253531 - When a Kerberos realm is added to the realm list, it may not be updated until the client is rebooted. This problem can occur when interfacing with third-party Kerberos implementations. 

Kerberos Negative Caching Causes Logon to Not Be Retried on PDC  
Microsoft Knowledge Base Article: 306131 - When a DC that is not the PDC fails an authentication with STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE or STATUS_ACCOUNT_LOCKED_OUT (collectively referred to later as BAD_PASSWORD_STATUS -, the logon is retried at the PDC. In Windows 2000 Service Pack 2 (SP2), the Kerberos authentication package implements a negative-caching mechanism that would stop the forwarding of requests to the PDC if any of the preceding BAD_PASSWORD_STATUS statuses were returned after 1 logon request for a period of 5 minutes. This was implemented to help reduce the number of logon requests handled on the PDC. (updated 10/18/2001)

Trust Does Not Work Between Windows 2000 and MIT Kerberos
Microsoft Knowledge Base Article: 266082 - When you attempt to create a trust between Windows 2000 and a MIT Kerberos realm, and you have disabled NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP), the trust does not work and you may receive the following error messages 

Using Uppercase Letters for Kerberos Realm Names
Microsoft Knowledge Base Article: 248807 - All Windows 2000 domains are also Kerberos realms. However the realm name is always the all uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name.