- The Windows 2000\XP\.NET Resource Index
Home | About Us | Search

Last Updated December 16, 2003

Windows 2003
Windows 2000
Windows XP
Book Reviews
Career Tools
Device Drivers
Hardware Guides
MCSE Toolkit
Service Packs
  Articles & Whitepapers
  Books on Security
  Disaster Recovery
  FAQ's & Tutorials
  Incident Response
  Intrusion Detection
  Legal Resources
  Online Seminars
  Password Security
  Penetration Testing
  Security Links
  Securing Networks
  Social Engineering











Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed at the Massachusetts Institute of Technology (MIT) in the 1980s to provide proof of identity on a network. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. Rather than Kerberos' usual password-hash-based secret key, Microsoft chose to add its own extensions, which makes its implementation of Kerberos slightly nonstandard, but still allows for authentication with other networks that use Kerberos 5.
Where to Start:
Answers to Frequently Asked Kerberos Questions
Microsoft Knowledge Base Article: 266080 - This article answers frequently asked questions about the Microsoft Windows 2000 implementation of the Kerberos V5 authentication protocol. 

Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Microsoft Knowledge Base Article: 217098 - Describes Kerberos user authentication in Windows 2000. 

Information About the Windows 2000 Kerberos Implementation
Microsoft Knowledge Base Article: 248758 - The latest Request for Comment (RFC) submissions that document some of the ways Kerberos is used in Windows 2000.

Introduction to Kerberos
Microsoft Knowledge Base Article Online Support site WebCast This presentation describes the fundamental characteristics of Kerberos in a Microsoft Windows 2000 environment. Some interoperability features with Kerberos in Windows 2000 are also discussed. 

MIT's Kerberos Information Page
The official home page for Kerberos information.

Moron's Guide to Kerberos
A brief guide to Kerberos by Brian Tung. Covers what it's for, how it works, how to use it. It is not for system administrators who want to know why they can't make the latest release, nor is it for applications programmers who want to know how to use the interface. It certainly isn't for Kerberos hackers. You know who you are.

Kerberos Explained
Article from the May 2000 issue of Windows 2000 Advantage magazine. Although this article is billed as a primer to Kerberos authentication, it is a high technical review. Kerberos is an integral part of Windows 2000 Active Directory implementations, and anyone planning to deploy and maintain a Windows 2000 enterprise must have a working knowledge of the principals and administrative issues involved in this front-line security technology.

Kerberos FAQ
The official newsgroup Frequently Asked Questions about the Kerberos security protocol

Kerberos in Win2K
Discover the key features of Microsoft's Win2K Kerberos implementation. Source: Windows & .NET Magazine (Oct 1999)

Kerberos Security in Windows 2000
Zubair Ahmad takes a look at Kerberos 5, Windows 2000's primary authentication protocol, and explains how Kerberos security works. Source: Windows 2000 Magazine (Oct 1997)

Kerberos Transitive Trust Examined
Follow the author as he steps you through the Kerberos authentication process in a tree containing five domains. Source: Windows 2000 Magazine (Oct 1999)

Sharing a Secret: How Kerberos Works
A cool graphical representation of the Kerberos authentication process in PDF format. Source: ComputerWorld

Understanding Windows 2000 Network Access Security and Kerberos
Windows 2000 expert William Boswell discusses network security and Kerberos. Source: InformIT (March 16, 2001)

Windows 2000 Kerberos Authentication 
This downloadable whitepaper provides a technical introduction to how the Windows© 2000 operating system implements the Kerberos version 5 authentication protocol and includes detailed explanations of important concepts, architectural elements, and features of Kerberos authentication. Source:

Useful Articles..
Admission Control Service Domain Name Requirements in Kerberos Environment Other Than Windows 2000
Microsoft Knowledge Base Article: 254111 - Explains the requirements for specifying a domain name for the Windows 2000 Quality of Service (QoS) Admission Control Service to operate in a Kerberos authentication environment that is not Windows 2000-based. 

Can Kerberos remain an open standard?
A look at the open IETF standards and Microsoft's changes to Kerberos in the name of innovation. Is Microsoft really improving Kerberos, or attempting to make a proprietary version? Source: Windows IT Security (March 9, 2000)

Description of Kerberos Policies in Windows 2000
Microsoft Knowledge Base Article: 231849 - In Windows 2000, Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). Kerberos policy is stored in Active Directory as a subset of the attributes of a domain security policy. 

Description of PKINIT Version Implemented in Kerberos in Windows 2000
Microsoft Knowledge Base Article: 248753 - PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos." Windows 2000 uses this protocol when you use a smart card for interactive logon.

Forcing Kerberos to Use TCP Rather Than UDP in Windows 2000 
Microsoft Knowledge Base Article: 244474 - The Windows 2000 Kerberos Authentication package is the default in Windows 2000. It coexists with challenge/response (NTLM) and is used in instances in which both a client and server can negotiate Kerberos. 

How to Enable Kerberos Event Logging
Microsoft Knowledge Base Article: 262177 - Windows 2000 offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. This article describes how to enable Kerberos event logging.

Information on the Transitivity of a Kerberos Realm Trust
Microsoft Knowledge Base Article: 260123 - This article discusses the transitivity of a trust formed between a Microsoft Windows 2000 domain and a Kerberos realm.

Kerberos Administration in Windows 2000
Microsoft Knowledge Base Article: 232179 - The Windows 2000 implementation of the Kerberos Authentication protocol does not require extensive administration or configuration. Because it is the default authentication package, it is installed automatically on all Microsoft Windows 2000 

Kerberos: Computer Security's Hellhound
Kerberos is a tried and true open source security standard, but will interoperability problems dog the Microsoft implementation? Source: Network Computing

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
Examines the use of the Kerberos interoperability features with the Windows 2000 operating system. Source: Microsoft

Using Uppercase Letters for Kerberos Realm Names
Microsoft Knowledge Base Article: 248807 -
All Windows 2000 domains are also Kerberos realms. However the realm name is always the all uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name. 

Windows 2000 Kerberos Authentication
Downloadable whitepaper in Word format which provides a technical introduction to how the Windows© 2000 operating system implements the Kerberos version 5 authentication protocol. The paper includes detailed explanations of important concepts, architectural elements, and features of Kerberos authentication. The first section, ©Overview of the Kerberos Protocol,? is for anyone unfamiliar with Kerberos authentication. Following this introduction to the protocol are several sections with details of Microsoft?s implementation in Windows 2000. The paper concludes with a brief discussion of requirements for interoperability with other implementations. Source: Microsoft (June 1999)

Windows 2000 Kerberos Interoperability Overview
Microsoft receives many inquiries about Kerberos interoperability in Windows 2000 Server operating systems. This marketing bulletin describes the Microsoft position and provides background information on Kerberos and Windows 2000 Server.

Windows 2000 Kerberos Interoperability
White paper which describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations.

Known Issues:
Administrator Account Is Not Usable by Non-Windows 2000 Kerberos Clients
Microsoft Knowledge Base Article: 248808 - All Windows 2000 user accounts are also Kerberos principal names. This allows non-Windows-based implementations of Kerberos to use a Windows 2000 domain as a Kerberos realm. 

Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000
Microsoft Knowledge Base Article: 274438 - This article describes why you cannot use internal Kerberos trust relationships between two forests in Windows 2000. 

Clients Cannot Log On by Using Kerberos over TCP 
Microsoft Knowledge Base Article: 320903 - Clients cannot log on to the domain if the clients use Kerberos over Transport Control Protocol (TCP). Clients that use Kerberos over User Datagram Protocol (UDP) can log on correctly. 

Client Performance Is Inconsistent in a Windows 2000-Based Domain That Uses Kerberos Authentication 
Microsoft Knowledge Base Article: 279637 - When you log on to a Windows 2000-based client that belongs to a Windows 2000-based domain, and the domain uses Kerberos authentication, you may encounter inconsistent performance. 

IPSec Does Not Secure Kerberos Traffic Between Domain Controllers
Microsoft Knowledge Base Article: 254728 - The IP Security Protocol (IPSec) does not secure Kerberos or RSVP traffic between Windows 2000 domain controllers, even when the IPSec policy filter is configured to match all IP traffic between the two IP addresses. 

Kerberos Authentication May Not Work If User Is a Member of Many Groups
Microsoft Knowledge Base Article: 280830 - If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources. 

Kerberos Change Password Does Not Work When Account Password Expires
Microsoft Knowledge Base Article: 253532 - When your password expires, you may be unable to change it using the Kerberos Change Password mechanism. 

Kerberos Interoperability--New Realms are Not Propagated Properly
Microsoft Knowledge Base Article: 253531 - When a Kerberos realm is added to the realm list, it may not be updated until the client is rebooted. This problem can occur when interfacing with third-party Kerberos implementations. 

Kerberos Negative Caching Causes Logon to Not Be Retried on PDC  
Microsoft Knowledge Base Article: 306131 - When a DC that is not the PDC fails an authentication with STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE or STATUS_ACCOUNT_LOCKED_OUT (collectively referred to later as BAD_PASSWORD_STATUS -, the logon is retried at the PDC. In Windows 2000 Service Pack 2 (SP2), the Kerberos authentication package implements a negative-caching mechanism that would stop the forwarding of requests to the PDC if any of the preceding BAD_PASSWORD_STATUS statuses were returned after 1 logon request for a period of 5 minutes. This was implemented to help reduce the number of logon requests handled on the PDC. (updated 10/18/2001)

Trust Does Not Work Between Windows 2000 and MIT Kerberos
Microsoft Knowledge Base Article: 266082 - When you attempt to create a trust between Windows 2000 and a MIT Kerberos realm, and you have disabled NetBIOS over Transmission Control Protocol/Internet Protocol (TCP/IP), the trust does not work and you may receive the following error messages 

Using Uppercase Letters for Kerberos Realm Names
Microsoft Knowledge Base Article: 248807 - All Windows 2000 domains are also Kerberos realms. However the realm name is always the all uppercase version of the domain name. There is no way to have a Kerberos realm name that is different from the domain name. 


Entire contents
© 1999-2003 and TechTarget
All rights reserved

This site and its contents are Copyright 1999-2003 by Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with The products referenced in this site are provided by parties other than makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.