How does Kerberos user-to-user authentication work?

The Kerberos user-to-user (U2U) authentication mechanism enables a client to authenticate to a service that is not in possession of the long-term secret key. U2U allows one principal to authenticate using a ticket encrypted with the session key from a TGT issued to another principal. This article discusses the messages involved in the mechanism. It…


MS-SFU: A look from the Windows interface

It is not unusual for our group to receive a question regarding Constrained Delegation and Protocol Transition. Even though the document (MS-SFU) does a great job in detailing the specification, not all implementers are familiar with the way in which Windows needs to be configured in order to be able to fulfill the requirements…


Windows Configurations for Kerberos Supported Encryption Type

In one of my previous blog posts (http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx), I talked about how the encryption types of the various encrypted parts of the Kerberos exchanges are selected. The selection of these encryption types depends on some Active Directory attributes and policy settings. It is important to understand how these settings are configured from the…


Notes on Kerberos kvno in Windows RODC environment

This blog talks about key version number (kvno) in a read-only domain controller (RODC) environment. A previous blog introduced kvno in general. Here, I look at specifics in RODC environment. For a refresher, the kvno is a field of the EncryptedData structure (RFC4120 Section 5.2.9). It indicates the version number of the key used to encrypt…


Encryption Type Selection in Kerberos Exchanges

The types of encryption used in the various Kerberos exchanges are very important and sometimes confusing aspects of the Kerberos implementation. We not only need to understand the Kerberos RFCs (RFC 4120, RFC 3961, etc.) that specify in general how the encryption types should be selected, but also the effects of Windows Active Directory and registry…


Verifying the server signature in Kerberos Privilege Account Certificate

This blog post focuses on understanding how a server signature is verified in a Kerberos Privilege Account Certificate (PAC). A PAC contains two signatures: a server signature and a KDC signature. In a previous blog, I introduced PAC validation, whereby the server requests the KDC to verify the PAC. In this blog, I will talk…


To KVNO or not to KVNO, what is the version!?

Shakespeare knew nothing about Kerberos V5… Nothing! But, I still like him! And that, despite the fact that he had the audacity to paraphrase me in his play “Hamlet”. Of course no one believes me! I must admit it would be much easier to convince you about this historic truth if I had been…