Kerberos Protocol

    Authentication in Microsoft domain networks has traditionally been done using NTLM or Kerberos protocol. Kerberos protocol is a more secure authentication mechanism than NTLM which also overcomes the well-known double hop issue associated with NTLM.

    Microsoft's implementation of the Kerberos protocol involves three parties – client, server and the Key Distribution Center (KDC). The client and server referred above are also known as Service Principals. An essential pre-requisite for Kerberos to work is that target services in the conversation must have had their Service Principal Names (SPN) registered. An SPN comprises of the following format: [service class] / [host] : [port]/[service name] . Service class represents the type of service (well known examples being HOST, HTTP), host is the fully-qualified DNS name or the NetBIOS name of the host. Port and service name are optional fields. An example of a SPN entry would be: HTTP/3rdRock where the service class is HTTP and the host is 3rdRock.

A few points to note about SPN's:

• A SPN must be registered only for one service account. We cannot have the same SPN to be registered under different service account.

  E.g.: Following registration will result in the second SPN to be active.

  http/server1 redmond\account1

  http/server1 redmond\account2

• For a service behind a load balancer, services in all the servers should be configured to use same account.

• It is generally a good idea to create the SPN for both the FQDN as well as the NetBIOS name

http/server1 redmond\account1

http/server1.redmond.corp.microsoft.com redmond\account1

• Currently some Kerberos clients do not construct the SPN correctly if the service is configured to be listening on a non-default port. https://support.microsoft.com/kb/908209/en-us

Kerberos Domain Controller (KDC), running on a Windows Domain Controller, serves as the trusted third party, and performs two service functions: Authentication Service (AS) and Ticket Granting Service (TGS).

    The following is a simplified view of the authentication process:

Client (Joe) sends a request to the AS asking for a TGT (which will later help to authenticate to the service). AS responds by sending a TGT along with additional information encrypted with client master key (password hash). Client decrypts the additional information to extract a session key (which will be used for further communication with KDC). When client wants to access a service (Kerberos enabled site), it sends a request for service ticket to TGS constructing the SPN for the service along with the TGT (received in Step 2). TGS decrypts the TGT to extract the session key and validate the client. TGS prepares the service ticket for SPNs and encrypts using service master key, which is the key for the service account of the target service. Client receives the response and sends service ticket to the service (web server). Service uses its master key to decrypt the ticket and extract the session key. Service uses this session key to authenticate the client and sends an appropriate response.

Handy tools to help you with Kerberos:

• setspn: Command line tool to set and verify SPN entries. It is available with default installation of Windows Server 2008 (For Windows Server 2003: Windows Server 2003 Service Pack 1 Support Tools)
• ldp.exe: GUI tool to verify constrained delegation. It is available with default installation of Windows Server 2008 once the Active Directory Domain Services role is added (For Windows Server 2003: Ldp overview and download). Also refer here for help with the tool. To verify CD, your search filter for this tool might look like: (&(objectClass=user)(sAMAccountName=[service name])) 
• klist: Command line tool to view all the kerberos tickets (cached)
• netmon: Can't get any better than this. Put up a network sniffer to troubleshoot any issues with Kerberos

A few other good resources to learn about Kerberos Protocol:

1. Kerberos Authentication in Windows Server 2003: One stop source to learn, plan and deploy Kerberos authentication in a Windows Server 2003 environment.
2. Designing Secure Web-Based applications for Microsoft Windows 2000, Michael Howard: Even though the title of the book suggests it is for Windows 2000, chapter 14: An Introduction to Kerberos Authentication in Windows 2000, is one of the best primer for anyone who wants to know the basics of Kerberos in a Windows environment.
3. How to troubleshoot Kerberos-related issues in IIS: A good start point to get help in troubleshooting Kerberos-related issues