Article ID: 266080
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q266080
SUMMARY
This article answers frequently asked questions about the Microsoft Windows 2000 implementation of the Kerberos V5 authentication protocol.
MORE INFORMATION
Question
Is the Windows 2000 Kerberos implementation interoperable with other Kerberos implementations?
Answer
The Windows 2000 implementation of Kerberos was developed based on the following RFCs:
Kerberos
http://www.ietf.org/rfc/rfc1510.txt?number=1510
GSSAPI Kerberos V5 Mechanism
http://www.ietf.org/rfc/rfc1964.txt?number=1964
Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicate that interoperability exists for a number of scenarios that are described in the following Windows 2000 Kerberos Interoperability whitepaper:
Interoperability testing has also occurred with Heimdal, CyberSafe, IBM and Sun implementations.
The Microsoft Windows 2000 Kerberos implementation is compliant with the following RFCs:
The Microsoft Windows 2000 implementation of Kerberos V5 does not contain support for Kerberos V4.
Question
How do I setup a cross-realm trust to a Windows 2000 domain?
Answer
The steps are outlined in the Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability:
Question
Does Windows 2000 support Kadmin?
Answer
No, Windows 2000 supports Lightweight Directory Access Protocol (LDAP) for account administration.
Question
What password changing protocol does Windows 2000 support for Kerberos clients?
Answer
Windows 2000 implements the Kerberos Change Password protocol as described in the Internet Draft draft-ietf-cat-kerb-chg-password-02.txt. This protocol is also implemented in MIT krb5-1.1.1.
Note A copy of the Internet Draft referenced above can be found in the sample file link at the bottom of this Web page link.
Question
How does Windows 2000 locate the Key Distribution Centers (KDCs)?
Answer
Windows 2000 clients use Domain Name System (DNS) SRV records to locate domain controllers in a domain, and they attempt to resolve the _ldap._tcp.dc._msdcs SRV records. Windows 2000 domain controllers also publish SRV records for _kerberos and _kpasswd services. The list of published SRV records can be found on a domain controller in the following file:
%Windir%\System32\Config\Netlogon.dns
Question
Does Windows 2000 support General Security Service Application Programming Interface (GSSAPI) (RFC-2743)?
Answer
Microsoft supports the Security Support Provider Interface (SSPI) which is semantically similar to the GSSAPI, but syntactically different. For additional information about SSPI, see the Microsoft Windows Platform SDK. The protocol used by Kerberos Security Support Provider (SSP) is the same as that used by the GSSAPI Kerberos5 mechanism defined in the following RFC:
Question
Does Windows 2000 support Krb5 Application Programming Interfaces (API)s?
Answer
No. The only Kerberos interfaces that Windows 2000 supports are through the SSPI and the LsaCallAuthenticationPackage() ticket interfaces documented in the Windows Platform SDK. The SSPI interfaces are equivalent to the Kerberos GSSAPI and produce an application that uses the GSSAPI/kerberos5 mechtype (RFC-1964) on the wire. The LsaCallAuthentication package interfaces provide a mechanism to retrieve tickets from the Kerberos ticket cache.
Question
What extensions did Microsoft make to Kerberos?
Answer
Microsoft has implemented the following extensions which are published as IETF Internet Drafts:
Kerberos Set Password protocol:
Question
What is in the Kerberos ticket authorization data?
Answer
The authorization data in the Kerberos ticket was intended by the following RFC authors to implement vendor-specific authorization data:
Windows 2000 uses this field to hold data specific to its distributed security mechanism. This is described in the Windows 2000 Server Distributed Systems Guide pages 667-669. Information on intended use of the authorization field is located in the following RFC:
Question
How does Windows 2000 keep system clocks synchronized?
Answer
Windows 2000 clients use the following version of Simple Network Time Protocol (SNTP):
Time synchronization uses Universal Time Coordinate (UTC) which is time zone independent. A computer determines its time source by following a complex algorithm involving sites, domains, PDC FSMO, and Reliable Time Servers. The time service is controlled by using the net time command. The act of joining a domain enables the Windows 2000 Time service so that it automatically starts at boot. When communicating with Windows 2000 computers, time packets are secured with a signed hash of the time information. Security is based on the Windows NT secure channel and signature key is determined by the machine account of the client.
Question
What encryption types does Windows 2000 support?
Answer
Windows 2000 supports the following encryption types:
RC4-HMAC
DES-CBC-CRC
DES-CBC-MD5
Kerberos Encryption Key Lengths:
Authentication | Signing | Privacy | |
---|---|---|---|
RC4-HMAC | 128 | 128 | 56 (128 w/ the High Encryption Pack installed |
DES-CBC-CRC | 56 | 56 | 56 |
DES-CBC-MD5 | 56 | 56 | 56 |
Question
How do I find out what Kerberos tickets I have?
Answer
The Kerberos tickets are kept in ticket cache by the LSA, and the cache is destroyed when the user logs out. Only the logged on user has access to the tickets in the cache. The Resource Kit utilities Klist.exe or Kerbtray.exe can be used to examine the tickets in the cache.
Question
Does Windows 2000 support Pkinit?
Answer
Windows 2000 Kerberos provides an implementation of Pkinit draft version 9. The specific use of Pkinit in Windows 2000 is constrained to supporting SmartCard logon. Pkinit has not been tested with other implementations since the release of Windows 2000.
Question
What are the default ticket lifetimes?
Answer
The default ticket lifetimes are controlled at the domain level by using domain policy. The defaults are:
- MaxServiceTicketAge: 10 hours
- MaxTicketAge: 10 hours
- MaxRenewAge: 7 days
- MaxClockSkew: 5 minutes
Question
What does Enforce Logon Restrictions mean?
Answer
There is a setting for the Kerberos policy called Enforce Logon Restrictions. With this setting enabled, every time a user uses a ticket-granting-ticket (TGT) to request a ticket, the account is checked to see if it is still valid. That would prevent a disabled account from obtaining new session tickets.
Question
How do I use delegation?
Answer
Delegation permits a service to act as the user with that user's access to network resources. This requires the client to forward a user's TGT to the service so that it can request tickets from a KDC on behalf of the user. Since the service is able to act as the user, it is important that the service be trusted before giving it your TGT. Windows 2000 has controls that can limit when a service provides a user's TGT when delegation is requested.
The Kerberos revisions Internet Draft specifies a new ticket flag - "OK as delegate". The Windows 2000 KDC sets this flag in service tickets that have the Trusted for delegation account control flag set. If the service ticket has the OK as delegate flag set, then the SSPI forwards the user's TGT to the service if the SSPI program requested delegation. If the ticket flag is not set, then the SSPI delegation flag is ignored and the TGT is not forwarded.
If you are running with a KDC that does not set the ticket flag, you can set the RealmFlags in the registry configuration for the external realm to trust the realm for delegation. Setting the RealmFlags flag to a value of 4 enables this feature.
For additional information about the RealmFlags registry setting, see the Windows 2000 Registry Reference (Regentry.chm) included in the Windows 2000 Resource Kit.
Question
Does Windows 2000 support SPNEGO (RFC-2478)?
Answer
Yes. The Negotiate SSP implements SPNEGO. The Negotiate SSP is the common default package that most programs use in Windows 2000.
Question
Are Telnet and File Transfer Protocol (FTP) clients in Windows 2000 Kerberized?
Answer
The Telnet and FTP services in Windows 2000 do not use Kerberos for authentication.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Keywords: kb3rdparty kbfaq kbinfo kbkerberos KB266080