Kerberos - Shon's vs Sybex

Sirkassad Member Posts: 43 ■■■□□□□□□□
For those that have Shon's AIO and the Sybex, please review the section on Kerberos as there are different explanations. The Sybex talks about the logon process involving encrypting the username with AES for transmission. This is the first I've heard of this. Other sources say the username is sent in plaintext.
I'm wondering which book offers the best explanation; I particularly would like to hear from the test takers :)

Comments

  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    Why don't you just discover it yourself with network captures?

    AFAIR from my exercises AS-REQ sends the username in plain text, but you'd better not rely just on my memory... In ADDS there's a pre-authentication phase before that.

    AP exchanges are fully encrypted on the other hand.

    Also, the cipher is configurable; it's not necessarily AES. Other ciphers could be in use; for example, back in the days of earlier Active Directory, RC4 was used.
  • Sirkassad Member Posts: 43 ■■■□□□□□□□
    Quick question: When the client wants to access another principal, it sends a TGT to the TGS for a service ticket. The question I have is: does the TGS perform any access control to determine if the client has sufficient privileges to access the resource/principal, or is it the job of the resource/principal to control access?
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    AFAIR it doesn't do any access control, but I might be wrong here and too lazy to look it up again... It checks for service existence though via service principal name (SPN) in its database and if there's none the service ticket won't be created. It is an authentication protocol from what I remember, authorization is done by other controls.
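
Added example, not part of any post in this thread: a minimal Python DER walk over a constructed AS-REQ laid out per RFC 4120, relating to the capture question raised in the first reply. It shows that the client name, realm and offered encryption types can be read without any key, while only the pre-authentication timestamp is ciphertext tagged with its etype (18 is aes256-cts-hmac-sha1-96, 23 is rc4-hmac). The principal alice@EXAMPLE.COM, the filler cipher bytes and all function names are assumptions made for the illustration.

```python
def tlv(tag, *parts):                      # encode one DER element from its content parts
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def children(buf):                         # yield (tag, value) for each element in buf
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def inner(buf): return next(children(buf))[1]            # value of the element filling buf
def fields(buf): return dict(children(inner(buf)))       # {tag: value} of a SEQUENCE's members
def num(buf): return int.from_bytes(inner(buf), "big")   # value of an INTEGER element

def summarize_as_req(msg):
    """Return what anyone holding the packet can read without a key."""
    if msg[0] != 0x6A:
        raise ValueError("not an AS-REQ ([APPLICATION 10])")
    top = fields(inner(msg))                              # KDC-REQ
    body = fields(top[0xA4])                              # req-body [4]
    cname = fields(body[0xA1])                            # cname [1], a PrincipalName
    out = {"cname": "/".join(v.decode() for _, v in children(inner(cname[0xA1]))),
           "realm": inner(body[0xA2]).decode(),
           "offered_etypes": [int.from_bytes(v, "big") for _, v in children(inner(body[0xA8]))],
           "preauth": []}
    for _, pa in children(inner(top.get(0xA3, tlv(0x30)))):   # padata [3] is optional
        pa = dict(children(pa))
        if num(pa[0xA1]) == 2:                            # PA-ENC-TIMESTAMP holds EncryptedData
            ed = fields(inner(pa[0xA2]))
            out["preauth"].append({"etype": num(ed[0xA0]), "cipher_len": len(inner(ed[0xA2]))})
    return out

def sample_as_req():   # constructed message for alice@EXAMPLE.COM; cipher bytes are filler
    i32, gs = (lambda v: tlv(0x02, bytes([v]))), (lambda s: tlv(0x1B, s.encode()))
    enc_ts = tlv(0x30, tlv(0xA0, i32(18)), tlv(0xA2, tlv(0x04, bytes(52))))
    padata = tlv(0x30, tlv(0x30, tlv(0xA1, i32(2)), tlv(0xA2, tlv(0x04, enc_ts))))
    cname = tlv(0x30, tlv(0xA0, i32(1)), tlv(0xA1, tlv(0x30, gs("alice"))))
    body = tlv(0x30, tlv(0xA0, tlv(0x03, bytes(5))), tlv(0xA1, cname), tlv(0xA2, gs("EXAMPLE.COM")),
               tlv(0xA5, tlv(0x18, b"20370913024805Z")), tlv(0xA7, i32(42)), tlv(0xA8, tlv(0x30, i32(18), i32(23))))
    return tlv(0x6A, tlv(0x30, tlv(0xA1, i32(5)), tlv(0xA2, i32(10)), tlv(0xA3, padata), tlv(0xA4, body)))
```

The sample leaves out sname and the other optional req-body fields; `summarize_as_req(sample_as_req())` returns the readable fields as a dict.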