M$ Kerberos token non-authenticated question

DragonNOA1

When you log into a domain you get a TGT so that you can communicate with other member servers. If you don't log into the domain and instead log in locally then try to go directly to the member server, how do you authenticate w/o the TGT/service ticket from the DC? When you are prompted for credentails are you actually being asked by the DC b/c you were redirected from the member server? If so wouldn't you be authenticated for the whole domain and wouldn't have to log in to subsequent member servers?

Follow me?

sprkymrk

The TGT is cached on the local machine when you log in to the domain.

When you access a network resourse after logging in to a computer with a local account you are prompted by that server for authentication. You could just as easily use a local server account rather than a domain account. Once you specify a domain\userid and password, the server checks with a DC to verify the information is correct. This does not get cached to your computer. I believe it does get cached on the remote server though, so you can traverse different directories as long as you don't disconnect or time out.

DragonNOA1

But doing it that way isn't using kerberos, right?

Treg

Think that depends if your using an IP or DNS name.

sprkymrk

DragonNOA1 wrote:

But doing it that way isn't using kerberos, right?

I'd have to look into it. It might fall back to NTLM authentication that way.

royal

One benefit of being a part of the domain is single sign on which is another discussion all by itself. When not being a domain member, authentication works like OWA would. You connect via OWA, and OWA will actually use RPC to authenticate the client to a Domain Controlller. If you are not a domain member and try to authenticate to a DC, you will authenticate via RPC and it will grant you access. I'm not sure of the nitty gritty details behind this, but know the general concept. I'm not 100% sure about this, however.

sprkymrk

What I have found so far is Windows XP or higher implements the Kerberos V5 authentication protocol as a Security Support Provider (SSP), a dynamic-link library (DLL) supplied with the operating system. It includes an SSP for NTLM authentication as well. By default, both SSPs are loaded by the Local Security Authority (LSA) on a Windows computer when the system boots. The system can use either SSP to authenticate network logons and client/server connections. Which SSP is used depends on the capabilities of the computer on the other side of the connection and the preferences of the individual application that is being used. Generally Kerberos is default, and NTLM is second.

The tickets and keys obtained from the KDC (domain controller) are stored in a credentials cache, an area of volatile memory protected by the LSA. The credentials cache is never paged to disk. All objects stored there are gone when a user logs off or when the system is shut down.

Users can log on to computers with either a domain account or an account local to the computer. When the user logs on with an account local to the computer, the user's credentials are authenticated using the local account database. Because the local computer does not act as a KDC, and because local logon does not require network access (for example, to contact a KDC), local authentication uses NTLM to authenticate the account.

So for instance if a user tries to access a network share to \\server\share after logging into a computer with a local account kerberos will fail because there is no trust. The system automatically reverts to the next security provider, typically NTLM. If NTLM authentication is successful, the user will connect, but Kerberos authentication will not have been used.

royal

Excellent writeup Mark and thanks for the information!

DragonNOA1

Yes good stuff there. And sorry to sound stupid here but would using NTLM be less secure than using Kerberos? I'm pretty clear on how Kerberos works but I don't know much about NTLM.

sprkymrk

DragonNOA1 wrote:

Yes good stuff there. And sorry to sound stupid here but would using NTLM be less secure than using Kerberos? I'm pretty clear on how Kerberos works but I don't know much about NTLM.

That's not stupid at all. Yes, NTLM is generally left over from the W9x and NT days. However, you can specify through the registry or Local Security Policy what versions of NTLM are used. In a strict W2K or higher AD environment, you can set clients to use NTLMv2 Response only.

Check out this link for a lot of good information on security settings, including Lan Manager Authentication levels:

http://support.microsoft.com/kb/823659

Scroll down to #10. Network security: Lan Manager authentication level

sprkymrk

icroyal wrote:

Excellent writeup Mark and thanks for the information!

Your welcome. I meant to include the links for all that since it took me a while to google it, but I'm still not used to IE7 and I closed all the tabs. There were a lot. Yes, I know it asks you if you want to close all the tabs...