Authentication / Authorization - Chapter 1 - Darril's Book

I just finished chapter 1 of Darril's book and I'm still not sure I understand the relationships between authentication/authorization in a Windows LAN environment. I created the diagram below.

I think I got the RAS nailed. A remote PC contacts a RAS Server (VPN Concentrator in this diagram) and uses PAP, CHAP, MS-CHAP, or MS-CHAP v2 protocols to exchange authentication information with the VPN Concentrator. The VPN Concentrator can either have a local database or proxy the request to a RADIUS or TACACS+ (Cisco Only) server.

However, when we look at the LAN and Kerberos, the relationships are not so clear and I've attempted to diagram how it is looking in my mind. As I have it, a local machine goes to the Kerberos server for a ticket which it can then submit to other servers/resources. The Kerberos server only authenticates and does not authorize. For that functionality, the Kerberos server can use either a Win AD server (domain controller), LDAP, or TACACS+. The Windows AD server could actually proxy to an LDAP server itself as well. Do I have this right?

Or is it the case that Kerberos simply issues the tickets and then the user presents that ticket to each of the resources it needs and authorization is done at that time via whatever means the resource uses to authorize?

Thanks

Carl S.

Check out my personal certification journey blog
Carl's Certification Journey | The road to getting certified can often be bumpy

Chapter 1 Authentication Diagram.jpg

Find more posts tagged with

Comments

Darril

Carl_S_901 wrote: »

I just finished chapter 1 of Darril's book and I'm still not sure I understand the relationships between authentication/authorization in a Windows LAN environment.

The basics are worth repeating for the Security+ exam.

Authentication proves who you are.

Authorization allows access to resources based on who you are.

If users do not authenticate, then everyone is anonymous and you are only able to grant access to everyone or not. You can't grant access to some users and not to others.

Carl_S_901 wrote: »

However, when we look at the LAN and Kerberos, the relationships are not so clear and I've attempted to diagram how it is looking in my mind. As I have it, a local machine goes to the Kerberos server for a ticket which it can then submit to other servers/resources. The Kerberos server only authenticates and does not authorize. For that functionality, the Kerberos server can use either a Win AD server (domain controller), LDAP, or TACACS+. The Windows AD server could actually proxy to an LDAP server itself as well. Do I have this right?

Or is it the case that Kerberos simply issues the tickets and then the user presents that ticket to each of the resources it needs and authorization is done at that time via whatever means the resource uses to authorize?

It's the latter, sort of. Kerberos is an authentication protocol and only issues tickets for authentication.

In Windows, a domain controller is an LDAP server, and a Kerberos server all rolled into one.

Kerberos starts with a time-stamped ticket-granting ticket encrypted with symmetric encryption (AES). This is issued to a user when the user first authenticates. When a user wants to access a resource, an additional ticket (a session ticket) is requested and issued for this resource. The session ticket ensures that the user is still authenticated and packets haven't been intercepted and manipulated to impersonate the user (such as in a replay attack).

In my SSCP book, I laid out the details of the Kerberos authentication process in six steps. However, this is more detail than you need for the Security+ exam.

If you want to dig deeper into Kerberos, here are a couple of links.
Basic Overview of Kerberos User Authentication Protocol in Windows 2000
It shows the process for Windows 2000, but is relevant as an overview for the current version (Kerberos V5).
This shows some enhancements in Windows.
Kerberos Enhancements

Carl_S_901 wrote: »

I think I got the RAS nailed. A remote PC contacts a RAS Server (VPN Concentrator in this diagram) and uses PAP, CHAP, MS-CHAP, or MS-CHAP v2 protocols to exchange authentication information with the VPN Concentrator. The VPN Concentrator can either have a local database or proxy the request to a RADIUS or TACACS+ (Cisco Only) server.

Another way you can look at RAS authentication is by redrawing your first diagram to include three back-end servers, instead of only two. The third server is a Kerberos server and either RADIUS or TACACS+ can use Kerberos for authentication. They can also use other authentication database sources, so Kerberos as the third server is optional.

HTH

Carl_S_901

Darril wrote: »

In Windows, a domain controller is an LDAP server, and a Kerberos server all rolled into one.

Thanks for the clarification.

I was thinking of Kerberos as a dedicated standalone server even though I had seen "Protocol" numerous times when looking into. Several sources I looked at didn't help clarify this. Technically, it probably could be a standalone server but would be a big waste in that regard.

Sounds like we are just really talking about a service. The KDC is just a service running on a domain controller and handles AS and TGS functions.

Darril

It may be a standalone server in a Kerberos Realm, but my experience with it is in Microsoft domains running on domain controllers.

Kerberos is actually quite deep. I most often see it referred to as a protocol but I also see it mentioned as a protocol, a service, and a suite of protocols. RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt) is titled Kerberos Network Authentication Service, but describes it as a protocol and a process.

I looked at a Microsoft Domain Controller and see that it is running a "Kerberos Key Distribution Center" service and the description says it allows users to log on using the Kerberos authentication protocol.

I also looked at some notes I have related to CISSP which affirms your summary of a KDC handling AS and TGS functions.

Key distribution center (KDC) - provides authentication services
Kerberos authentication server (KAS) - hosts the functions of the KDC, ticket-granting service (TGS), and an authentication service (AS). It verifies or rejects the authenticity and timeliness of tickets.

HTH

yozballerz

sorry i was a student IT network .. I'm undergoing the task of making the final level with a medium of learning about the TACACS + uses of flash player .. if there is a master at this forum that can help make?? or can help me in finding material on the TACACS + I need .. thanks a lot .. please help