Jan 28, 2005

Kerberos Authentication in a Windows 2000/2003 Environment

Logging on
1. Both the DC and the workstation use the same one-way algorithm to encrypt the authenticator.
2. The user logs on at the workstation; the workstation composes two authenticators, one unencrypted and one encrypted with the algorithm from step 1, using the typed password as the key.
3. The workstation sends these two authenticators to the DC.
4. The DC decrypts the encrypted authenticator. If the user typed the correct password in step 2, the DC ends up with a decrypted authenticator that matches the other copy the workstation sent in step 3.
5. The DC now checks the timestamp against its authenticator history list; if it finds a match, the logon is rejected (this is what stops a captured authenticator from being replayed).
6. The DC generates two TGTs that contain the session key. One TGT is encrypted with the user's encrypted password, the other with the DC's private key. The TGT also contains the user's Security Token (the user's SID and the SIDs of the user's groups).
7. The DC sends both encrypted TGTs to the workstation, which stores them in non-paged pool memory.
8. The logon process finishes.

Accessing Resources
9. The user/workstation wants to access a resource on another server.
10. The workstation gets the session key from the TGT.
11. The workstation generates a "request ticket" and encrypts it with the session key.
12. The workstation sends the encrypted request ticket (from step 11) to the KDC.
13. The workstation also sends a TGT back to the KDC; the KDC decrypts the TGT with its own private key to get the session key from it.
14. The KDC can now use the session key to decrypt the request ticket.
15. The KDC generates a new ticket (two copies) that contains the user's Security Token and a random key. One copy is encrypted with the session key, the other with the resource server's password (let's call them Access Tickets).
16. The KDC sends both copies of the new ticket back to the workstation.
17. The workstation decrypts one copy using the session key and gets the random key (from step 15).
18. The workstation composes a Resource Request and encrypts it with the random key.
19. The workstation then sends the other Access Ticket and the Resource Request to the target server.
Note: because only the target server knows the password needed to decrypt the Access Ticket, the client is assured of a connection to its intended server. This is another advantage of Kerberos.
20. The resource server uses its own password to decrypt the Access Ticket and gets the random key from it.
21. The resource server uses the random key to decrypt the Resource Request.
22. The resource server processes the Resource Request normally (checking permissions against the Security Token).
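To make the logon flow (steps 1-8) and the resource-access flow (steps 9-22) concrete, here is a toy end-to-end simulation with a KDC, a workstation and a resource server exchanging the same messages in the same order. This is example code added to these notes, not code from the original page or from Microsoft: the cipher is a constructed SHA-256/HMAC toy standing in for the real Kerberos encryption types, the account names, passwords, SIDs (S-1-5-21-EXAMPLE-...) and ACL are made-up sample values, and the 5-minute clock-skew check in the logon step is standard Kerberos behaviour that the notes above do not mention.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption, constructed for this example (real Kerberos uses
# RC4-HMAC or AES with a string2key derivation, not a SHA-256 keystream).
def derive_key(password):
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The DC/KDC role; accounts, passwords and SIDs are constructed sample values."""
    def __init__(self):
        self.users = {"alice": derive_key("alice-pass")}
        self.servers = {"fileserver": derive_key("fileserver-pass")}
        self.kdc_key = os.urandom(32)   # steps 6 and 13: the DC's own long-term key
        self.history = set()            # step 5: authenticator history list
        self.tokens = {"alice": {"user_sid": "S-1-5-21-EXAMPLE-1001",
                                 "group_sids": ["S-1-5-21-EXAMPLE-513"]}}

    def logon(self, user, plain_auth, enc_auth):
        """Steps 4-7: verify the authenticator, reject replays, issue two TGT copies."""
        auth = decrypt(self.users[user], enc_auth)   # a wrong password fails here (step 4)
        if auth != plain_auth or abs(time.time() - auth["ts"]) > 300:
            raise PermissionError("authenticator mismatch or outside clock skew")
        if (user, auth["ts"]) in self.history:
            raise PermissionError("replayed authenticator")
        self.history.add((user, auth["ts"]))
        tgt = {"user": user, "session_key": os.urandom(32).hex(), "token": self.tokens[user]}
        return encrypt(self.users[user], tgt), encrypt(self.kdc_key, tgt)

    def request_ticket(self, enc_req, kdc_tgt):
        """Steps 13-16: get the session key from the TGT, issue the Access Ticket pair."""
        tgt = decrypt(self.kdc_key, kdc_tgt)
        session_key = bytes.fromhex(tgt["session_key"])
        req = decrypt(session_key, enc_req)
        access = {"token": tgt["token"], "random_key": os.urandom(32).hex()}
        return encrypt(session_key, access), encrypt(self.servers[req["service"]], access)

class Workstation:
    def __init__(self, kdc, user, password):
        self.kdc, self.user, self.key = kdc, user, derive_key(password)

    def logon(self):
        """Steps 2-3 and 7: send both authenticators, cache the TGT pair."""
        auth = {"user": self.user, "ts": time.time()}
        self.last_auth = (auth, encrypt(self.key, auth))
        self.tgts = self.kdc.logon(self.user, *self.last_auth)

    def access(self, server, path):
        """Steps 10-12 and 17-19: obtain an Access Ticket, then send the Resource Request."""
        user_tgt, kdc_tgt = self.tgts
        session_key = bytes.fromhex(decrypt(self.key, user_tgt)["session_key"])
        req = {"service": server.name, "ts": time.time()}
        my_copy, server_copy = self.kdc.request_ticket(encrypt(session_key, req), kdc_tgt)
        random_key = bytes.fromhex(decrypt(session_key, my_copy)["random_key"])
        return server.serve(server_copy, encrypt(random_key, {"path": path, "op": "read"}))

class ResourceServer:
    def __init__(self, name, password, acl):
        self.name, self.key, self.acl = name, derive_key(password), acl

    def serve(self, access_ticket, enc_request):
        """Steps 20-22: only the key the KDC used (the real server's) opens the ticket."""
        ticket = decrypt(self.key, access_ticket)
        request = decrypt(bytes.fromhex(ticket["random_key"]), enc_request)
        sids = [ticket["token"]["user_sid"]] + ticket["token"]["group_sids"]
        allowed = any(s in self.acl.get(request["path"], []) for s in sids)
        return "access granted" if allowed else "access denied"

def demo():
    """Run the full exchange plus the failure cases the notes describe; return the outcomes."""
    kdc = KDC()
    fs = ResourceServer("fileserver", "fileserver-pass", {"/share/report": ["S-1-5-21-EXAMPLE-513"]})
    ws = Workstation(kdc, "alice", "alice-pass")
    ws.logon()
    out = {"granted": ws.access(fs, "/share/report"), "denied": ws.access(fs, "/share/secret")}
    def fails(fn):                      # the reason a step refused, or None if it succeeded
        try:
            fn()
        except PermissionError as e:
            return str(e)
    out["wrong_password"] = fails(Workstation(kdc, "alice", "wrong").logon)       # step 4
    out["replay"] = fails(lambda: kdc.logon("alice", *ws.last_auth))               # step 5
    impostor = ResourceServer("fileserver", "some-other-password", {})            # step 19 note
    out["impostor_server"] = fails(lambda: ws.access(impostor, "/share/report"))
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints the outcomes: the ACL decision is made purely from the SIDs carried inside the Access Ticket (step 22), a wrong password fails at step 4 because the DC cannot verify the encrypted authenticator, a replayed authenticator is refused at step 5 by the history list, and a server that does not hold the real "fileserver" password cannot open the Access Ticket, which is the guarantee described in the note after step 19.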
Additional Reading
TechNet Home > Products & Tech > Server Operating Systems > Windows 2000 Server > Deploy > Configure Specific Features > Windows 2000 Kerberos Authentication
A very good article that covers not only the Windows-specific Kerberos details but also a general briefing on how Kerberos was developed and why it was designed this way.