Here are my notes on Kerberos, the information security approach for single sign-on authentication that originated at MIT.
KerbTray.exe from the Resource Kit lists and purges tickets. Its icon appears on the task bar.
KerbList.exe from the Resource Kit views and deletes the Kerberos tickets granted to the current logon session.
The UNIX kdestroy command erases tickets to prevent reuse.
Novell NetWare 5 Secure Authentication Services (SAS) provides an infrastructure for Kerberos-based user authentication. It is part of Novell's NetWare BorderManager Authentication Services 3 Enhancement Pack.
KRB_AS_REP: The Kerberos Authentication Service Reply contains two credentials:
KRB_TGS_REQ: The Kerberos Ticket Granting Ticket Request is encrypted with the user's long-term key. It contains:
KRB_TGS_REP: The Kerberos Ticket Granting Ticket Reply contains:
KRB_AP_REQ: The Kerberos Application Request contains:
KRB_AP_REP: The Kerberos Application Reply is encrypted with the service session key. It contains:
Session Keys are Short-Term Symmetric keys.
Enforcement of logon restrictions using Kerberos is determined by a Group Policy, which is set to "Yes" by default.
The starttime and endtime (expiration) between which tickets are valid are set based on a Group Policy.
By default, the Maximum lifetime over which a user ticket can be renewed is 7 days.
By default, the Maximum lifetime is 60 minutes for a service ticket and 10 hours for a TGT.
By default, the Maximum tolerance for synchronization of computer clocks is 5 minutes.
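The following is an added example, not part of the original notes. It is a simplified model of how the defaults above interact: the clock tolerance widens the acceptance window on both sides, and renewal extends a ticket only up to the 7-day limit. The function names are hypothetical, and the renewal rule (an expired ticket cannot be renewed, and the new endtime is capped at the renew-till time) is taken from RFC 4120 rather than from these notes.

```python
from datetime import datetime, timedelta, timezone

# Defaults as stated in the notes above.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_SERVICE_LIFETIME = timedelta(minutes=60)
MAX_RENEW_LIFETIME = timedelta(days=7)
MAX_CLOCK_SKEW = timedelta(minutes=5)


def issue(authtime, lifetime):
    """Return (starttime, endtime, renew_till) for a ticket issued at authtime."""
    return authtime, authtime + lifetime, authtime + MAX_RENEW_LIFETIME


def check_ticket(starttime, endtime, now, skew=MAX_CLOCK_SKEW):
    """Classify a presented ticket, allowing for clock skew on both edges."""
    if now + skew < starttime:
        return "not-yet-valid"
    if now - skew > endtime:
        return "expired"
    return "valid"


def renew(endtime, renew_till, now, lifetime):
    """Return the renewed endtime, or None when a fresh logon is required."""
    if now > endtime or now >= renew_till:
        return None
    return min(now + lifetime, renew_till)


def renewal_timeline(authtime, lifetime=MAX_TGT_LIFETIME):
    """Endtimes of a ticket renewed at the last moment until renew_till."""
    _, endtime, renew_till = issue(authtime, lifetime)
    ends = [endtime]
    while (new_end := renew(endtime, renew_till, endtime, lifetime)) is not None:
        ends.append(new_end)
        endtime = new_end
    return ends


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)  # constructed logon time
    start, end, _ = issue(t0, MAX_TGT_LIFETIME)
    print(check_ticket(start, end, end + timedelta(minutes=4)))
    print(check_ticket(start, end, end + timedelta(minutes=6)))
    print(len(renewal_timeline(t0)), "tickets before a new logon is needed")
```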
NetDom, included on the Windows 2000 Server CD, displays domain information and repairs corrupted transitive trust data.
To disable this feature, set the REG_DWORD value NoDefaultExempt to 1 under the following registry key (a setting added in Win2K SP1):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC