Authentication Protocols

Previous page
Table of content
Next page

Windows 2000 Server and Windows XP Professional support several protocols for verifying the identity of users who claim to have accounts on the system. These include protocols for authenticating dial-up connections and protocols for authenticating external users who try to connect to the network over the Internet. However, the following authentication protocols are the primary choices for network authentication between Windows NT 4.0, Windows 2000, and Windows 2000 Server domains, and Windows XP Professional based clients:

  • Kerberos V5 protocol. The default authentication protocol for Windows 2000 and Windows XP Professional.

  • NTLM protocol. The default authentication protocol in Windows NT 4.0.

Even though the Kerberos V5 authentication protocol is the default for Windows 2000 Server and Windows XP Professional, both the network domain controllers and the client computers must be running Windows 2000 or Windows XP Professional for Kerberos authentication to be used. The alternative NTLM protocol is used for authentication if the following conditions exist:

  • Computers running Microsoft Windows 3.11, Microsoft Windows 95, Microsoft Windows 98, or Windows NT 4.0 use the NTLM protocol for network authentication in Windows 2000 domains.

  • Computers running Windows 2000 Professional or later or Microsoft Windows 2000 Server or later use the NTLM protocol to authenticate to servers running Windows NT 4.0.

  • Computers running Windows 2000 Professional or later and Windows 2000 Server or later use the NTLM protocol to authenticate when they are not participating in a domain. That is, when they operate as stand-alone computers or as part of a workgroup.

Protocol Selection

The following processes determine whether the Kerberos or NTLM protocol is used to complete the network authentication process:

  1. After the user name and password are entered, the LSA passes this information to the Security Support Provider Interface (SSPI), an interface that communicates with both the Kerberos and NTLM services.

    Tip 

    SSPI also allows developers to write security-aware applications whether the Kerberos or NTLM protocol is used.

  2. SSPI passes the user name and password to the Kerberos Security Support Provider (SSP), which exchanges messages directly with the domain s Kerberos Key Distribution Center (KDC). The Kerberos SSP determines whether the target computer name is the local computer or the domain name.

  3. If the domain name is referenced, and the KDC recognizes the user name, the Kerberos authentication process proceeds.

  4. If the user name is not recognized, the KDC passes an internal error message to the SSPI. If a KDC cannot be found, the following message (transparent to the user) is passed back to the LSA:

    No logon server available.

  5. The internal error message triggers the process to start over again. MSGINA passes the information to LSA again, and then LSA passes the information back to SSPI.

  6. SSPI then passes the user name and password to the NTLM driver, MSV1_0 SSP. MSV1_0 then uses the Net Logon service to complete the NTLM authentication process.

If both the Kerberos and NTLM protocols fail to authenticate the user account, the following error message appears, and the user can try to log on again:

"The system could not log you on. Make sure your User name and domain are correct, then type you password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on."
Note 

The same error message appears whether the password is typed incorrectly or the user name is not in the local SAM database. This is done to make it more difficult for an intruder to determine the reason that the logon attempt failed.

NTLM

The NTLM protocol authenticates users and computers based on a challenge/response mechanism. When the NTLM protocol is used, a resource server must contact a domain authentication service on the domain controller for the computer or user s account domain to verify its identity whenever a new access token is needed.

Note 

In the absence of a domain, the NTLM protocol can also be used for peer-to-peer authentication.

NTLM authentication in Windows 2000 and Windows XP Professional supports the following three methods of challenge/response authentication:

  • LAN Manager (LM). The least secure form of challenge/response authentication that is supported by Windows XP Professional, (but more secure than cleartext). LM is available so that computers running Windows XP Professional can connect to file shares on computers running Microsoft Windows for Workgroups, Windows 95, or Windows 98.

  • NTLM version 1. A more secure form of challenge/response authentication than LM. It is available so that computers running Windows XP Professional can connect to servers in a Windows NT domain that has at least one domain controller running Windows NT 4.0 Service Pack 3 or earlier.

  • NTLM version 2. The most secure form of challenge/response authentication that is supported by Windows XP Professional. It is used when computers running Windows XP Professional connect to servers in a Windows NT domain where all domain controllers are upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when computers running Windows 2000 or Windows XP Professional connect to servers running Windows NT in a Windows 2000 domain. In addition, computers running Windows 95 or Windows 98 can use this form of challenge/response authentication if the Directory Service Client Pack has been installed.

By default, all three challenge/response mechanisms are enabled so that clients running Microsoft Windows for Workgroups, Windows 95, or Windows 98 can access network resources. You can disable authentication that uses weaker variants by setting the LAN Manager authentication level security option in Local Security Policy\Computer Configuration\Windows Settings\Local Policies\Security Options or in the appropriate security template. If you do so, however, computers that rely on the weaker variants for authentication might not be able to access network resources.

For more information about configuring the LAN Manager authentication level, see Account Policies later in this chapter.

Interactive Logon with NTLM

The following process, shown in Figure 15-3, is essentially the same on any version of NTLM you use:

  1. The user presses CTRL+ALT+DEL, which is the Secure Attention Sequence (SAS) on computers that have a standard Windows XP Professional configuration. Winlogon calls a replaceable Graphical Identification and Authentication (GINA) dynamic-link library (DLL) to display a logon user interface.

  2. After the user enters a user name and password, Winlogon sends the information to the LSA.

  3. If the user s account is local to the computer, the LSA uses the MSV1_0 authentication package to compare the user s logon information with data in the computer s SAM database. If the user is not local to the computer, the LSA validates the user s credentials by using the MSV1_0 authentication package and Net Logon service to query the SAM on a Windows NT domain controller.

  4. If the user s logon name and password are valid, the SAM communicates this information back to the LSA, along with the user s security identifier (SID) and the SIDs that apply to any groups that the user belongs to. The LSA uses this information to create an access token that includes the user s SIDs.

  5. Winlogon starts the user s shell with the token attached.

    click to expand
    Figure 15-3: NTLM logon process

Kerberos V5 Authentication Protocol

The Kerberos V5 protocol provides a means for mutual authentication between a client, such as a user, computer, or service, and a server. This is a more efficient means for servers to authenticate clients, even in the largest and most complex network environments. The Kerberos protocol is based on the assumption that initial transactions between clients and servers take place on an open network an environment in which an unauthorized user can pose as either a client or a server and intercept or tamper with communication between authorized clients and servers. Kerberos V5 authentication also provides secure and efficient authentication for complex networks of clients and resources.

The Kerberos V5 protocol uses secret key encryption to protect logon credentials that travel across the network. The same key can then be used to decrypt these credentials on the receiving end. This decryption and the subsequent steps are performed by the Kerberos Key Distribution Center (KDC), which runs on every domain controller as part of Active Directory.

An authenticator a piece of information such as a time stamp that is different each time it is generated is included with the encrypted login credentials to verify that previous authentication credentials are not being reused. A new authenticator is generated and incorporated with the KDC s encrypted response to the client to confirm that the original message was received and accepted. If the initial logon credentials and the authenticator are accepted, the KDC issues a ticket-granting ticket (TGT) that is used by the LSA to get service tickets. These service tickets can then be used to access network resources without having to re-authenticate the client as long as the service ticket remains valid. These tickets contain encrypted data that confirms the user s identity to the requested service. Except for entering an initial password or smart-card credentials, the authentication process is transparent to the user.

Interactive Logons Using Kerberos Authentication

The Kerberos authentication process was designed to be more secure and scalable across large, diverse networks than NTLM authentication. The Kerberos authentication process includes the following actions:

  1. The user presses CTRL+ALT+DEL, the SAS on computers that have a standard Windows XP Professional configuration. Winlogon calls a replaceable Graphical Identification and Authentication (GINA) dynamic-link library (DLL) to display a logon user interface.

  2. After the user enters a user name and password, Winlogon sends the information to the LSA.

  3. When the logon request reaches the LSA, it passes the request to the Kerberos authentication package. The client sends an initial authentication request (AS_REQ), which includes the user s credentials and an encrypted timestamp to the KDC. This is a request for authentication and a TGT.

    Note 

    The logon request uses the principal name of krbtgt@ domain_name, where domain_name is the name of the domain in which the user account is located. The first domain controller in the domain generates the krbtgt@ domain_name account.

  4. The KDC uses the secret key to decrypt the timestamp and issues a TGT to the client. This TGT (AS_REP) contains a session key, the name of the user to whom the session key was issued, the maximum lifetime of the ticket, and any additional data fields or settings that might be required. The AS_REP is encrypted in the user s key and returned to the user. The ticket is encrypted in the KDC s key and enclosed in the AS_REP. The authorization data portion of the TGT contains the SID for the user account and SIDs for any global and universal groups to which the user belongs.

    Note 

    The SIDs are returned to the LSA for inclusion in the user s access token. The maximum lifetime of a ticket is defined by the domain policy. If a ticket expires during an active session, the client requests a new ticket.

  5. When the user attempts to access a resource, the client system uses the TGT to request a service ticket (TGS_REQ) from the Kerberos ticket-granting service on the domain controller (see Figure 15-4). The TGS then issues a service ticket (TGS_REP) to the client. This service ticket is encrypted using the server s secret key. The SIDs are copied by the Kerberos service from the TGT into all subsequent service tickets obtained from the Kerberos service.

    Note 

    This TGS session uses a separate session key than the earlier TGT transaction.

  6. The client presents this service ticket directly to the requested network service. The service ticket proves both the user s identity and permissions to the service, and the service s identity to the user.

    click to expand
    Figure 15-4: Logon process using the Kerberos V5 authentication protocol

For more information about Kerberos V5 authentication, see Logon and Authentication in the Distributed Systems Guide. For more information about configuring the Kerberos V5 authentication service, see Account Policies later in this chapter.

Kerberos Ticket Cache

Windows stores tickets and keys obtained from the KDC in a credentials cache, an area of memory protected by the LSA. Only processes running in the LSA s security context have access to the cache. Its memory is never paged to disk. All tickets and keys are stored per user logon session, which means that they are destroyed when a security principal logs off or the system is turned off.

The credentials cache is managed by the Kerberos SSP, which runs in the LSA s security context. Whenever tickets and keys must be obtained or renewed, the LSA calls the Kerberos SSP to accomplish the task.

The credentials cache is also used to store a copy of an interactive user s password-derived key. If the user s TGT expires during a logon session, the Kerberos SSP uses its copy of the key to obtain a new TGT without interrupting the user s logon session. The key is not stored permanently on the computer, and the local copy in the credentials cache is destroyed when the credentials cache is flushed.

Password-derived keys for services and computers are handled differently. They are stored in a secure area of the computer s registry just as they are in Windows NT. Password-derived keys for user accounts on the local system, which are used only for access to computers in stand-alone mode, are also stored in the registry. These keys are never used for network access.

Kerberos Interoperability

The Windows 2000 implementation of the Kerberos V5 protocol supports Internet Engineering Task Force (IETF) standard RFC 1510 to help ensure interoperability with other vendors implementations of Kerberos V5 authentication. This interoperability allows single sign-on to be provided within large mixed environments.

Applications or other operating systems based on the Generic Security Service Application Program Interface (GSSAPI) can obtain service tickets from a Windows 2000 Server domain. A Windows 2000 Professional, Windows 2000 Server, or Windows XP Professional client likewise can authenticate to a third-party Kerberos KDC for authentication.

A Kerberos realm is not a Windows domain. As a result, the computer running Windows XP must be configured as a member of a workgroup and it must be configured to locate the Kerberos realm by its name. A Windows XP Professional client that uses a non-Windows Kerberos V5 realm must be configured to locate the realm, available KDC servers, and available Kerberos password servers.

Note 

Kerberos V5 configuration tools are available on the Windows distribution media in the Support folder.

You can use the command-line tool Ksetup to configure Windows XP Professional clients to use a third-party Kerberos V5 KDC.

To enable user logon to a non-Windows Kerberos realm

  1. In the Run dialog box, type cmd, and then click OK.

  2. At the command line, type:

    ksetup /addkdc REALM.MYDOMAIN.COM kdc.realm.mydomain.comksetup /addkdc REALM.MYDOMAIN.COM kdc-master.realm.mydomain.com

    This configures the computer to use two KDCs for the realm REALM.MYDOMAIN.COM.

  3. If the Kerberos realm supports the Kerberos change password protocol, then the kpasswd servers can be configured. This will allow the user to change their password after they press CTRL+ALT+DEL. To configure the kpasswd server, at the command line, type:

    ksetup /addkpasswd REALM.MYDOMAIN.COM kdc-master.realm.mydomain.com
    Note 

    Windows XP can also locate the KDC and kpasswd servers based on the DNS SRV records if no KDCs or kpasswd entries exist for the configured realm.

  4. The computer needs to have a local account that is authorized with the interactive logon right to the appropriate Kerberos principal. To map a local account with the username alice, at the command line, type:

    ksetup /mapuser alice@REALM.MYDOMAIN.COM username

    This maps the local account alice to the Kerberos principal alice@REALM.MYDOMAIN.COM . When the user alice@REALM.MYDOMAIN.COM logs on to the computer, the local identity alice is used for access control and to locate a user profile.

    Note 

    It is best not to trust all users to access your computer. If no mapping exists for a particular user, they cannot log on.

  5. If you want to grant guest access to any users, an explicit mapping for the guest account needs to be set up and the guest account must be enabled. To map the guest account, at the command line, type:

    ksetup /mapuser * guest

  6. Restart the computer in order to implement your changes.

You might also want to enable Windows XP Professional users to access services by presenting the Kerberos credentials associated with their mapped identities.

To enable Kerberos authentication for services

  1. In the Run dialog box, type cmd, and then click OK.

  2. Because a Kerberos realm is not a Windows domain, the computer running Windows XP Professional must be configured as a member of a workgroup and the computer configured to locate the Kerberos realm by its name. To do this, at the command line, type:

    ksetup /addkdc REALM.MYDOMAIN.COM kdc.realm.mydomain.com 
     ksetup /addkdc REALM.MYDOMAIN.COM kdc-master.realm.mydomain.com

    This configures the computer to use two KDCs for the realm REALM.MYDOMAIN.COM configuration.

  3. Configure the computer to authenticate to the realm in which the computer s host service principal was created. To accomplish this, create a new KDC entry by typing:

    ksetup /setrealm REALM.MYDOMAIN.COM

  4. Configure the computer s password so that it corresponds to the host service principal created for the computer in the Kerberos realm. At the command line, type:

    ksetup /setmachpassword the-password

  5. To set up mappings for users to control explicit access, at the command line, type:

    ksetup /mapuser alice@REALM.MYDOMAIN.COM alice

    This will map the Kerberos principal alice@REALM.MYDOMAIN.COM to the local account alice . You can use the local account alice on access control lists on resources or local groups on the computer to grant or deny access to specific resources.

    Note 

    If no mapping exists for a Kerberos principal, the user will be anonymous and will be able to access any resource for which anonymous access is allowed.

  6. Restart the computer.



Previous page
Table of content
Next page
Microsoft Windows XP Professional Resource Kit 2003
Microsoft Windows XP Professional Resource Kit 2003
ISBN: N/A
EAN: N/A
Year: 2005
Pages: 338
BUY ON AMAZON
Beginners Guide to DarkBASIC Game Programming (Premier Press Game Development)
High-Speed Signal Propagation[c] Advanced Black Magic
Lotus Notes and Domino 6 Development (2nd Edition)
Developing Tablet PC Applications (Charles River Media Programming)
Data Structures and Algorithms in Java
802.11 Wireless Networks: The Definitive Guide, Second Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy