Summary of Exam Objectives

Windows 2000 supports several authentication protocols, including Windows NTLM, Kerberos v5, Distributed Password Authentication, Extensible Authentication Protocol, and Secure Channel. The two protocols used for network authentication, for logging on locally or as an interactive user, are NTLM and Kerberos v5. Kerberos is the default authentication protocol used in Windows 2000; NTLM is provided for backward compatibility and is used to authenticate Windows 2000 member and standalone servers.

Kerberos provides several advantages over NTLM, which was the authentication protocol of choice in previous versions of Windows NT. One of the advantages Kerberos provides is mutual authentication wherein the client can also verify the server's identity. Another advantage is that Windows 2000 Kerberos domains can communicate with Kerberos realms of other implementations of Kerberos. This cannot be accomplished with NTLM, which is proprietary to Microsoft operating systems.

Kerberos is made up of several components, including the KDC, session tickets, and TGTs. The KDC comprises two services: the AS and the TGS. Three subprotocols Kerberos uses are the AS Exchange, the TGS Exchange, and the Client/Server Exchange.

Microsoft implements its own flavor of Kerberos in Windows 2000. Microsoft Kerberos adds extensions to the Kerberos standard to meet specific requirements necessary for Windows 2000, such as the ability to use public key certificates instead of the normal shared key to log on to Windows 2000 domains. Microsoft implements the KDC as a service in Windows 2000, and the service is automatically installed on all domain controllers. Microsoft Kerberos stores the PAC in tickets. The PAC consists of the user's SID as well as group SIDs for the groups of which the user is a member. The PAC is extracted after the server authenticates the user's identity. The server then uses the PAC to create an impersonation token for access to the service the client has requested to use.
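The following Python model is an added illustration of the three subprotocols and the PAC handling described above; it is not code from the study guide or from Microsoft. The realm name, principal names, keys and SIDs are constructed for the example, and seal()/unseal() are a labelled stand-in for symmetric encryption so the flow of keys and tickets is visible without real cryptography.

```python
"""Toy model of the three Kerberos v5 subprotocols summarized above (AS Exchange,
TGS Exchange, Client/Server Exchange) with a Windows 2000-style PAC in the ticket
and mutual authentication of the server. Constructed example; not real crypto."""
import secrets
import time
from dataclasses import dataclass, field

class KerberosError(Exception):
    """A key, ticket or authenticator did not check out."""

def seal(key, body):
    """Stand-in ciphertext: a (key, payload) pair that only that key opens."""
    return (key, dict(body))

def unseal(key, box):
    if not secrets.compare_digest(key, box[0]):
        raise KerberosError("wrong key: cannot decrypt")
    return dict(box[1])

@dataclass
class KDC:
    """Key Distribution Center: the AS and TGS services on a domain controller."""
    realm: str
    keys: dict   # principal -> long-term key (user password hash or service key)
    pacs: dict   # user -> {"user_sid": ..., "group_sids": [...]}, the PAC contents
    krbtgt_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    ticket_life: int = 600

    def _ticket(self, client, service, service_key, session_key):
        # Sealed under the *service's* key, so the client cannot read or alter it.
        return seal(service_key, {
            "client": client, "service": service, "session_key": session_key,
            "expires": time.time() + self.ticket_life, "pac": self.pacs[client]})

    def as_exchange(self, client, preauth):
        """AS Exchange: pre-authenticated request -> (reply for client, TGT)."""
        key = self.keys.get(client, b"")
        unseal(key, preauth)   # unknown principal or wrong password fails here
        sk = secrets.token_bytes(16)
        tgt = self._ticket(client, "krbtgt/" + self.realm, self.krbtgt_key, sk)
        return seal(key, {"session_key": sk}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS Exchange: TGT + authenticator -> (reply for client, service ticket)."""
        t = unseal(self.krbtgt_key, tgt)
        if t["expires"] < time.time():
            raise KerberosError("TGT expired")
        if unseal(t["session_key"], authenticator)["client"] != t["client"]:
            raise KerberosError("authenticator does not match TGT")
        sk = secrets.token_bytes(16)
        return (seal(t["session_key"], {"session_key": sk}),
                self._ticket(t["client"], service, self.keys[service], sk))

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key   # key is shared only with the KDC

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)   # a server without the real key fails here
        if t["service"] != self.name or t["expires"] < time.time():
            raise KerberosError("ticket not valid for this service")
        a = unseal(t["session_key"], authenticator)
        if a["client"] != t["client"]:
            raise KerberosError("authenticator/ticket client mismatch")
        # Identity verified: the PAC becomes the impersonation token, and the
        # server proves itself by echoing the timestamp under the session key.
        token = {"user": t["client"], **t["pac"]}
        return token, seal(t["session_key"], {"timestamp": a["timestamp"]})

class Client:
    def __init__(self, name, key):
        self.name, self.key, self.tgt, self.tgt_key = name, key, None, None

    def logon(self, kdc):
        preauth = seal(self.key, {"timestamp": time.time()})
        reply, self.tgt = kdc.as_exchange(self.name, preauth)
        self.tgt_key = unseal(self.key, reply)["session_key"]

    def use_service(self, kdc, service):
        """Client/Server Exchange; returns the token the server built for us."""
        auth = seal(self.tgt_key, {"client": self.name, "timestamp": time.time()})
        reply, ticket = kdc.tgs_exchange(self.tgt, auth, service.name)
        sk = unseal(self.tgt_key, reply)["session_key"]
        ts = time.time()
        token, echo = service.accept(ticket, seal(sk, {"client": self.name, "timestamp": ts}))
        if unseal(sk, echo)["timestamp"] != ts:
            raise KerberosError("server failed mutual authentication")
        return token

def demo(password=b"alice-pw-hash", service_key=b"fs1-service-key"):
    """Constructed realm (made-up SIDs): alice logs on and accesses cifs/fs1.
    Pass a wrong password or a wrong service key to see the failure path."""
    kdc = KDC("EXAMPLE.LOCAL",
              keys={"alice": b"alice-pw-hash", "cifs/fs1": b"fs1-service-key"},
              pacs={"alice": {"user_sid": "S-1-5-21-1-2-3-1001",
                              "group_sids": ["S-1-5-21-1-2-3-513"]}})
    alice = Client("alice", password)
    alice.logon(kdc)
    return alice.use_service(kdc, Service("cifs/fs1", service_key))
```

Running `demo()` returns the impersonation-token contents the service built from the PAC (user name, user SID, group SIDs). Calling `demo(password=b"wrong")` fails in the AS Exchange because pre-authentication cannot be decrypted, and `demo(service_key=b"rogue")` fails because a server that does not hold the real service key cannot open the ticket, recover the session key, or produce the echoed timestamp that mutual authentication requires.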

Trusts between Windows 2000 domains within a forest are automatic, two-way, and transitive. This is a vast improvement over Windows NT 4.0 trusts, which had to be created manually and were only one-way. Two types of manual trusts can be created if needed: shortcut trusts (used to directly connect two trusting child domains or root-level domains to make searches and other directory services features faster) and external trusts (used to connect to Windows NT 4.0 domains and external Kerberos realms). Trusts can be created manually with the Netdom command or from the Active Directory Domains and Trusts console.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
