Windows 2000 supports five methods of authenticating user identity:
Windows NTLM
Kerberos v5
Distributed Password Authentication (DPA)
Extensible Authentication Protocol (EAP)
Secure Channel (Schannel)
Windows 2000 uses only NTLM and Kerberos for network authentication. DPA, EAP, and Schannel are for authentication over dial-up connections or the Internet.
Windows NT 4.0 uses Windows NTLM as the default network authentication protocol. For that reason, NTLM is still available in Windows 2000 to maintain backward compatibility with previous versions of Microsoft operating systems. It is also used to authenticate logons to Windows 2000 standalone computers.
Kerberos is the default network authentication protocol for Windows 2000. Kerberos is a widely used authentication protocol based on an open standard. All Windows 2000 computers use Kerberos v5 in the network environment, except in these situations:
Windows 2000 computers use NTLM when they authenticate to Windows NT 4.0 servers
Windows 2000 computers use NTLM when they access resources in Windows NT 4.0 domains
Windows 2000 domain controllers use NTLM when authenticating Windows NT 4.0 clients
Logging in locally to a Windows 2000 domain controller
NTLM suffers in comparison to Kerberos for several reasons:
Authentication with NTLM is slower than with Kerberos
NTLM performs one-way authentication only, which allows server spoofing
NTLM trusts are one-way and non-transitive and thus harder to manage
NTLM is proprietary and not compatible with non-Microsoft networks
Kerberos operates on the assumption that the initial transactions between clients and servers are done on an unsecured network.
Kerberos depends on shared secrets to perform its authentication.
An authenticator is unique information encrypted with the shared secret.
The KDC, the trusted authority used in Kerberos, maintains a database with all account information for principals in the Kerberos realm. A principal is a uniquely named entity that participates in network communication; a realm is an organization that has a Kerberos server.
Another key used with the KDC is the session key, which the KDC issues when one principal wants to communicate with another. For example, if a client wants to communicate with a server, the client sends the request to the KDC, and the KDC in turn issues a session key so that the client and server can authenticate each other. The KDC returns two copies of the session key: one encrypted with the client's long-term key, and one, inside the ticket, encrypted with the server's long-term key.
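The KDC exchange just described (shared secrets, session key issued in two copies, authenticator, and the server's reply that gives mutual authentication), as an added illustration that is not part of the original notes. The cipher is a toy XOR-plus-HMAC stand-in and the principal names, passwords and lifetimes are constructed; real Kerberos uses its own encryption types and message formats.

```python
import hashlib, hmac, json, os

# Toy symmetric cipher standing in for Kerberos encryption (assumption: illustration only):
# XOR with a SHA-256 keystream plus an HMAC tag, so decrypting with the wrong key fails loudly.
def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj) -> bytes:
    data = json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def decrypt(key: bytes, blob: bytes):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, len(body)))))

# Constructed KDC database: each principal's long-term key (derived from its password).
KDC_DB = {"alice@EXAMPLE": hashlib.sha256(b"alice-pw").digest(),
          "fileserver@EXAMPLE": hashlib.sha256(b"srv-pw").digest()}
def kdc_issue(client: str, server: str, now: float) -> bytes:
    """KDC hands out a fresh session key twice: once sealed with the client's long-term
    key, once inside a ticket sealed with the server's long-term key."""
    skey = os.urandom(32)
    ticket = encrypt(KDC_DB[server], {"client": client, "skey": skey.hex(), "expires": now + 600})
    return encrypt(KDC_DB[client], {"skey": skey.hex(), "ticket": ticket.hex()})

def client_request(client: str, client_key: bytes, reply: bytes, now: float):
    """Client recovers the session key and builds an authenticator (its name plus a timestamp)."""
    r = decrypt(client_key, reply)
    skey = bytes.fromhex(r["skey"])
    return skey, bytes.fromhex(r["ticket"]), encrypt(skey, {"client": client, "ts": now})

def server_verify(server: str, ticket: bytes, authenticator: bytes, now: float) -> bytes:
    """Server opens the ticket with its own key, checks the authenticator against it, and
    proves its own identity by echoing the timestamp under the session key (mutual auth)."""
    t = decrypt(KDC_DB[server], ticket)
    if t["expires"] < now:
        raise ValueError("ticket expired")
    skey = bytes.fromhex(t["skey"])
    a = decrypt(skey, authenticator)
    if a["client"] != t["client"] or abs(a["ts"] - now) > 300:
        raise ValueError("authenticator does not match ticket or is stale")
    return encrypt(skey, {"ts": a["ts"]})
```

Note that the server never sees the client's long-term key: it learns the session key only by opening the ticket with its own key, which is why a forged ticket or a replayed authenticator with a stale timestamp is rejected.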
The KDC service runs on every Windows 2000 domain controller. This eliminates a single point of failure for the KDC service (unless, of course, you only have one domain controller).
Policy for Kerberos in Windows 2000 is set at the domain level through the Default Domain Policy group policy object.
Unlike standard Kerberos, which supports two methods of delegation (proxiable tickets and forwardable tickets), Microsoft Kerberos supports forwardable tickets only.
Kerberos verifies users' identities, but does not authorize which resources they can use.
The authorization data field in a Microsoft Kerberos ticket contains a list of user SIDs and group SIDs for the user.
An access token is created after the credentials in a session ticket have been verified. This information is used to construct an impersonation token for accessing services on the server. The impersonation token is presented to the service, and as long as the information presented matches the ACL for the service, access is granted.
In order for users in one Windows NT domain to access resources in another, administrators of the two domains had to set up an explicit trust relationship. These trusts were one-way; if the administrators wanted a reciprocal relationship, two separate trusts had to be created because these trusts were based on the NTLM security protocol, which does not include mutual authentication.
In Windows 2000 networks, with the Kerberos protocol, all trust relationships are two-way and transitive, and an implicit, automatic trust exists between every parent and child domain; it is not necessary for administrators to create these trusts. This transitive state comes about through the use of the Kerberos referral; as a result, every domain in a tree implicitly trusts every other domain in that tree.
Shortcut trusts are two-way transitive trusts that allow you to shorten the trust path in a complex forest. Administrators must explicitly create them to establish a direct trust relationship between Windows 2000 domains in the same forest. A shortcut trust is used to optimize performance and shorten the trust path that Windows 2000 security must take for authentication purposes. The most effective use of shortcut trusts is between two domain trees in a forest.
Shortcut trusts are one of the two types of explicit domain trusts that can be established in Windows 2000; the other is the external trust used to establish a trust relationship with domains that are not part of the forest. The external trust is one-way and non-transitive, as in NT 4.0 domain models. However, as with NT, two one-way trusts can be established if a two-way relationship is desired.
Active Directory automatically creates the parent/child and tree root trusts. You must manually create all shortcut and external trusts.
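The trust model of the three paragraphs above, worked through on a constructed forest as an added example (not from the original notes): automatic parent/child and tree-root trusts form a two-way transitive graph, a shortcut trust cuts the referral path between two distant domains, and an external trust to an NT 4.0-style domain is modelled as a one-way, non-transitive edge that is deliberately kept out of the transitive graph. Domain names are invented for the illustration.

```python
from collections import deque

# Constructed forest: tree root corp.example with child domains, plus a second tree
# (lab.example) joined at the forest root. Parent/child and tree-root trusts are
# automatic, two-way and transitive, so the trust graph is undirected.
FOREST_TRUSTS = {
    ("corp.example", "eu.corp.example"),
    ("eu.corp.example", "sales.eu.corp.example"),
    ("corp.example", "lab.example"),          # tree-root trust
    ("lab.example", "dev.lab.example"),
}
# A shortcut trust between the two leaf domains that talk most: explicit, still two-way transitive.
WITH_SHORTCUT = FOREST_TRUSTS | {("sales.eu.corp.example", "dev.lab.example")}
# An external trust to an NT 4.0 domain is one-way and non-transitive, so it is kept out of the
# transitive graph; the pair reads (trusting domain, trusted domain).
EXTERNAL_TRUSTS = {("corp.example", "NT4DOM")}

def trust_path(trusts, src, dst):
    """Shortest chain of two-way transitive trusts from src to dst: the sequence of
    Kerberos referrals a client in src follows to reach a resource in dst."""
    adj = {}
    for a, b in trusts:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in adj.get(cur, ()):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None  # no trust relationship at all

def referral_hops(trusts, src, dst):
    path = trust_path(trusts, src, dst)
    return None if path is None else len(path) - 1

def can_authenticate(trusts, external, user_domain, resource_domain):
    """Access is possible over any transitive forest path, or when the resource domain
    directly trusts the user's domain through an external trust (no chaining)."""
    if trust_path(trusts, user_domain, resource_domain) is not None:
        return True
    return (resource_domain, user_domain) in external
```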
Trusts can be created from the command prompt using Netdom or from the GUI using the Active Directory Domains and Trusts snap-in.
LM authentication is the least secure Windows 2000 authentication model. It is the default for Windows 95 and Windows 98 clients.
NTLM version 1 is the default authentication method for Windows NT 4.0. It is more secure than LM but less secure than Kerberos, which is the default authentication method for Windows 2000. NTLM version 1 does not authenticate the server; it authenticates only the client.
NTLM version 2 is more secure than NTLM version 1 or LM. Windows 9x and Windows NT 4.0 clients can be configured to use NTLMv2. A registry change is required on both platforms before they will use NTLMv2. Windows 9x clients also need the Directory Services Client installed, whereas NT 4.0 clients must have SP4 or later installed.
NTLM authentication is slower than Kerberos authentication.
NTLM performs one-way authentication. Kerberos provides mutual (two-way) authentication.
NTLM trusts are one-way and nontransitive. Kerberos trusts are two-way and transitive.
NTLM is proprietary and not compatible with non-Microsoft networks.
Kerberos is a shared-secret (symmetric-key) encryption protocol.
Windows 2000 domain controllers run the Kerberos server service, which allows Kerberos passwords and identities to be stored in Active Directory.
Web authentication can be provided by many mechanisms, including:
Anonymous authentication
Digest authentication
Integrated Windows authentication
Certificate mapping
SSL
SSL and TLS are public key-based security protocols. If supported by your Web browser and server, SSL and TLS provide mutual authentication, message integrity, and confidentiality.
Most Web authentication problems can be traced to incorrectly configured (or missing) user accounts or to a lack of the required client credentials.