Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q.  What do you consider the main benefit of using Kerberos authentication?

A.  Kerberos provides mutual authentication: the client verifies the server's identity just as the server verifies the client's. This makes network communication more secure than the one-way authentication (NTLM) of the past.

Q.  Do I need to manually create the Kerberos settings for my Windows 2000 domain?

A.  Windows 2000 Server ships with a default domain policy that includes reasonable settings for the Kerberos policy. The only reason to change the defaults is that your organization's requirements differ from them.

Q.  Can my Windows 9.x clients authenticate using Kerberos?

A.  No, Microsoft is not releasing a Kerberos add-on for Windows 9.x. Windows 9.x clients can only authenticate using the NTLM authentication protocol. To enhance the security of Windows 2000 domains, Microsoft recommends that you upgrade all clients to Windows 2000 so that the more secure Kerberos authentication protocol is used by all systems in the domain.

Q.  How does a server know that a user is authorized to access a service, even though it has only authenticated the user's identity?

A.  Microsoft Kerberos includes a PAC (Privilege Attribute Certificate) in every ticket. The PAC contains the user's SID and the SIDs of all groups of which the user is a member. The server compares this data with the ACL on the service to determine whether access is allowed or denied. If access is allowed, the server also determines the level of access from the information in the ACL.
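To illustrate the PAC-based authorization the answer describes, here is an added Python example (not from the book) that models the user and group SIDs a PAC carries and evaluates them against a service ACL the way Windows walks an ACL: a matching explicit deny short-circuits, matching allows accumulate, and the same walk yields the level of access. The SIDs, the three access-mask bits and the ACL are constructed sample values.

```python
from dataclasses import dataclass
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # constructed subset of access-mask bits

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # SID the ACE applies to
    mask: int   # access bits this ACE grants or denies

def pac_sids(user_sid, group_sids):
    """Authorization data a PAC carries: the user's SID plus every group SID."""
    return frozenset([user_sid, *group_sids])

def access_check(token_sids, acl, desired):
    """Walk the ACL in order, as Windows does: a matching deny ACE overlapping a
    still-ungranted bit fails the check; allow ACEs accumulate granted bits."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def maximum_allowed(token_sids, acl):
    """Level of access: bits granted by allow ACEs minus bits a preceding deny
    ACE withheld (canonical ACLs list deny ACEs first)."""
    denied = granted = 0
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            denied |= ace.mask & ~granted
        else:
            granted |= ace.mask & ~denied
    return granted

# Constructed sample: alice is in Sales only; bob is in Sales and Contractors.
SALES, CONTRACTORS, ADMINS = "S-1-5-21-1-2-3-1200", "S-1-5-21-1-2-3-1300", "S-1-5-21-1-2-3-512"
ALICE = pac_sids("S-1-5-21-1-2-3-1105", [SALES])
BOB = pac_sids("S-1-5-21-1-2-3-1106", [SALES, CONTRACTORS])
SERVICE_ACL = [
    Ace("deny", CONTRACTORS, WRITE),             # explicit deny listed first
    Ace("allow", SALES, READ | WRITE | EXECUTE),
    Ace("allow", ADMINS, READ | WRITE | EXECUTE),
]
```

Bob's Sales membership would grant write, but the deny ACE for Contractors is walked first and wins, which is why an ACL's ordering matters as much as its contents.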

Q.  How does a Windows 2000 client find a Microsoft KDC?

A.  It queries DNS for the SRV records that domain controllers register, and uses them to locate the KDCs in the domain.

Q.  I have one server that is both my domain controller and my DNS server. Everything seems to be running fine, but I cannot log on from any of my clients using Kerberos. All of my clients are running Windows 2000. What could be the problem?

A.  Clients use DNS SRV records to find KDC servers on the network. DNS itself can be running fine, but if the SRV records do not exist, the clients cannot find the domain controllers. When a domain controller boots and starts the Netlogon service, it contacts its configured DNS server and registers all the needed SRV records automatically. If the DNS dynamic updates feature is turned off, this registration must be done manually. Make sure dynamic updates are turned on for your DNS zone; alternatively, you can create all the SRV records by hand (but this practice is not recommended). To enable dynamic updates, open the DNS Management console. Expand your server. Expand Forward Lookup Zones. Right-click the zone that you want to enable for dynamic updates, and go to Properties. Choose Yes from the Allow dynamic updates drop-down list.

Q.  Why are TGTs necessary?

A.  A TGT proves to the KDC that a client requesting a session ticket really is who it claims to be. The KDC issues the TGT to the client when the client first logs on to the domain.

Q.  How can Windows 2000 be configured to use forwardable tickets?

A.  By default, members of the Domain Admins group can forward tickets. For other users, the option has to be configured individually.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
