Kerberos Survival Guide (SPS Chicago)

Slide 1. Kerberos Survival Guide
Presented by: JD Wade, SharePoint Consultant, MCITP
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade

Slide 17. Service classes covered by HOST. When no explicit SPN exists for one of these service classes, the KDC treats the request as if it were for HOST/<fqdn>, which every computer account registers. The list lives in the sPNMappings attribute of the Directory Service object in the configuration partition:
alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, messenger, msiserver, mcsvc, netdde, netddesdm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon, snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www

Slide 41. What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx

Slide 42. How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx

Slide 44. How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx

Slide 49. Your identity is who you are, and authentication is the process of proving it. In many systems your identity is your username, and you prove it with a secret shared between you and the remote system: a password.

Slide 50. The user's password is transformed into the user's long-term key. That key is held in the credentials cache only long enough to decrypt the KDC's reply; once the logon session key has been received, the user key is discarded.

Slide 53. Another reason to keep the explanation simple: the protocol is encryption upon encryption upon encryption. Just remember that it is encrypted.

Slide 54. This is a Windows-centric Kerberos presentation.

Slide 58. Key Distribution Center (KDC). In Windows Active Directory the KDC runs on every domain controller (DC). All KDCs in a domain share one long-term key (the key of the domain's krbtgt account), so a TGT issued by one DC is accepted by every other DC.

Slide 78. Have users log off and log on again if they do not do so regularly: a TGT can only be renewed for so long before it expires (the default renewal lifetime is 7 days), after which the password has to be re-entered.
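The HOST fallback from slide 17 is the usual reason an HTTP site "works" on a box but breaks once the application pool runs as a domain account: with no HTTP/<fqdn> SPN registered, the KDC encrypts the service ticket to the computer account's HOST key, which the pool account cannot decrypt. The following is an added example, not code from the deck, that resolves which account will actually receive a ticket for a given SPN by reading sPNMappings. It assumes the ActiveDirectory module and read access to the configuration partition; the SPN in the usage line is a placeholder.

```powershell
# Added example (not part of the original deck). Assumes the ActiveDirectory
# module is installed and the caller can read the configuration partition.
Import-Module ActiveDirectory

function Get-HostSpnMappings {
    # sPNMappings holds entries shaped like "host=alerter,appmgmt,cifs,..."
    # on the Directory Service object in the configuration naming context.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                          -Properties sPNMappings
    $map = @{}
    foreach ($entry in $dsObj.sPNMappings) {
        $parts = $entry -split '=', 2
        $map[$parts[0].Trim().ToLower()] = @($parts[1] -split ',' | ForEach-Object { $_.Trim().ToLower() })
    }
    return $map
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Escape the LDAP filter metacharacters (RFC 4515) before searching.
    $esc = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$esc)" -Properties servicePrincipalName)
}

function Resolve-SpnAccount {
    param([Parameter(Mandatory)][string]$Spn)   # e.g. HTTP/intranet.contoso.com
    $explicit = Find-SpnOwner -Spn $Spn
    if ($explicit.Count -gt 1) {
        # Two accounts claiming one SPN: the KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN
        # style failures and clients silently fall back to NTLM.
        return [pscustomobject]@{ Spn = $Spn; Result = 'DUPLICATE'; Accounts = $explicit.DistinguishedName }
    }
    if ($explicit.Count -eq 1) {
        return [pscustomobject]@{ Spn = $Spn; Result = 'EXPLICIT'; Accounts = $explicit[0].DistinguishedName }
    }
    # No explicit SPN: check whether the service class is one HOST stands in for.
    $class, $rest = $Spn -split '/', 2
    if (-not $rest) { throw "SPN must look like class/host[:port]" }
    $hostPart = ($rest -split ':')[0]
    $map = Get-HostSpnMappings
    if ($map['host'] -contains $class.ToLower()) {
        $hostOwner = Find-SpnOwner -Spn "HOST/$hostPart"
        if ($hostOwner.Count -eq 1) {
            # The ticket will be encrypted to this (normally computer) account.
            return [pscustomobject]@{ Spn = $Spn; Result = 'HOST-FALLBACK'; Accounts = $hostOwner[0].DistinguishedName }
        }
    }
    return [pscustomobject]@{ Spn = $Spn; Result = 'NONE'; Accounts = $null }
}

# Usage (placeholder SPN): Resolve-SpnAccount -Spn 'HTTP/intranet.contoso.com'
```

A result of HOST-FALLBACK pointing at a computer account while the application pool runs as a domain user means the SPN still has to be registered on that user (setspn -S), and DUPLICATE means one of the two registrations has to go before Kerberos will work at all.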
Slide 91. Knowledge: know your forests, domains, trusts, and functional levels. Get a basic lay of the land.

Slide 92. Always test from a machine other than the web server or a domain controller! A request from the web server to itself, or from a DC, does not take the same ticket path a real client does, so it can succeed while every user fails.

Slide 104. IIS providers are incorrect: Negotiate has to be listed ahead of NTLM, otherwise clients never attempt Kerberos (for IIS 5 or 6, set NTAuthenticationProviders as described in http://support.microsoft.com/kb/215383).

Slide 105. IIS 7: remember kernel-mode authentication and check its settings. With kernel-mode authentication on, tickets are decrypted with the machine account's key unless useAppPoolCredentials is enabled, so an application pool running as a domain account needs that setting.

Slide 106. Client TGT expired (7-day renewal lifetime; have the user log off and log on again, no reboot required).
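The checklist above splits naturally into a server-side look at the IIS 7 settings (slides 104 and 105) and a client-side test of whether Kerberos, rather than NTLM, was actually negotiated (slides 92 and 106). The following is an added example, not part of the deck: Get-IisKerberosConfig runs on the web server and assumes the WebAdministration module; Test-KerberosToSite runs from a domain-joined client that is neither the web server nor a DC and relies on the klist.exe that ships with Vista/2008 and later. $SiteName, $Url and $ExpectedSpn are placeholders you supply.

```powershell
# Added example (not part of the original deck).
# Get-IisKerberosConfig: run ON the IIS 7+ web server (needs WebAdministration).
# Test-KerberosToSite:   run FROM a domain-joined client, never the web server or a DC.

function Get-IisKerberosConfig {
    param([string]$SiteName = 'Default Web Site')   # placeholder site name
    Import-Module WebAdministration
    $path   = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $auth   = Get-WebConfiguration -Filter $filter -PSPath $path
    # Provider order matters: Negotiate must be first or clients will use NTLM (slide 104).
    $providers = @(Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $path |
                   ForEach-Object { $_.value })
    $poolName = (Get-Item $path).applicationPool
    $pool     = Get-ItemProperty "IIS:\AppPools\$poolName"
    $warnings = @()
    if (-not $auth.enabled)            { $warnings += 'Windows Authentication is disabled' }
    if ($providers[0] -ne 'Negotiate') { $warnings += "First provider is '$($providers[0])', not Negotiate" }
    # Slide 105: kernel-mode auth decrypts with the MACHINE account key unless
    # useAppPoolCredentials is true, so a pool running as a domain user whose
    # account holds the HTTP SPN cannot decrypt the ticket.
    if ($auth.useKernelMode -and $pool.processModel.identityType -eq 'SpecificUser' -and
        -not $auth.useAppPoolCredentials) {
        $warnings += "Kernel mode on, pool runs as $($pool.processModel.userName), useAppPoolCredentials is false"
    }
    [pscustomobject]@{
        Site = $SiteName; Enabled = $auth.enabled; KernelMode = $auth.useKernelMode
        UseAppPoolCredentials = $auth.useAppPoolCredentials; Providers = $providers
        AppPool = $poolName; Identity = $pool.processModel.identityType; Warnings = $warnings
    }
}

function Test-KerberosToSite {
    param(
        [Parameter(Mandatory)][string]$Url,          # e.g. https://intranet.contoso.com/
        [Parameter(Mandatory)][string]$ExpectedSpn   # e.g. HTTP/intranet.contoso.com
    )
    # 1. Slide 106: without a valid TGT no Kerberos exchange can happen.
    $tgt = klist tgt 2>&1 | Out-String
    if ($tgt -notmatch 'krbtgt') {
        return [pscustomobject]@{ Url = $Url; Outcome = 'NO-TGT'; Detail = 'Log off and on again (no reboot needed)' }
    }
    # 2. Flush cached tickets (TGT included; LSA re-acquires it silently) so the
    #    test reflects the current SPN registrations and group memberships.
    klist purge | Out-Null
    # 3. Make one request with integrated Windows authentication.
    try {
        $resp   = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        $status = [int]$resp.StatusCode
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    # 4. If Kerberos was negotiated, a service ticket for the site's SPN is now
    #    cached. A 200 with no such ticket means the server fell back to NTLM.
    $cache     = klist 2>&1 | Out-String
    $gotTicket = $cache -match [regex]::Escape($ExpectedSpn)
    $outcome   = if ($status -eq 200 -and $gotTicket) { 'KERBEROS' }
                 elseif ($status -eq 200)             { 'NTLM-FALLBACK' }
                 else                                 { "HTTP-$status" }
    [pscustomobject]@{
        Url = $Url; Outcome = $outcome
        Detail = @($cache -split "`n" | Where-Object { $_ -match 'Server:' })
    }
}

# Usage (placeholders):
#   Get-IisKerberosConfig -SiteName 'Default Web Site'
#   Test-KerberosToSite -Url 'https://intranet.contoso.com/' -ExpectedSpn 'HTTP/intranet.contoso.com'
```

NTLM-FALLBACK is the outcome to chase: the page rendered, so nobody complains, but delegation to SQL or another back end will fail later because there is no Kerberos ticket to delegate. Run Get-IisKerberosConfig on the server and the SPN check on the domain side before blaming the client.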