The Windows 2000 implementation of the Kerberos Authentication protocol does not require extensive administration or configuration. Because it is the default authentication package, it is installed automatically on all Microsoft Windows 2000-based computers. Except for smart cards, Kerberos normally operates automatically and you are not required to set it up. There are very few policy choices that can be applied to Kerberos. Network Monitor does not have a built-in parser for Kerberos, and because most Kerberos traffic is encrypted, traces are not very revealing and therefore not very useful. This article describes administration of the Kerberos protocol.
Two utilities are included for Kerberos administration: KerbTray and NetDom.
KerbTray is used to display ticket information for a given computer running the Kerberos protocol. The KerbTray icon is located in the system tray (on the right side of the taskbar) and can be used to view and purge the ticket cache. To use KerbTray, right-click the icon, and then click List Tickets or Purge Tickets. When you are viewing the ticket cache, the following flags map to the Flags column:
- F = forwardable
- f = forwarded
- P = proxiable
- p = proxied
- D = may postdate
- d = postdated
- i = invalid
- R = renewable
- I = initial
- H = hardware authenticated
- A = pre-authenticated
- L = OK as delegate
Ticket Flag Defaults
- For the Ticket Granting Ticket, or TGT (the first listed ticket): FPRI (Forwardable, Proxiable, Renewable, and Initial).
- For session tickets (the second and third listed tickets): FPR (Forwardable, Proxiable, and Renewable).
NetDom is a Resource Kit tool for manipulating secure channels between servers, and between servers and workstations. In Windows 2000, NetDom checks domain servers and trusts, and it has been modified to also allow the resetting of Kerberos transitive trusts.
Kerberos Policy Settings
In Windows 2000, the Kerberos policy is defined at the domain level and implemented by the domain's Key Distribution Center (KDC). The Kerberos policy is stored in Active Directory as a subset of the attributes of the domain security policy. By default, policy options can be set only by members of the Domain Administrators group.
The Kerberos policy is located in the Default Domain Policy and includes the following options:
Enforce User Logon Restrictions
When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to gain access to the computer from the network. It is also a check to ensure that the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. Default value: Enabled.
Maximum Lifetime That a User Ticket Can Be Renewed
This is the maximum lifetime of a ticket (either a TGT or a session ticket, although the policy specifies that this is for a "user ticket"). No ticket can be renewed after this time. Default value: 7 days.
Maximum Service Ticket Lifetime
A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
Maximum Tolerance for Synchronization of Computer Clocks
The KDC server's clock and the Kerberos client's clock have to be synchronized to within a specified number of minutes. If the clocks are not synchronized within the specified number of minutes, tickets are not issued to the client. This is a deterrent to replay attacks. Settings are in minutes. Default value: 5 minutes.
Maximum User Ticket Lifetime
A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
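The following Python model is an added illustration of how the five policy settings above interact; it is not Microsoft code and does not reproduce the KDC's implementation. The setting names, defaults and the ordering constraint between the service ticket and user ticket lifetimes come from the article. The class and function names, the three-way TGT state, and the use of the SeInteractiveLogonRight and SeNetworkLogonRight user rights to stand for "log on locally" and "access this computer from the network" are assumptions for the demonstration. Because both lifetime defaults are 10 hours, the service-ticket bound is modelled as "must not exceed" rather than strictly "less than".

```python
"""Model of the Windows 2000 Kerberos domain policy checks (illustrative, not Microsoft code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Assumed names for the two user rights the KDC consults when
# "Enforce User Logon Restrictions" is enabled.
LOG_ON_LOCALLY = "SeInteractiveLogonRight"
ACCESS_FROM_NETWORK = "SeNetworkLogonRight"


@dataclass
class KerberosPolicy:
    # Defaults mirror the Default Domain Policy values in the article.
    enforce_user_logon_restrictions: bool = True
    max_renew_lifetime: timedelta = timedelta(days=7)            # user ticket can be renewed
    max_service_ticket_lifetime: timedelta = timedelta(hours=10)  # session ticket lifetime
    max_clock_skew: timedelta = timedelta(minutes=5)              # clock synchronization tolerance
    max_user_ticket_lifetime: timedelta = timedelta(hours=10)     # TGT lifetime

    def validate(self) -> List[str]:
        """Return the policy constraints from the article that this configuration violates."""
        problems = []
        if self.max_service_ticket_lifetime <= timedelta(minutes=10):
            problems.append("service ticket lifetime must be more than 10 minutes")
        if self.max_service_ticket_lifetime > self.max_user_ticket_lifetime:
            problems.append("service ticket lifetime must not exceed user ticket lifetime")
        return problems

    def within_clock_skew(self, client_time: datetime, kdc_time: datetime) -> bool:
        """Replay deterrent: a request whose timestamp is too far from the KDC clock is refused."""
        return abs(client_time - kdc_time) <= self.max_clock_skew

    def can_renew(self, first_issued: datetime, now: datetime) -> bool:
        """No ticket can be renewed once the renew lifetime, measured from first issue, has passed."""
        return now - first_issued < self.max_renew_lifetime

    def tgt_state(self, first_issued: datetime, now: datetime) -> str:
        """'valid' inside the user ticket lifetime, 'renewable' after it has lapsed but before the
        renew lifetime runs out, otherwise 'expired' (the user must log on again)."""
        age = now - first_issued
        if age < self.max_user_ticket_lifetime:
            return "valid"
        if age < self.max_renew_lifetime:
            return "renewable"
        return "expired"


def kdc_issue_session_ticket(policy: KerberosPolicy, account_valid: bool,
                             target_rights: Set[str], client_time: datetime,
                             kdc_time: datetime) -> Tuple[bool, str]:
    """Assumed decision sequence for a session (service) ticket request.

    Clock skew is always checked; the logon-restriction step runs only when the
    policy enables it, since the article notes it is optional because it costs time.
    """
    if not policy.within_clock_skew(client_time, kdc_time):
        return False, "clock skew exceeds tolerance; ticket not issued"
    if policy.enforce_user_logon_restrictions:
        if not account_valid:
            return False, "requesting account is no longer valid"
        if not ({LOG_ON_LOCALLY, ACCESS_FROM_NETWORK} & target_rights):
            return False, "user has neither local nor network logon right on target"
    return True, "session ticket issued"


if __name__ == "__main__":
    policy = KerberosPolicy()
    # Constructed timestamps for the walkthrough.
    logon = datetime(2000, 2, 17, 9, 0, 0)
    print("default policy problems:", policy.validate())
    print("TGT after 11h:", policy.tgt_state(logon, logon + timedelta(hours=11)))
    print(kdc_issue_session_ticket(policy, True, {ACCESS_FROM_NETWORK}, logon, logon))
    print(kdc_issue_session_ticket(policy, True, set(), logon, logon))
```

Run it directly to see the default policy accepted, a TGT reported as renewable after its 10-hour lifetime, and a session ticket refused when the requester holds neither logon right on the target. Changing `max_service_ticket_lifetime` to 5 minutes or 12 hours makes `validate()` report the corresponding constraint from the article.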