Is the Windows 2000 Kerberos implementation interoperable with
other Kerberos implementations?
The Windows 2000 implementation of Kerberos was developed based
on the following RFCs:
GSSAPI Kerberos V5 Mechanism: http://www.ietf.org/rfc/rfc1964.txt?number=1964
Testing with MIT Kerberos versions 1.0.5, 1.0.6 and 1.1.1 indicates that
interoperability exists for a number of scenarios that are described in the
following Windows 2000 Kerberos Interoperability whitepaper:
Interoperability testing has also occurred with Heimdal,
CyberSafe, IBM and Sun implementations.
The Microsoft Windows 2000
Kerberos implementation is compliant with the following RFCs:
The Microsoft Windows 2000 implementation of Kerberos V5 does not
contain support for Kerberos V4.
How do I set up a cross-realm trust to a Windows 2000 domain?
The steps are outlined in the Step-by-Step Guide to Kerberos 5
(krb5 1.0) Interoperability:
Does Windows 2000 support Kadmin?
No, Windows 2000 supports Lightweight Directory Access Protocol
(LDAP) for account administration.
What password changing protocol does Windows 2000 support for
Windows 2000 implements the Kerberos Change Password protocol as
described in the Internet Draft draft-ietf-cat-kerb-chg-password-02.txt. This
protocol is also implemented in MIT krb5-1.1.1.
Note: A copy of the Internet Draft referenced above can be found in the
sample file link at the bottom of this Web page.
How does Windows 2000 locate the Key Distribution Centers (KDCs)?
Windows 2000 clients use Domain Name System (DNS) SRV records to
locate domain controllers in a domain, and they attempt to resolve the
_ldap._tcp.dc._msdcs SRV records. Windows 2000 domain controllers also publish
SRV records for _kerberos and _kpasswd services. The list of published SRV
records can be found on a domain controller in the following file:
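As an added example (not code from the Microsoft article), the following Python models how a Kerberos client consumes the SRV records described above: it parses constructed zone-file lines shaped like the _kerberos, _kpasswd and _ldap._tcp.dc._msdcs records a domain controller publishes, and orders the targets the way RFC 2782 requires (lowest priority value first, weighted random selection within a priority). EXAMPLE.COM, the host names, weights and TTLs are made up; the owner-name convention for _kerberos and _kpasswd is the standard RFC 4120/2782 one.

```python
"""Order the Kerberos SRV records a Windows 2000 domain controller publishes.

Added example, not code from the Microsoft article. The zone-file lines below
are constructed to look like the _kerberos, _kpasswd and _ldap._tcp.dc._msdcs
entries the article mentions; EXAMPLE.COM, the host names and the weights are
made up. Ordering follows RFC 2782 (lowest priority first, weighted random
within a priority).
"""
import random
from dataclasses import dataclass

# Constructed sample of what a DC's SRV publication looks like in zone syntax.
SAMPLE_ZONE = """\
_kerberos._tcp.example.com.        600 IN SRV 0 100  88 dc1.example.com.
_kerberos._tcp.example.com.        600 IN SRV 0 100  88 dc2.example.com.
_kerberos._tcp.example.com.        600 IN SRV 10  0  88 dc-backup.example.com.
_kpasswd._tcp.example.com.         600 IN SRV 0 100 464 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.  600 IN SRV 0 100 389 dc1.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _kerberos._tcp.example.com
    priority: int
    weight: int
    port: int
    target: str    # host offering the service


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file line: NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    name, _ttl, _cls, _type, prio, weight, port, target = fields
    return SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                     int(port), target.rstrip(".").lower())


def parse_zone(text: str):
    """Parse every non-blank line of a zone fragment into SrvRecord objects."""
    return [parse_srv(line) for line in text.splitlines() if line.strip()]


def kerberos_srv_names(domain: str):
    """SRV owner names a Kerberos client looks up for a domain (RFC 4120/2782
    convention; _ldap._tcp.dc._msdcs is the name the article says Windows 2000
    resolves to find domain controllers)."""
    d = domain.lower().rstrip(".")
    return {
        "kdc": f"_kerberos._tcp.{d}",
        "kpasswd": f"_kpasswd._tcp.{d}",
        "dc": f"_ldap._tcp.dc._msdcs.{d}",
    }


def order_targets(records, service_name, rng=None):
    """Return (host, port) pairs for service_name in the order a client should try them."""
    rng = rng if rng is not None else random.Random(0)
    candidates = [r for r in records if r.name == service_name.lower().rstrip(".")]
    ordered = []
    for prio in sorted({r.priority for r in candidates}):   # lowest priority value first
        pool = [r for r in candidates if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:                                   # all weights 0: any order is fine
                pick = pool[0]
            else:                                            # weighted random selection;
                n = rng.randrange(total)                     # weight-0 entries wait until
                running = 0                                  # the weighted ones are used up
                for pick in pool:
                    running += pick.weight
                    if n < running:
                        break
            ordered.append((pick.target, pick.port))
            pool.remove(pick)
    return ordered


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for role, name in kerberos_srv_names("example.com").items():
        print(role, order_targets(recs, name))
```

The backup KDC with priority 10 is only returned after both priority-0 controllers, which is the behaviour an administrator relies on when publishing a fallback record.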
Does Windows 2000 support Generic Security Service Application
Programming Interface (GSSAPI) (RFC-2743
Microsoft supports the Security Support Provider Interface (SSPI)
which is semantically similar to the GSSAPI, but syntactically different. For
additional information about SSPI, see the Microsoft Windows Platform SDK. The
protocol used by Kerberos Security Support Provider (SSP) is the same as that
used by the GSSAPI Kerberos5 mechanism defined in the following RFC:
Does Windows 2000 support Krb5 Application Programming Interfaces
No. The only Kerberos interfaces that Windows 2000 supports are
through the SSPI and the LsaCallAuthenticationPackage() ticket interfaces
documented in the Windows Platform SDK. The SSPI interfaces are equivalent to
the Kerberos GSSAPI and produce an application that uses the GSSAPI/Kerberos 5
protocol on the wire. The LsaCallAuthenticationPackage() interfaces provide a
mechanism to retrieve tickets from the Kerberos ticket cache.
What extensions did Microsoft make to Kerberos?
Microsoft has implemented the following extensions which are
published as IETF Internet Drafts:
Kerberos Set Password protocol:
What is in the Kerberos ticket authorization data?
The authorization data in the Kerberos ticket was intended by the
following RFC authors to implement vendor-specific authorization data:
Windows 2000 uses this field to hold data specific to its
distributed security mechanism. This is described in the Windows 2000 Server
Distributed Systems Guide pages 667-669. Information on intended use of the
authorization field is located in the following RFC:
How does Windows 2000 keep system clocks synchronized?
Windows 2000 clients use the following version of Simple Network
Time Protocol (SNTP):
Time synchronization uses Coordinated Universal Time (UTC), which
is time zone independent. A computer determines its time source by following a
complex algorithm involving sites, domains, the PDC FSMO, and Reliable Time
Servers. The time service is controlled by using the net time
command. The act of joining a domain enables the Windows 2000 Time service so
that it automatically starts at boot. When communicating with Windows 2000
computers, time packets are secured with a signed hash of the time information.
Security is based on the Windows NT secure channel, and the signature key is
determined by the machine account of the client.
What encryption types does Windows 2000 support?
Windows 2000 supports the following encryption types:
Kerberos Encryption Key Lengths:
| RC4-HMAC | 128 | 128 | 56 (128 with the High Encryption Pack installed) |
How do I find out what Kerberos tickets I have?
The Kerberos tickets are kept in a ticket cache by the LSA, and the
cache is destroyed when the user logs out. Only the logged on user has access
to the tickets in the cache. The Resource Kit utilities Klist.exe or
Kerbtray.exe can be used to examine the tickets in the cache.
Does Windows 2000 support Pkinit?
Windows 2000 Kerberos provides an implementation of Pkinit draft
version 9. The specific use of Pkinit in Windows 2000 is constrained to
supporting SmartCard logon. Pkinit has not been tested with other
implementations since the release of Windows 2000.
What are the default ticket lifetimes?
The default ticket lifetimes are controlled at the domain level
by using domain policy. The defaults are:
- MaxServiceTicketAge: 10 hours
- MaxTicketAge: 10 hours
- MaxRenewAge: 7 days
- MaxClockSkew: 5 minutes
What does Enforce Logon Restrictions
There is a setting for the Kerberos policy called "Enforce Logon
Restrictions". With this setting enabled, every time a user uses a
ticket-granting-ticket (TGT) to request a ticket, the account is checked to see
if it is still valid. That would prevent a disabled account from obtaining new
How do I use delegation?
Delegation permits a service to act as the user with that user's
access to network resources. This requires the client to forward a user's TGT
to the service so that it can request tickets from a KDC on behalf of the user.
Since the service is able to act as the user, it is important that the service
be trusted before giving it your TGT. Windows 2000 has controls that can limit
when a service provides a user's TGT when delegation is requested.
The Kerberos revisions Internet Draft specifies a new ticket flag, "OK as
delegate". The Windows 2000 KDC sets this flag in service tickets for accounts
that have the "Trusted for delegation" account control flag set. If the service
ticket has the "OK as delegate" flag set, then the SSPI forwards the user's TGT
to the service if the SSPI program requested delegation. If the ticket flag is
not set, then the SSPI delegation flag is ignored and the TGT is not forwarded.
If you are running with a KDC that does not set the ticket flag, you can set
the RealmFlags value in the registry configuration for the external realm to
trust the realm for delegation. Setting RealmFlags to a value of 4 enables this
feature. For additional information about the RealmFlags registry setting, see
the Windows 2000 Registry Reference (Regentry.chm) included in the Windows 2000
Resource
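As an added example (not code from the Microsoft article), the Python below models both halves of the delegation rule described above. Ticket flags are decoded with the RFC 4120 TicketFlags numbering (bit 0 is the most significant bit of the 32-bit word, so ok-as-delegate, bit 13, is 0x00040000); the KDC side sets that bit only for services whose account is trusted for delegation, and the SSPI side forwards the TGT only when the caller asked for delegation and either the flag is present or the external realm's RealmFlags carries the value 4. Treating RealmFlags as a bit mask is an assumption of this example; the realm names and flag words are constructed.

```python
"""Model the OK-AS-DELEGATE decision on the KDC side and the SSPI client side.

Added example, not code from the Microsoft article. Ticket flags use the
RFC 4120 TicketFlags bit numbering (bit 0 = most significant bit of a 32-bit
word). Treating RealmFlags as a bit mask is an assumption; the article only
says that the value 4 enables trust for delegation. Realm names and flag
words below are constructed.
"""

# RFC 4120 TicketFlags bit positions, numbered from the most significant bit.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}
REALMFLAGS_TRUST_FOR_DELEGATION = 0x4   # the RealmFlags value the article names


def flag_mask(name):
    """32-bit mask for one TicketFlags name (ok-as-delegate -> 0x00040000)."""
    return 1 << (31 - TICKET_FLAG_BITS[name])


def decode_ticket_flags(flags):
    """Names of the flags set in a 32-bit TicketFlags word, e.g. from a klist dump."""
    return [n for n in TICKET_FLAG_BITS if flags & flag_mask(n)]


def kdc_service_ticket_flags(base_flags, account_trusted_for_delegation):
    """KDC side: set OK-AS-DELEGATE only when the service account has the
    'Trusted for delegation' account control flag; clear it otherwise."""
    if account_trusted_for_delegation:
        return base_flags | flag_mask("ok-as-delegate")
    return base_flags & ~flag_mask("ok-as-delegate") & 0xFFFFFFFF


def should_forward_tgt(ticket_flags, delegation_requested, service_realm,
                       local_realm, realm_flags=None):
    """SSPI side: return (forward?, reason) for a service ticket with these flags."""
    realm_flags = realm_flags or {}
    if not delegation_requested:
        return False, "caller did not request delegation"
    if ticket_flags & flag_mask("ok-as-delegate"):
        return True, "service ticket carries OK-AS-DELEGATE"
    # External realm whose KDC never sets the flag: the registry override applies.
    if (service_realm != local_realm and
            realm_flags.get(service_realm, 0) & REALMFLAGS_TRUST_FOR_DELEGATION):
        return True, f"RealmFlags for {service_realm} trusts the realm for delegation"
    return False, "no OK-AS-DELEGATE flag; delegation request ignored, TGT not forwarded"


if __name__ == "__main__":
    flags = kdc_service_ticket_flags(0x40a00000, account_trusted_for_delegation=True)
    print(hex(flags), decode_ticket_flags(flags))
    print(should_forward_tgt(flags, True, "EXAMPLE.COM", "EXAMPLE.COM"))
    print(should_forward_tgt(0x40a00000, True, "MIT.EXAMPLE.COM", "EXAMPLE.COM",
                             {"MIT.EXAMPLE.COM": 4}))
```

The separation matters for review: an application asking for delegation gets nothing unless an administrator has either marked the service account trusted for delegation or, for a foreign realm, set RealmFlags to 4, so those two settings are the ones to audit when tracking where TGTs may be forwarded.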
Does Windows 2000 support SPNEGO (RFC-2478
Yes. The Negotiate SSP implements SPNEGO. The Negotiate SSP is
the common default package that most programs use in Windows 2000.
Are Telnet and File Transfer Protocol (FTP) clients in Windows
The Telnet and FTP services in Windows 2000 do not use Kerberos
The third-party products that this article discusses are
manufactured by companies that are independent of Microsoft. Microsoft makes no
warranty, implied or otherwise, regarding the performance or reliability of