Cracking Open Kerberos: Understanding How Active Directory Knows Who You Are
When used for simple authentication, Active Directory's authenticator-of-choice Kerberos is trouble-free: set up an AD, Kerberos just works and that's it. But start to add AD-aware servers and services, or try to understand how a read-only domain controller differs from a full DC, and all of a sudden there's a LOT to know. Ticket granting tickets, pre-authenticators, and session keys are just the start, as anyone who's attended security techie Mark Minasi's highly-rated "Windows Logins Revealed" at a previous Tech·Ed knows. But what's this about "delegation," or in Windows Server 2008, "CONSTRAINED delegation" -- is it only permissible between consenting adults? And what's an "SPN," the thing that the invaluable "setspn" utility assists with? Once past that, you may find that some of your users seem to be logged onto AD but aren't really, due to the frightening-sounding "token bloat." What's all of this (it's good news, really), and what can it do for (or to) you? Find out when Mark resumes the mantle of Revealer of Windows Logons, explaining all this -- and more -- while keeping that trademark Minasi energy and humour.