Cracking Open Kerberos: Understanding How Active Directory Knows Who You Are



When used for simple authentication, Active Directory's authenticator of choice, Kerberos, is trouble-free: set up an AD, Kerberos just works, and that's it. But start to add AD-aware servers and services, or try to understand how a read-only domain controller differs from a full DC, and suddenly there's a LOT to know. Ticket-granting tickets, pre-authenticators, and session keys are just the start, as anyone who's attended security techie Mark Minasi's highly rated "Windows Logins Revealed" at previous Tech·Ed conferences knows. But what's this about "delegation," or, in Windows Server 2008, "CONSTRAINED delegation"--is it only permissible between consenting adults? And what's an "SPN," the thing that the invaluable "setspn" utility assists with? Once past that, you may find that some of your users seem to be logged onto AD but aren't really, due to the frightening-sounding "token bloat." What's all of this (it's good news, really), and what can it do for (or to) you? Find out when Mark resumes the mantle of Revealer of Windows Logons, explaining all this--and more--while keeping that trademark Minasi energy and humor.






