Kerberos / SPNEGO – SPNEGO is not a second authentication protocol. It is the GSS-API negotiation wrapper ( RFC 4178 ) that the browser and the server use to agree on a mechanism; in an Active Directory environment the mechanism negotiated is Kerberos, so for browser SSO the two terms are used interchangeably. ( Caveat : SPNEGO can also fall back to NTLM, which is weaker, so a server that only wants Kerberos must check which mechanism was actually negotiated. )
Kerberos – Network authentication protocol, originally from MIT ( RFC 4120 ). It is not a Microsoft protocol; Microsoft's implementation is the one built into Windows and Active Directory, and MIT / Heimdal implementations interoperate with it.
What is Kerberos used for ?
– Kerberos is mainly used to achieve SSO.
– When a user logs in to a machine ( Windows OS ) , the same logon is used to authenticate to different services ( i.e. the user need not enter his user name and password again and again ). The password itself is never sent to the services.
– Limitations :
- Every client must be able to reach the KDC directly ( port 88 ) , so it is impractical across the internet and is in effect limited to the intranet / domain.
- Client, KDC and service clocks must be in sync ( 5 minutes skew allowed by default ) and DNS must resolve the host name that appears in the service's SPN.
- It is not limited to Microsoft clients : non-Windows clients ( MIT / Heimdal Kerberos ) can obtain tickets from an AD KDC, but they need a krb5 configuration pointing at the domain.
ADS – stands for Active Directory Service.
KDC – stands for Key Distribution Center.
– It is a part of ADS ( every domain controller runs the KDC service ).
– ADS is like a database of all the users.
– For each and every user the KDC stores a key ( the KDC is like a database of keys ).
– This key is unique to the user and stays the same until the user's password changes.
– It is derived from the user's password by a string-to-key function ( for the AES enctypes, PBKDF2 over the password with a salt of REALM + user name; for the older RC4-HMAC enctype it is simply the NT hash of the password ). The password itself is not stored.
– It is a derived key, not an encrypted copy of the password ( AD does keep it encrypted at rest in ntds.dit ). Anyone who obtains it can impersonate the user without knowing the password, so it must be protected as a credential.
– This key is called the LongTerm key of the user.
– It is computed and stored when the user is created or the password is set.
LSA – Local Security Authority.
– It is present on every Windows system ( the lsass.exe process ).
– It takes care of logon and the other security tasks on the client and is responsible for deriving the LongTerm key from the password that the user types at logon.
– It uses the same string-to-key algorithm as the KDC does in ADS, so the client and the KDC arrive at the same key without the password ever crossing the network.
As we saw earlier KDC has all the LongTerm keys.
KDC has 2 services inside it, namely :
– Authentication Service. ( AS )
– Ticket Granting Service. ( TGS )
In ADS even the KDC has a principal ( the krbtgt account ) and hence a LongTerm key, say Lkdc. Every TGT is encrypted with Lkdc, so whoever obtains Lkdc can forge TGTs for any user ( a "golden ticket" ); it is the most sensitive key in the domain.
When a user logs in to a machine the client proves to the Authentication Service that it holds Lc ( it sends a timestamp encrypted with Lc as pre-authentication ); the password itself is never sent.
If it is a valid user then the Authentication Service provides the user with a TGT ( Ticket Granting Ticket ), encrypted with Lkdc so the client cannot read or alter it.
The user has to present this TGT to the Ticket Granting Service to get the Kerberos ticket for the service he wants.
So the TGT is nothing but a piece of information that the TGS uses to grant a Kerberos ( service ) ticket to a user.
The TGT will be the same even if the services the user requests are different.
The client has a Credential Cache. The TGT is stored here by the user.
If a TGT is available in the cache the user does not go to the AS again; it takes the TGT directly to the TGS to get the Kerberos ticket.
The Credential Cache is cleared when the user logs off from his system. ( A TGT also has a lifetime, 10 hours by default in AD, after which a fresh AS exchange is needed. )
Hence the TGT establishes the trust between the Client / User and the KDC / ADS.
Now we need to establish the trust between the KDC / ADS and the services ( i.e WLS in our case )
– To achieve the trust at the KDC side we create a service account in ADS ( a user object that represents the service ).
– ADS should not treat this as a normal user, hence we set an SPN attribute on it ( i.e. the service account gets a servicePrincipalName, e.g. HTTP/<fully qualified host name of WLS> ). A principal with an SPN can be the target of a ticket request. The SPN must be unique in the forest : if two accounts carry the same SPN the KDC cannot tell which Ls to encrypt the ticket with and authentication fails.
– SPN stands for Service Principal Name.
Trust is now established at the ADS side.
Now trust has to be established at the WLS side; for that we generate a keytab ( on Windows with the ktpass tool ).
Keytab – it is a binary file, not meant to be read or edited by hand.
– it is a collection of keys ( one entry per principal / enctype / key version number ).
– the key in it is the LongTerm key Ls of the service ( the service account that was added in ADS ).
– it must be protected like a password : whoever reads it can decrypt every ticket for the service and impersonate it. It must also be regenerated whenever the service account password is reset, because the key version number ( kvno ) changes and tickets issued for the new kvno will not decrypt with the old keytab.
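To make "a collection of keys" concrete, here is an added example ( not code from the original notes, nor from WebLogic or Windows ) that writes and reads the MIT keytab format ( version 0x0502 ), which is the format ktpass and ktutil produce and WLS consumes. The principal HTTP/wls.example.com@EXAMPLE.COM and the key bytes are constructed placeholders, not a real Ls. The key_for_ticket lookup shows the kvno caveat above : a ticket encrypted under a kvno the keytab does not hold cannot be decrypted.

```python
# Build and parse an MIT-format keytab (version 2). Added example; sample data is constructed.
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    out = b"\x05\x02"                                          # keytab file format version 2
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")                           # e.g. ["HTTP", "wls.example.com"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)      # keyblock: enctype + key bytes
        body += struct.pack(">I", kvno)                         # optional full 32-bit kvno
        out += struct.pack(">i", len(body)) + body              # entry is prefixed by its size
    return out


class _Reader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self) -> bytes:
        n = self.take(">H")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted slot: skip it
            pos += -size
            continue
        r = _Reader(data[pos:pos + size])
        pos += size
        ncomp = r.take(">H")
        realm = r.counted().decode()
        components = [r.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = r.take(">IIB")
        enctype = r.take(">H")
        key = r.counted()
        kvno = r.take(">I") if r.remaining() >= 4 else vno8   # 32-bit kvno wins when present
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "key": key})
    return entries


def key_for_ticket(entries, spn: str, realm: str, enctype: int, kvno: int):
    """Key a ticket for this SPN was encrypted with; None means the keytab is stale
    (e.g. the service account password was reset and the kvno moved on)."""
    for e in entries:
        if e["principal"] == "%s@%s" % (spn, realm) and e["enctype"] == enctype and e["kvno"] == kvno:
            return e["key"]
    return None


# Constructed sample: one service account, two enctypes, both at kvno 3. Placeholder key bytes.
SAMPLE_ENTRIES = [
    ("HTTP/wls.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1700000000),
    ("HTTP/wls.example.com@EXAMPLE.COM", 3, 23, bytes(range(16)), 1700000000),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
```

Running it against a real keytab file ( `parse_keytab(open("wls.keytab", "rb").read())` ) lists the same fields that `klist -k -e` or `ktutil` would show. If the kvno in the keytab is lower than the kvno in the tickets the KDC issues, the keytab is stale and must be regenerated.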
So the ADS holds three kinds of LongTerm keys, namely :
- Lc – ( LongTerm key of each ordinary user )
- Lkdc – ( LongTerm key of the KDC itself, the krbtgt account in ADS )
- Ls – ( LongTerm key of the Service, which also has an account in ADS )
The KDC has access to all three; the client holds only its own Lc and the service holds only its Ls ( via the keytab ).
Note : Unexpected behaviour was seen when the MS client , ADS and WLS were all on the same network domain.
So it is better to have the MS client and ADS on one network domain and WLS on a different one.
So the keys that we have seen till now in Kerberos are :
– Lc – LongTerm key of the user.
– Lkdc – LongTerm key of KDC
– Ls – LongTerm key of Service.
– TGT – Ticket Granting Ticket ( the ticket provided by the Authentication Service in the KDC to a valid user, encrypted with Lkdc ).
– KT – Kerberos ticket – Ticket provided by the Ticket Granting Service of KDC to the user with a valid TGT.
A LongTerm key stays the same until the password it is derived from changes; it is not tied to any session.
A ShortTerm key or Session key is generated fresh by the KDC for a particular session and travels inside the ticket; it is valid only for that ticket's lifetime.
Sw – Session key between WLS and the client ( carried in the Kerberos ticket, encrypted with Ls ).
Sck – Session key between the client and the KDC ( carried in the TGT, encrypted with Lkdc ).
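The whole exchange above, as an added example ( not code from the original notes, nor from WebLogic or Windows ) that models the AS and TGS exchanges and the final ticket presentation to WLS using the notes' own names : Lc, Lkdc, Ls, Sck, Sw, TGT and the service ticket. The cipher and the string-to-key function are stand-ins chosen so the script runs with the Python standard library only; they are not Kerberos enctypes. Realm EXAMPLE.COM, user alice, SPN HTTP/wls.example.com and all passwords are constructed. The example goes a little beyond the text by also showing the three failure cases a practitioner meets : a wrong password, a missing SPN, and a tampered ticket.

```python
# Toy model of the Kerberos SSO flow: AS -> TGT, TGS -> service ticket, ticket -> WLS.
# Added example with a stand-in cipher and string-to-key; not real Kerberos enctypes.
import hashlib
import hmac
import json
import secrets


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key: salted PBKDF2 (the AES enctypes also
    start from PBKDF2 over REALM+principal, then apply a key-derivation step)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS sharing one key database (the ADS): Lc per user, Lkdc, Ls per SPN."""
    def __init__(self, realm: str, keys: dict):
        self.keys = keys
        self.lkdc = keys["krbtgt/" + realm]

    def authentication_service(self, user: str, preauth: bytes):
        unseal(self.keys[user], preauth)                     # pre-auth: client must hold Lc
        sck = secrets.token_bytes(32)                        # Sck, session key client <-> KDC
        tgt = seal(self.lkdc, {"client": user, "sck": sck.hex()})     # TGT: opaque to client
        return tgt, seal(self.keys[user], {"sck": sck.hex()})         # readable only with Lc

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, spn: str):
        t = unseal(self.lkdc, tgt)                           # only Lkdc opens a TGT
        sck = bytes.fromhex(t["sck"])
        if unseal(sck, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        if spn not in self.keys:
            raise KeyError("no account in ADS carries SPN " + spn)
        sw = secrets.token_bytes(32)                         # Sw, session key client <-> service
        ticket = seal(self.keys[spn], {"client": t["client"], "sw": sw.hex()})  # under Ls
        return ticket, seal(sck, {"spn": spn, "sw": sw.hex()})


class Client:
    def __init__(self, user: str, password: str, realm: str):
        self.user = user
        self.lc = string_to_key(password, realm, user)       # what LSA derives at logon
        self.ccache = {}                                     # credential cache

    def logon(self, kdc: KDC):
        tgt, rep = kdc.authentication_service(self.user, seal(self.lc, {"ts": 0}))
        self.ccache["tgt"] = (tgt, bytes.fromhex(unseal(self.lc, rep)["sck"]))

    def service_request(self, kdc: KDC, spn: str) -> tuple:
        tgt, sck = self.ccache["tgt"]                        # same TGT reused for every service
        ticket, rep = kdc.ticket_granting_service(tgt, seal(sck, {"client": self.user}), spn)
        sw = bytes.fromhex(unseal(sck, rep)["sw"])
        return ticket, seal(sw, {"client": self.user})       # what the browser sends to WLS

    def logoff(self):
        self.ccache.clear()


class Service:
    def __init__(self, ls: bytes):
        self.ls = ls                                         # Ls, read from the keytab

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.ls, ticket)                          # only Ls opens the service ticket
        if unseal(bytes.fromhex(t["sw"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return t["client"]


def sso_demo() -> dict:
    realm, spn = "EXAMPLE.COM", "HTTP/wls.example.com"      # constructed realm and accounts
    ls = string_to_key("svc-pass", realm, spn)
    kdc = KDC(realm, {"krbtgt/" + realm: secrets.token_bytes(32),
                      "alice": string_to_key("alice-pass", realm, "alice"), spn: ls})
    wls, alice = Service(ls), Client("alice", "alice-pass", realm)
    alice.logon(kdc)                                         # one AS exchange per logon
    user = wls.accept(*alice.service_request(kdc, spn))      # TGS exchange, then WLS
    results = {"user": user}
    try:
        Client("alice", "wrong-pass", realm).logon(kdc)
        results["bad_password_rejected"] = False
    except ValueError:
        results["bad_password_rejected"] = True              # pre-auth fails: wrong Lc
    try:
        alice.service_request(kdc, "HTTP/other.example.com")
        results["unknown_spn_rejected"] = False
    except KeyError:
        results["unknown_spn_rejected"] = True               # no account carries that SPN
    ticket, auth = alice.service_request(kdc, spn)
    try:
        wls.accept(ticket[:-1] + bytes([ticket[-1] ^ 1]), auth)
        results["forged_ticket_rejected"] = False
    except ValueError:
        results["forged_ticket_rejected"] = True             # MAC under Ls fails
    return results


if __name__ == "__main__":
    print(sso_demo())
```

Note what each party can read : the client never learns Lkdc or Ls, so it cannot forge a TGT or a service ticket, and WLS never sees Lc, only a ticket it can open with Ls and an authenticator it can check with Sw. Real Kerberos adds timestamps, lifetimes and replay caches to the authenticators and tickets, which this toy leaves out.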
Lets discuss about the session keys in detail now.