18 Things You Should Know About Kerberos - Benefits for Administrators


1. Kerberos removes the need to maintain a separate password on each enterprise server: end-users authenticate once and then access additional applications or Websites without being prompted again for a username and password.

2. Kerberos’s two-fold security is what lets a service trust the credentials in a service ticket: the ticket could only have been created by the KDC, and the end-user must have authenticated to the KDC in order to receive it.

3. Kerberos’ ability to accurately identify end-users and servers allows programmers and administrators to provide authorization and auditing to further enhance the security of their networks.

4. With Kerberos, centralizing end-users’ information in the KDC helps ease administrators’ workloads, as they now only need to maintain a single username/password database.

5. Security administrators now have only a small set of machines on which usernames and passwords are stored and can protect these machines accordingly.

6. Kerberos is built into the operating system, so it normally requires no separate client-side software installation and is less intrusive to roll out. The client still needs network access to a KDC and a clock that is in sync with it.


Kerberos: How Does It Work?


Kerberos uses tickets protected with secret-key (symmetric) cryptography. A ticket is sent to the server hosting the application or service and carries the end-user’s identity and a session key, encrypted under the service’s own key; the end-user’s password itself is never placed in a ticket or sent to the service.

The centralized authentication server(s) that Kerberos uses are called Key Distribution Centers (KDCs). Kerberos requires direct connectivity to a KDC, because the KDC holds the database of principals (both end-users and Kerberos-enabled services) together with their long-term keys, which are derived from their passwords. The KDC is the trusted third party through which all initial authentication requests are routed.

The end-user first authenticates to the KDC and receives a Ticket Granting Ticket (TGT), which is cached by the local security subsystem of the end-user’s workstation, typically for 8-24 hours (Active Directory’s default is 10 hours). The TGT is used to prove the end-user’s identity to the KDC whenever the end-user requests a ticket for another service, such as Domino HTTP. The KDC validates the end-user’s TGT, checks that the requested service exists in its database, then encrypts the end-user’s information and a fresh session key into a service ticket.

End-users receive a service ticket for each specific service they wish to use (anything from database servers to email services to printers to network appliances). The end-user’s browser or client transmits the ticket to the service automatically, but the client cannot decrypt it: only the service and the KDC hold the key needed to recover the end-user’s information and the session key. Alongside the ticket the client sends an authenticator, encrypted with the session key and carrying a timestamp, which proves the client actually holds that key. The service trusts the credentials in the service ticket because it knows the ticket could only have been created by the KDC, and so the end-user must have authenticated to the KDC in order to receive it. The service ticket has a limited lifetime, the authenticator’s timestamp must fall within a small clock-skew window, and the receiving service can keep a cache of recently seen authenticators; together these prevent replay attacks.

Gain Deeper Knowledge of Kerberos...

Attend a free 30-Minute Webinar:
Optimizing the Security of Single Sign-On Using Active Directory with Kerberos

Wednesday, June 25, 2008, 1:00 p.m. EDT

Learn the security and administration benefits of utilizing Microsoft Active Directory and Kerberos to achieve single sign-on to Lotus Domino applications.

Register today

PistolStar, Inc., http://www.pistolstar.com

Strengthening Authentication to Adapt to Changing Circumstances

Today's business environment has created numerous security challenges for IT administrators:

  • Ensuring only authorized individuals have access to specific data and systems.
  • Diminishing the risk of data exposure and network attacks.
  • Corporate mandates to employ security best practices.
  • Increased government and industry standards for data and IT security.
  • Multiple passwords for end-users to remember (and forget or lose).
  • Increased number of unique password stores and sets of password policies to manage.

Securing the authentication process is a major step toward securing the enterprise; however, the process must also maintain end-user productivity, avoid increasing Help Desk calls and incorporate best practices such as stronger authentication, login restrictions and password security rules.

Achieving optimal security with Lotus Domino is critical to ensuring the security of the enterprise applications it serves. PistolStar’s Web Set Password 8 takes Lotus Domino security to another level by adding numerous features that simplify the administrators’ and end-users’ experience, decrease Help Desk calls for password changes and stop potential hackers in their tracks:

  • Stronger authentication – requiring username, password and challenge question and answer to gain access.
  • Site seals – a pre-set custom seal is displayed after the username is entered and before the password is entered, to assure the end-user that the credentials are going to the valid Website.
  • Browser-based self-service password recovery/reset of the Active Directory or Domino HTTP password using multiple challenge question and answer functionality.
  • Control over authentication processes - password strike-out limits, users prevented from using credentials on multiple machines at the same time, inactive user management, time-of-day login restrictions.
  • Password security – password rule settings by user, group or domain, password complexity verification.
  • Single sign-on and reduced sign-on to portals.
  • Over 30 other configurable authentication and password security features not found in Domino R6/7/8.

See and hear the complete 30-minute Webinar: "Strengthening Authentication to Adapt to Changing Circumstances"


Staying on Top of Risky Password Events: Real-Time Alerts

If you are an administrator in charge of password management and password security for a large enterprise, then you know how important it is to stay on top of a complex range of events: from expired passwords and passwords that fail strength rules to questionable login behavior and inappropriate password usage.

These events occur constantly when hundreds or thousands of individuals (both legitimate and unauthorized) attempt to access your systems. Many of them need to be addressed, and some require immediate attention because the security of the organization could be compromised.

Consequently, if there are any potential or real password security issues occurring out there, you want real-time notification. However, uncovering these issues has not been a real-time process.

PistolStar is preparing to roll out a new Password Power Plug-In - the Real-Time Alerts Plug-In - which will be part of the Password Power 8 framework. The Real-Time Alerts Plug-In will automatically trigger an alert to the IT administrator whenever one of over 20 different password and login events occurs. Administrators select from a GUI which alerts they want to receive; the Plug-In is very granular in the events it monitors. The selected alert configuration is then encrypted to prevent tampering and pushed out to local machines.

Alerts are sent via SMTP to a specified email address or a mail-in database and contain the username, domain, IP address and a time stamp. The mail-in database allows the flexibility of categorizing, sorting and triggering Agents. With email, the Alert can go directly to a PDA, allowing for true real-time notification.

The Real-Time Alerts Plug-In will be a diagnostic as well as an auditing tool, as it can be used to isolate and track the activities of individual users. This feature will be of interest to those administrators who want to control the amount of data the Real-Time Alerts Plug-In can potentially produce.

Here’s a sample list of the Alerts to be included in the Password Power Real-Time Alerts Plug-In:

  • Whose password is expired?
  • When was the last login/logoff?
  • How many bad passwords were used during login?
  • Who got locked out?
  • Was a guest account used?
  • Was an administrator account used?
  • Was a deactivated account used?
  • Who changed their password?


Achieving Single Sign-On Via Smart Card Using Kerberos: A Customer Case Study

There are alternatives to using passwords for authentication and one is smart cards.

Henkel KGaA, a global consumer products and technologies company based in Dusseldorf, Germany, was planning an enterprise-wide smart card deployment to its 38,000 employees and wanted to enable single sign-on to Lotus applications. The company wanted its employees to use smart cards instead of their Active Directory password to log into Windows.

Henkel purchased PistolStar’s Password Power Plug-Ins for Lotus Notes, Lotus Domino and Lotus Sametime Connect to achieve single sign-on to Lotus Notes via smart card and single sign-on to Domino and Sametime. Password Power uses the Kerberos authentication protocol, which integrates with Active Directory to enable single sign-on and provides an additional layer of security because it does not send passwords over the network.

The Lotus Notes Plug-In smart card support provides:

  • SSO to Notes based on smart card login to Windows.
  • Authentication with Kerberos when launching Notes to obtain an encrypted service ticket.
  • One-step lost card recovery - No replacing, recovering or recertifying the Notes ID.
  • Self-service PIN recovery when the user forgets the PIN.
  • Automatic smart card user enrollment for Notes (no wizard process to endure)

With PistolStar’s support for single sign-on and smart card environments, Henkel has obtained the following benefits:

  • Users no longer prompted for Active Directory password because they’re using Kerberos with the smart card
  • No more forgotten password scenarios!
  • Stronger authentication using Kerberos
  • Support for roaming users

Now that the Password Power Lotus Notes Plug-In is configurable for smart card implementations, there is no reason to let Notes hold you back from doing a smart card deployment!

Learn how customers in major industries have eliminated Notes ID password recovery and reaped other benefits from using the Password Power Lotus Notes Plug-In:

Energy Industry Case Study
Pharmaceutical Industry Case Study


The Kerberos Authentication Protocol: Widespread Use Among Major Platforms Validates Its Security Prowess

Kerberos is one of the most prominent authentication methods and is available on several platforms, including many different versions of UNIX, Linux, Sun Solaris and Apple Mac OS X, as well as Microsoft Windows. Many people probably do not realize that they are using Kerberos whenever they log on to their computer. Because of its openness, Kerberos gives organizations the flexibility to establish cross-platform, single sign-on network environments.

For most of the major operating systems, Kerberos is the technology of choice for single sign-on because it is more secure than handing a reusable password to every server. Originally developed at the Massachusetts Institute of Technology (MIT), Kerberos never sends plaintext passwords over the network; it uses encrypted tickets instead, and the credential cache on the local machine holds tickets rather than the password. The end-user and server are mutually authenticated, which defeats rogue servers and malicious programs that try to impersonate a server in order to capture the end-user’s private information.

Despite its benefits, Kerberos does have its drawbacks, such as requiring the availability of a central server (the KDC - Key Distribution Center) and not working properly if the clocks of the hosts involved are not synchronized. Also, since users’ secret keys are stored on the central server, if that server is compromised, the users’ secret keys will be compromised as well. In his article, “Kerberos: Authentication with Some Drawbacks,” Bill Brenner of searchsecurity.com points out that the MIT Kerberos Consortium does acknowledge the drawbacks. He quotes its chief technologist as saying, “Unless you’re using smart cards, Kerberos is vulnerable if the local machine is compromised and malware captures the password." To learn about replacing passwords with a smart card single sign-on implementation using Kerberos, check out the article, “Achieving Single Sign-On via Smart Card Using Kerberos – A Customer Case Study,” also featured in this newsletter.

Get the full lowdown on Kerberos’ strengths and dominance as an authentication solution in this recently published white paper by the MIT Kerberos Consortium.

Kerberos on Mac OS X
Kerberos is Apple's choice for system-wide single sign-on and for addressing the risk of unauthorized users gaining access to protected data. Kerberos has been the default authentication technology in Mac OS X since it was introduced there, and it has an extended role in the latest 10.5 release, also known as Leopard.

Kerberos was first introduced in Mac OS X v10.2 Jaguar. In that first release, enabling Kerberos required a manual configuration process. Since Mac OS X v10.3 Panther, Kerberos authentication has been integrated into Open Directory, which can be set up to automatically enable the server as a Kerberos KDC. In Mac OS X 10.5 Leopard, Kerberos also makes it easier to share services with other Macs.

When end-users connect to a Mac supporting Kerberos, there is no need to authenticate to each service individually. End-users enter their password only once at login to prove their identity to the Kerberos KDC, which issues the encrypted tickets that assure all participating applications and services that the end-user has authenticated. The tickets let end-users continue to use services on that machine without re-authenticating until the tickets expire. Kerberized applications and services on the Mac include NFSv3, Safari, SSH, SMB, Mail, Telnet, the VPN client, and the AFP (Apple Filing Protocol) client.

Kerberos on Linux
On Linux, the Kerberos KDC host runs two important daemons: kadmind and krb5kdc. kadmind is the administrative daemon; the kadmin program talks to it to maintain the database of principals (end-users, hosts and services) and the password policies. Because kadmin speaks to kadmind over the network, administrators can manage the Kerberos database even when remote logins via SSH are not allowed on the KDC host (kadmin.local, run on the KDC itself, edits the database directly).

krb5kdc is the “workhorse” of the Kerberos server and performs the trusted-third-party role. The authentication request is sent to krb5kdc, which looks up the requesting principal in the principal database, reads that principal’s long-term key and uses it to encrypt the reply containing a session key. The TGT that accompanies the reply is encrypted with the KDC’s own krbtgt key, which the end-user never sees.

The end-user receives the encrypted reply and, if the key derived from the password typed at login matches the key stored in the principal database, decrypts it to recover the session key. The client then presents the TGT together with an authenticator encrypted under that session key to the Ticket Granting Service (TGS), which issues a subsequent ticket authenticating the end-user to a specific system or service. Timestamps in the authenticators and limited ticket lifetimes prevent replay attacks based on the fraudulent reuse of a previously captured ticket.
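The exchange described in “Kerberos: How Does It Work?” and again above for krb5kdc, carried through end to end as an added example (an illustration for this page, not PistolStar’s code and not the MIT implementation): a KDC holding password-derived keys issues a TGT, the TGS issues a service ticket, and the service opens the ticket with its own key, then checks the authenticator’s timestamp against a clock-skew window and a replay cache. The realm EXAMPLE.COM, the principal names, the 8-hour ticket life and the SHA-256/HMAC toy cipher are assumptions made for the demonstration; real Kerberos uses AES or RC4 encryption types and ASN.1-encoded messages, but who can open which ticket is the same.

```python
"""Toy Kerberos round trip: AS exchange (TGT), TGS exchange (service ticket), AP exchange at the service.
Added illustration, not PistolStar's code or MIT's implementation.  The "cipher" is a SHA-256 keystream
plus an HMAC tag so only the standard library is needed; real Kerberos uses AES/RC4 enctypes and ASN.1,
but the trust relationships (who can open which ticket) are the same."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"   # assumed realm name
SKEW = 300              # tolerated clock skew in seconds (MIT's default is 5 minutes)

def key_from_password(password, principal):
    """String-to-key; Kerberos salts with realm+principal so equal passwords give different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _stream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Encrypt-then-MAC a small JSON object under `key` (demo cipher, not a real enctype)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def make_authenticator(session_key, client, now):
    """Client's proof that it holds the session key; the timestamp is what bounds replays."""
    return seal(session_key, {"client": client, "ts": now, "nonce": os.urandom(8).hex()})

def verify_ap(service_key, ticket, authenticator, replay_cache, now):
    """Service side of AP-REQ: open the ticket with our own key, then the authenticator with the session key."""
    t = unseal(service_key, ticket)                 # only this service (and the KDC) can open it
    if now > t["expires"]:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(t["session_key"])
    a = unseal(sk, authenticator)                   # fails unless the sender knew the session key
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > SKEW:                   # why Kerberos needs synchronized clocks
        raise ValueError("clock skew too large")
    seen = (t["client"], a["ts"], a["nonce"])
    if seen in replay_cache:                        # the replay cache the text describes
        raise ValueError("replayed authenticator")
    replay_cache.add(seen)
    return t["client"], sk

class KDC:
    """Principal database plus the AS and TGS roles (krb5kdc on Linux, a domain controller on Windows)."""
    def __init__(self, clock=time.time):
        self.clock, self.replay_cache = clock, set()
        self.db = {"krbtgt/" + REALM: os.urandom(32)}   # TGS key: never leaves the KDC

    def add_principal(self, name, password):
        self.db[name] = key_from_password(password, name)

    def _ticket(self, service, client, life):
        sk = os.urandom(32)
        body = {"service": service, "client": client, "session_key": sk.hex(), "expires": self.clock() + life}
        return seal(self.db[service], body), sk     # sealed under the *service's* key, not the client's

    def as_exchange(self, client, life=8 * 3600):
        """AS-REQ/AS-REP: the reply is sealed under the client's long-term key, so only the right password
        opens it.  Without pre-authentication anyone could fetch this blob and guess passwords offline."""
        if client not in self.db:
            raise KeyError("unknown principal")
        tgt, sk = self._ticket("krbtgt/" + REALM, client, life)
        return tgt, seal(self.db[client], {"session_key": sk.hex()})

    def tgs_exchange(self, tgt, authenticator, service, life=8 * 3600):
        """TGS-REQ/TGS-REP: the TGS is itself a Kerberized service whose key is krbtgt's."""
        client, tgt_sk = verify_ap(self.db["krbtgt/" + REALM], tgt, authenticator, self.replay_cache, self.clock())
        if service not in self.db:
            raise KeyError("service not registered with the KDC")
        ticket, sk = self._ticket(service, client, life)
        return ticket, seal(tgt_sk, {"session_key": sk.hex()})

class Service:
    """A Kerberized server such as Domino HTTP; it knows only its own long-term key (its keytab)."""
    def __init__(self, name, key, clock=time.time):
        self.name, self.key, self.clock, self.replay_cache = name, key, clock, set()

    def accept(self, ticket, authenticator):
        return verify_ap(self.key, ticket, authenticator, self.replay_cache, self.clock())[0]

def login_and_access(kdc, service, user, password, clock=time.time):
    """The workstation's view: one password prompt, then tickets do the rest."""
    tgt, rep = kdc.as_exchange(user)
    tgt_sk = bytes.fromhex(unseal(key_from_password(password, user), rep)["session_key"])  # wrong password -> ValueError
    ticket, rep2 = kdc.tgs_exchange(tgt, make_authenticator(tgt_sk, user, clock()), service.name)
    svc_sk = bytes.fromhex(unseal(tgt_sk, rep2)["session_key"])
    authenticator = make_authenticator(svc_sk, user, clock())
    return ticket, authenticator, service.accept(ticket, authenticator)
```

To run it, create a KDC, add a user principal and a service principal with add_principal, build a Service with the key the KDC stores for it (standing in for the service’s keytab), and call login_and_access(kdc, service, user, password); it returns the service ticket, the authenticator and the principal name the service accepted. Presenting the same authenticator a second time, supplying the wrong password, or running the service with a clock more than SKEW seconds away from the KDC’s each raises ValueError, which is the page’s list of drawbacks (KDC availability, clock synchronization) seen from the code’s side. Note the AS reply as well: because it is sealed only under the user’s password-derived key, a KDC that answers without pre-authentication hands out material that can be attacked offline, which is why real deployments require pre-authentication.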

Kerberos on Windows
Kerberos has been the default authentication mechanism in the Windows family of client and server operating systems since the introduction of Windows 2000 Professional and Windows 2000 Server. The Kerberos KDC in Windows is any Active Directory domain controller, and the end-user authenticates to the KDC with an Active Directory domain account.

Because Kerberos is deeply integrated with Windows and Active Directory, users on Windows 2000, XP and Vista simply log on to the Windows domain at the start of their workday. When the end-user then accesses a server that uses Kerberos authentication, the Windows security subsystem obtains the service ticket from the KDC and the browser sends it to the server automatically, without prompting for credentials.

For more specifics on how Kerberos operates on Windows and info on how it works in general, see the article “Kerberos: How Does it Work?” which is also contained in this newsletter.

© 1999-2008 PistolStar, Inc. - all rights reserved.