HP (Hewlett-Packard) E0905 Server User Manual

Interoperability with Windows 2000
Understanding the Terminology
Chapter 4 53
Understanding the Terminology
Both the HP Kerberos server and Microsoft Windows 2000 provide Kerberos security for
your network. While the technology is the same, the terminology varies.
Kerberos authentication depends upon establishing trust between users
and services through a trusted third party called a Key Distribution
Center (KDC). HP provides a KDC on the security server, and Windows
2000 provides a KDC on the domain controller.
Each KDC stores information about trusted users and services in a
central database called the principal database in HP terms and the
Active Directory of the domain in Microsoft terms. Each database
contains a collection of users. In HP terms, the database contains a
collection called a realm and each entry is called a principal. In Microsoft
terms, the database contains a collection called a domain and each entry
is called an account.
The most important information associated with any principal in the
Kerberos model is its unique symmetric key, that is, the key used to
encrypt and decrypt information on behalf of the principal. HP uses the
term secret key; Microsoft uses the terms long-term key or shared
principal key. The KDC, as the trusted third party, shares a unique
secret key with all of its principals. When a principal and the KDC
exchange information to establish trust, the principal uses its secret key
to encrypt the message. The KDC decrypts the message using the secret
key of the principal stored in the database and then attempts to
authenticate the principal.
During logon, if the KDC successfully authenticates the user, it responds
with a special message called a ticket granting ticket (TGT). The ticket
entitles you to request access to other services known to the KDC.
The client system stores the ticket in memory. In HP terminology, the
client system stores the ticket in the credentials cache and uses it to
request service tickets to authenticate the applications or services on the
network. In Microsoft terminology, the client system stores the ticket in
the secure cache and uses it to request session tickets to authenticate to
applications or services.
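The exchange described above (the principal proving possession of its secret key, the KDC checking it against the principal database and issuing a TGT, the client caching the TGT and using it to obtain service tickets), as an added Python model that is not part of the HP manual. The realm and principal names are made up, and the HMAC-based seal/unseal routine is a toy stand-in for real Kerberos encryption types.

```python
# Added example (not the HP manual's code): simplified Kerberos AS and TGS exchanges.
# Every principal shares a secret key with the KDC, which stores those keys in its
# principal database (realm). seal/unseal are a toy HMAC-based stand-in, NOT real enctypes.
import hashlib, hmac, json, os, time

def derive_key(password, salt):
    # Kerberos derives the long-term key from the password; PBKDF2 stands in here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))

def seal(key, obj):
    # Encrypt-then-MAC so a wrong key is detected instead of yielding garbage.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong secret key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, realm):
        self.realm, self.db, self.tgs_key = realm, {}, os.urandom(32)  # db: principal -> key
    def add_principal(self, name, password):
        self.db[name] = derive_key(password, self.realm + name)
    def as_exchange(self, name, preauth):
        # Decrypt the pre-auth timestamp with the stored key: this is the authentication step.
        key = self.db[name]
        if abs(time.time() - unseal(key, preauth)["timestamp"]) > 300:
            raise ValueError("pre-authentication timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": name, "session": session, "expires": time.time() + 36000})
        return tgt, seal(key, {"session": session})  # TGT is opaque to the client
    def tgs_exchange(self, tgt, service):
        t = unseal(self.tgs_key, tgt)  # only the KDC can open the TGT
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        return seal(self.db[service], {"client": t["client"], "service": service})

def login(kdc, name, password):
    # Client side: prove key possession, then keep the TGT in the credentials cache.
    key = derive_key(password, kdc.realm + name)
    tgt, enc_part = kdc.as_exchange(name, seal(key, {"timestamp": time.time()}))
    return {"tgt": tgt, "session": unseal(key, enc_part)["session"]}
```

A service that receives the ticket opens it with its own secret key and learns which client the KDC vouched for; a client using the wrong password fails at the pre-authentication step.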
The HP and Microsoft implementations of Kerberos have virtually
identical conceptual frameworks, but mechanical differences exist. For
example, the HP implementation uses configuration files to locate host