KRBTGT is an account used for Microsoft’s implementation of Kerberos, the default Microsoft Windows authentication protocol. Understanding the ins and outs of KRBTGT accounts can mean the difference between having a secure, compliant network and opening up your organization to vulnerabilities that could allow perpetrators to impersonate authentication and wreak havoc in your network. I discussed some of these issues at Microsoft Ignite this year with Microsoft Certified Master Sean Metcalf (you may have seen the related blog post on 6 AD Security Public Service Announcements). In this blog post, we take a deeper dive into KRBTGT and answer some of your toughest Microsoft security questions.

## What does KRBTGT stand for and how is it used?

In Greek mythology, Cerberus is a three-headed dog that guards the entrance to Hades. Guarding the gates to your network is a three-way trust called Kerberos. This is and has been the default Microsoft Windows authentication and authorization protocol used to grant access to network applications and services since Windows Server 2000. Specifically, KRB means Kerberos, and TGT stands for Ticket Granting Ticket.

To describe how KRBTGT works, I’ll put it in terms of going to the movie theatre. I really want to see the movie Shrek which my local theatre has started showing again. But I can’t just walk into the theatre with my popcorn and enjoy the show. I must be verified by a trusted third party – the ticket counter – which verifies my ID, charges my credit card and gives me a ticket to see Shrek in a specific theatre at a specific time.

This is the same for users who want access to an application server. They can’t just log in directly to that server. They must first be verified by a trusted third party, the Key Distribution Center (KDC). A KDC is a domain service located on a domain controller. So the user sends a request to the KDC authentication server (AS) with their NTLM hashed password. Once they are authenticated, the KDC sends them a Ticket Granting Ticket (TGT). The user (I should say client because the user just logs in and all this goes on unbeknownst to the user) sends the TGT to the KDC Ticket Granting Server (TGS) along with the request for what the user wants to access. The TGS decrypts the TGT with the secret key shared with the AS. An encrypted token is sent back to the user, and then it is sent on to the application server. The application server then verifies the token with the shared KRBTGT hashed password and grants access to its resources to the user for a specific period of time, also known as TTL or Time to Live (default timeframe is 10 hours).

So, to recap, the TGT gives me access to the theatre complex and the TGS gives me access to a specific movie in a specific theatre at a specific time. Once I have my ticket and I decide I want to see The Croods instead, my specific ticket will not allow me into that movie because I’ve been authorized to see Shrek.

## Is KRBTGT more secure than NTLM authentication?
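Before turning to that question, here is the AS, TGS and application-server exchange from the theatre walkthrough above as a runnable model. This is an added example, not code from the original post or from Microsoft: a small encrypt-then-MAC seal stands in for Kerberos encryption (it is not the real wire format or RFC 3961 crypto), the principal `alice` and the services `shrek` and `croods` are constructed sample data, and the example seals each service ticket under that service's own key, as Kerberos does, so that a ticket issued for Shrek is refused at the door of The Croods. It also checks the 10-hour TTL the post quotes.

```python
"""Toy model of the AS -> TGT -> TGS -> service-ticket flow.
Constructed example: a simplified encrypt-then-MAC seal stands in for Kerberos
encryption; it is not the real wire format or RFC 3961 cryptography."""
import hashlib
import hmac
import json
import os

TGT_TTL = 10 * 3600  # default ticket lifetime quoted in the post: 10 hours


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction for the model only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt a ticket body under `key` and append an HMAC tag: nonce | body | tag."""
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a ticket; reject one sealed under a different key or modified in transit."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket rejected: wrong key or tampered")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plain)


class KDC:
    """Holds the long-term keys: KRBTGT's, each user's and each service's."""

    def __init__(self) -> None:
        self.krbtgt_key = os.urandom(32)  # key derived from the KRBTGT account password
        self.users = {}      # principal -> key derived from the user's password
        self.services = {}   # SPN -> key derived from the service account's password

    def as_exchange(self, user: str, user_key: bytes, now: int) -> bytes:
        """Authentication Server: verify the client, issue a TGT sealed under the KRBTGT key."""
        if not hmac.compare_digest(self.users.get(user, b""), user_key):
            raise PermissionError("AS: bad credentials")
        return seal(self.krbtgt_key, {"user": user, "exp": now + TGT_TTL})

    def tgs_exchange(self, tgt: bytes, spn: str, now: int) -> bytes:
        """Ticket Granting Server: open the TGT with the key shared with the AS,
        then issue a ticket for one service, sealed under that service's key."""
        claims = unseal(self.krbtgt_key, tgt)
        if now > claims["exp"]:
            raise PermissionError("TGS: TGT expired")
        return seal(self.services[spn], {"user": claims["user"], "spn": spn, "exp": now + TGT_TTL})


class AppServer:
    """The theatre door: admits only tickets sealed for this SPN and still within TTL."""

    def __init__(self, spn: str, key: bytes) -> None:
        self.spn, self.key = spn, key

    def admit(self, ticket: bytes, now: int) -> str:
        claims = unseal(self.key, ticket)  # a ticket for another SPN fails the MAC check here
        if claims["spn"] != self.spn:
            raise PermissionError("ticket is for another service")
        if now > claims["exp"]:
            raise PermissionError("service ticket expired")
        return claims["user"]


def run_scenario() -> dict:
    """Alice gets a TGT, then a ticket for Shrek; tries it at The Croods; then after 10 h."""
    kdc = KDC()
    alice_key = hashlib.sha256(b"alice-password").digest()  # constructed sample credential
    kdc.users["alice"] = alice_key
    for spn in ("shrek", "croods"):
        kdc.services[spn] = os.urandom(32)
    shrek = AppServer("shrek", kdc.services["shrek"])
    croods = AppServer("croods", kdc.services["croods"])

    now = 1_700_000_000
    tgt = kdc.as_exchange("alice", alice_key, now)
    shrek_ticket = kdc.tgs_exchange(tgt, "shrek", now)
    result = {"shrek_admits": shrek.admit(shrek_ticket, now)}
    try:
        croods.admit(shrek_ticket, now)
        result["croods_rejects"] = False
    except PermissionError:
        result["croods_rejects"] = True
    try:
        shrek.admit(shrek_ticket, now + TGT_TTL + 1)
        result["expired_rejects"] = False
    except PermissionError:
        result["expired_rejects"] = True
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The two places a defender cares about are visible in the model: everything the TGS issues hinges on the single `krbtgt_key`, so whoever holds it can mint a TGT for any user, and a service can only open tickets sealed under its own key, which is what keeps the Shrek ticket out of the other theatre.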