Thursday, September 09, 2004

Kerberos and Windows 2000

http://is-it-true.org/nt/nt2000/atips/atips52.shtml

Windows NT uses a proprietary authentication scheme, NT LAN Manager (NTLM) challenge-response. With the introduction of Windows 2000, Microsoft changed the default authentication to its own implementation of Kerberos, an open network authentication protocol developed at MIT (Massachusetts Institute of Technology) as part of Project Athena.
Windows 2000 uses Version 5 of Kerberos as defined by RFC 1510. Kerberos implementations that want to interoperate exchange tokens in the format described in RFC 1964, the Kerberos Version 5 Generic Security Service Application Programming Interface (GSS-API) Mechanism. Microsoft chose not to expose the GSS-API itself; Windows 2000 instead offers Kerberos through a similar interface of its own, the Security Support Provider Interface (SSPI). The tokens the SSPI Kerberos package puts on the wire still follow RFC 1964, which is what allows it to interoperate with GSS-API based Kerberos implementations.
Windows 2000 supports both Kerberos and NTLM for authentication. Legacy, legacy, legacy support: the key to Microsoft's security problems. Because the authentication mechanism is designed to be as transparent as possible, it isn't obvious whether Kerberos or NTLM is used. In general, Windows 2000 uses Kerberos in the following circumstances:
Authenticating users logging on to Windows 2000 domain controllers
Authenticating domain users logging on to Windows 2000 servers and workstations that are members of a Windows 2000 domain
Authenticating domain users accessing a Windows 2000 server or workstation from another Windows 2000 member of the same forest (or of a Kerberos-trusted Windows 2000 domain), when the target is named by a host name that has a service principal name registered for it
NTLM authentication is used in the following instances:
Authenticating users logging on to standalone Windows 2000 servers and workstations with local accounts (there is no KDC for a local account; the KDC runs only on domain controllers)
Authenticating users logging on to Windows 2000 servers and workstations that are members of an NT domain (or accessing an NT domain from a Windows 2000 domain via a trust relationship)
Authenticating users accessing a Windows 2000 server or workstation from an NT server or workstation
Authenticating users accessing a Windows 2000 server from a Windows 9x, Windows 3.1x or OS/2 client; the Active Directory client add-on for Windows 9x and NT 4.0 upgrades these clients to NTLMv2 but does not add Kerberos
Authenticating any client that reaches a Windows 2000 server by IP address rather than by name, or for which no service principal name is registered: the Kerberos client cannot obtain a service ticket and silently falls back to NTLM
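Because the choice between the two is hidden from the user, the dependable way to learn which protocol a client actually tried is to look at the first authentication token it sends: the GSS-API framing described under RFC 1964 above makes the mechanism self-identifying. The Python below is an added example, not code from the original page or from is-it-true.org. It decodes just enough DER to recognise a raw NTLMSSP message, an RFC 1964 Kerberos token, and an SPNEGO NegTokenInit (RFC 2478, the negotiation wrapper Windows puts around both), and reports which mechanisms the client offered and which one its first token belongs to. The sample tokens are constructed inside the script, not captured from a real host; the Microsoft Kerberos OID 1.2.840.48018.1.2.2 and the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10 are the values Windows places in SPNEGO mechTypes lists.

```python
# Identify whether a client's first authentication token is Kerberos or NTLM.
# Handles a raw NTLMSSP message (no GSS-API framing), an RFC 1964 Kerberos V5
# InitialContextToken, and an SPNEGO NegTokenInit (RFC 2478), which lists the
# mechanisms the client is willing to use, preferred first.

OID_KRB5    = "1.2.840.113554.1.2.2"    # RFC 1964 Kerberos V5 mechanism
OID_MS_KRB5 = "1.2.840.48018.1.2.2"     # Microsoft's Kerberos OID, same token format
OID_SPNEGO  = "1.3.6.1.5.5.2"           # SPNEGO negotiation pseudo-mechanism
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP when carried inside SPNEGO
NTLMSSP_SIG = b"NTLMSSP\x00"            # first 8 bytes of every NTLM message
MECH_NAMES  = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "Kerberos V5 (Microsoft OID)",
               OID_NTLMSSP: "NTLMSSP"}

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def decode_oid(raw):
    """Dotted OID from DER contents (first two arcs packed in one byte, rest base-128)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_token(token):
    """Return {'kind': NTLM|Kerberos|SPNEGO|unknown, 'mechs': offered, 'inner': mechToken kind}."""
    if token.startswith(NTLMSSP_SIG):
        return {"kind": "NTLM", "mechs": ["NTLMSSP"], "inner": None}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                    # [APPLICATION 0] InitialContextToken, RFC 2743 3.1
        raise ValueError("neither NTLMSSP nor a GSS-API initial context token")
    tag, oid_raw, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("InitialContextToken lacks a mechanism OID")
    mech = decode_oid(oid_raw)
    if mech in (OID_KRB5, OID_MS_KRB5):
        return {"kind": "Kerberos", "mechs": [MECH_NAMES[mech]], "inner": None}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mechs": [mech], "inner": None}
    tag, neg_init, _ = read_tlv(body, pos)   # NegotiationToken CHOICE: [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, fields, _ = read_tlv(neg_init)        # NegTokenInit SEQUENCE
    offered, inner, p = [], None, 0
    while p < len(fields):
        tag, val, p = read_tlv(fields, p)
        if tag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            q = 0
            while q < len(lst):
                t, o, q = read_tlv(lst, q)
                if t == 0x06:
                    offered.append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:                    # [2] mechToken: first token for mechTypes[0]
            _, tok, _ = read_tlv(val)
            inner = classify_token(tok)["kind"]
    return {"kind": "SPNEGO", "mechs": offered, "inner": inner}

def initial_attempt(token):
    """The mechanism the client is trying first: 'Kerberos', 'NTLM' or 'unknown'."""
    info = classify_token(token)
    if info["kind"] != "SPNEGO":
        return info["kind"]
    if info["inner"] in ("Kerberos", "NTLM"):
        return info["inner"]
    first = info["mechs"][0] if info["mechs"] else ""
    return "Kerberos" if first.startswith("Kerberos") else "NTLM" if first == "NTLMSSP" else "unknown"

# ---- constructed sample tokens (built here for the demo, not captured from a host) ----
def der(tag, payload):
    n = len(payload)
    lb = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return der(0x06, bytes(out))

def spnego_init(mech_oids, mech_token):
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    return der(0x60, encode_oid(OID_SPNEGO) + neg_init)

SAMPLE_RAW_NTLM    = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(24)  # NEGOTIATE_MESSAGE shape
SAMPLE_KRB5        = der(0x60, encode_oid(OID_KRB5) + b"\x01\x00")        # TOK_ID 01 00; AP-REQ body omitted
SAMPLE_SPNEGO_KRB  = spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], SAMPLE_KRB5)
SAMPLE_SPNEGO_NTLM = spnego_init([OID_NTLMSSP], SAMPLE_RAW_NTLM)

if __name__ == "__main__":
    for name, tok in [("raw NTLM", SAMPLE_RAW_NTLM), ("RFC 1964 Kerberos", SAMPLE_KRB5),
                      ("SPNEGO, Kerberos first", SAMPLE_SPNEGO_KRB), ("SPNEGO, NTLM only", SAMPLE_SPNEGO_NTLM)]:
        print(f"{name:22s} -> {initial_attempt(tok):8s} {classify_token(tok)}")
```

Feed it the base64-decoded value of an HTTP "Authorization: Negotiate" header or the security blob from an SMB session setup. A mechTypes list that leads with Kerberos and carries a Kerberos mechToken is a Kerberos attempt; a list containing only NTLMSSP, or an NTLMSSP mechToken, means the client has already fallen back to NTLM, typically because it reached the server by IP address or no service principal name was registered. The script is a classifier only: it does not validate the token or verify anything cryptographic.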
Authentication protocols defend the front door to your network
Kerberos
Secure Sockets Layer (SSL)
Microsoft NT LAN Manager (NTLM)
Password Authentication Protocol (PAP) and Shiva PAP (SPAP)
Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP (MS-CHAP)
Extensible Authentication Protocol (EAP)
Remote Authentication Dial-In User Service (RADIUS)
Certificate services
Windows 2000 Kerberos Authentication Windows 2000 implements Kerberos version 5 with extensions for public key authentication. The Kerberos client is implemented as a security provider through the Security Support Provider Interface. Initial authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows 2000 security services running on the domain controller and uses the domain's Active Directory service as its security account database. This white paper examines components of the protocol and provides detail on its implementation. (Downloadable, 143 KB)
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility "discovered an API that lets you enumerate and manipulate the ticket cache. This was even better than good documentation because I was able to do my own research to discover the nuts and bolts of the delegation mechanism. It also got me thinking about how tickets work in general, which I’ll also discuss."
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
Windows 2000 Kerberos Interoperability The Windows 2000 operating system implements the standard Kerberos network authentication protocol to improve security and interoperability. While new to Windows, the Kerberos protocol is not new and has been implemented on a number of operating system platforms. This paper describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations. (Downloadable, 104 KB)
Q217098 : Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Q230669 : Windows 2000 Kerberos 5 Ticket Flags and KDC Options for AS_REQ and TGS_REQ Messages
Q258068 : Windows 2000 PDC Emulator's CPU Spikes When Large Number of KRB_AS_REQs Are Sent from the BDC
Kerberos FAQ