Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 4 Interoperability with Windows 2000

Understanding the Terminology

Both the HP Kerberos server and Microsoft® Windows 2000 provide Kerberos security for your network. The underlying technology is the same, but the terminology differs.

Kerberos authentication depends upon establishing trust between users and services through a trusted third party called a Key Distribution Center (KDC). HP provides a KDC on the security server, and Windows 2000 provides a KDC on the domain controller.

Each KDC stores information about trusted users and services in a central database, called the principal database in HP terms and the Active Directory of the domain in Microsoft terms. In HP terms, the collection of entries is called a realm and each entry is called a principal. In Microsoft terms, the collection is called a domain and each entry is called an account.

The most important information associated with any principal in the Kerberos model is its unique symmetric key, that is, the key used to encrypt and decrypt information on behalf of the principal. HP uses the term secret key; Microsoft uses the terms long-term key or shared principal key. The KDC, as the trusted third party, shares a distinct secret key with each of its principals. When a principal and the KDC exchange information to establish trust, the principal proves possession of its secret key by encrypting part of the request (for example, a timestamp) with that key. The KDC decrypts the message using the copy of the principal's secret key stored in its database; if the decryption succeeds and the contents are fresh, the principal is authenticated.

During logon, if the KDC successfully authenticates the user, it responds with a special ticket called a ticket-granting ticket (TGT). The TGT entitles the user to request access to other services known to the KDC without presenting the secret key again.

The client system stores the ticket in memory. In HP terminology, the client system stores the ticket in the credentials cache and uses it to request service tickets to authenticate the applications or services on the network. In Microsoft terminology, the client system stores the ticket in the secure cache and uses it to request session tickets to authenticate to applications or services.
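The following script is an added example, not code from the HP or Microsoft implementations, and it models the exchange just described: the client proves its secret key to the KDC with an encrypted timestamp, receives a TGT into a credentials cache, trades the TGT for a service ticket, and the service opens that ticket with its own key. All principal names, passwords and lifetimes are constructed for the demonstration, and the encryption is a stand-in built from hashlib and hmac so the script runs offline; real Kerberos uses the encryption types and string-to-key functions defined in the RFCs.

```python
import hashlib
import hmac
import json
import os
import time

# --- toy cipher: stand-in for the RFC-defined encryption types (ASSUMPTION) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def encrypt(key: bytes, obj) -> bytes:
    """Seal a JSON-serialisable object under key: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Open a sealed object; raises ValueError if the key is wrong or data altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(principal: str, password: str) -> bytes:
    """Secret key (HP) / long-term key (Microsoft): derived from the password and
    salted with the principal name. Simplified string-to-key (ASSUMPTION)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    """Trusted third party holding the realm's principal database."""
    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_name = f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs_name: os.urandom(32)}   # principal name -> secret key

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = derive_key(name, password)

    def as_exchange(self, client: str, preauth: bytes) -> dict:
        """AS-REQ -> AS-REP: the client encrypts a timestamp under its secret key;
        the KDC decrypts it with the key stored in the database."""
        key = self.db[client]                          # KeyError: unknown principal
        stamp = decrypt(key, preauth)["timestamp"]     # ValueError: wrong key
        if abs(time.time() - stamp) > 300:
            raise ValueError("clock skew exceeds 5 minutes")
        session = os.urandom(32).hex()
        tgt = encrypt(self.db[self.tgs_name], {"client": client, "session": session,
                                               "expires": time.time() + 10 * 3600})
        return {"ticket": tgt, "enc_part": encrypt(key, {"session": session})}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> dict:
        """TGS-REQ -> TGS-REP: a valid TGT plus an authenticator under the TGT
        session key buys a service ticket sealed under the service's own key."""
        t = decrypt(self.db[self.tgs_name], tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        auth = decrypt(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.db[service], {"client": t["client"], "session": svc_session})
        return {"ticket": ticket,
                "enc_part": encrypt(bytes.fromhex(t["session"]), {"session": svc_session})}

# --- client side: credentials cache (HP) / secure cache (Microsoft) ---
def kinit(kdc: KDC, user: str, password: str) -> dict:
    """Logon: obtain a TGT and start a credentials cache. The password never
    leaves the client; only a timestamp encrypted under the derived key does."""
    key = derive_key(user, password)
    rep = kdc.as_exchange(user, encrypt(key, {"timestamp": time.time()}))
    session = decrypt(key, rep["enc_part"])["session"]
    return {"principal": user,
            "tickets": {kdc.tgs_name: {"ticket": rep["ticket"], "session": session}}}

def get_service_ticket(kdc: KDC, cache: dict, service: str) -> dict:
    """Use the cached TGT to obtain, and cache, a service (session) ticket."""
    tgt = cache["tickets"][kdc.tgs_name]
    auth = encrypt(bytes.fromhex(tgt["session"]), {"client": cache["principal"]})
    rep = kdc.tgs_exchange(tgt["ticket"], auth, service)
    session = decrypt(bytes.fromhex(tgt["session"]), rep["enc_part"])["session"]
    cache["tickets"][service] = {"ticket": rep["ticket"], "session": session}
    return cache["tickets"][service]

def ap_exchange(service_key: bytes, cache: dict, service: str) -> str:
    """AP-REQ: client presents ticket + authenticator; the service opens the
    ticket with its own secret key (its keytab copy) and checks the two agree."""
    entry = cache["tickets"][service]
    authenticator = encrypt(bytes.fromhex(entry["session"]),
                            {"client": cache["principal"], "timestamp": time.time()})
    ticket = decrypt(service_key, entry["ticket"])          # service side from here
    auth = decrypt(bytes.fromhex(ticket["session"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["client"]

if __name__ == "__main__":
    kdc = KDC("HPUX.EXAMPLE.COM")                       # constructed realm
    kdc.add_principal("alice@HPUX.EXAMPLE.COM", "correct horse battery")
    svc = "host/hp1.hpux.example.com@HPUX.EXAMPLE.COM"
    kdc.add_principal(svc, "host-key-pw")
    cache = kinit(kdc, "alice@HPUX.EXAMPLE.COM", "correct horse battery")
    get_service_ticket(kdc, cache, svc)
    print("service authenticated:", ap_exchange(derive_key(svc, "host-key-pw"), cache, svc))
```

Two points the code makes that the prose leaves implicit: the KDC never sees the password, only a timestamp it can verify with its stored copy of the key, so a wrong password fails at the integrity check rather than at a password comparison; and the service never talks to the KDC at all, because the service ticket is sealed under the service's own secret key, which is what lets an HP-UX host accept a ticket issued by a Windows 2000 domain controller once the two share that key.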

The HP and Microsoft implementations of Kerberos have virtually identical conceptual frameworks, but mechanical differences exist. For example, the HP implementation locates KDCs and other hosts through configuration files, whereas the Microsoft implementation uses DNS lookups to resolve host names. Both implementations are written to RFC 1510 (The Kerberos Network Authentication Service (V5)) and RFC 1964 (The Kerberos Version 5 GSS-API Mechanism), and hence they can interoperate. (RFC 1510 has since been superseded by RFC 4120, which keeps the same wire protocol.)
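The locator below is an added example, not code from either implementation, showing the two mechanisms side by side: a realm stanza in an MIT-style krb5.conf (the file-based approach, which the HP-UX client is assumed here to use in the same format) and, when no stanza exists, the DNS SRV owner name a DNS-based client would query. The configuration text and host names are constructed; no DNS query is sent, the function only returns the name that would be looked up.

```python
# Constructed krb5.conf fragment (ASSUMPTION: MIT-style syntax on the HP-UX client).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = HPUX.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    HPUX.EXAMPLE.COM = {
        kdc = ksrv.hpux.example.com:88
        admin_server = ksrv.hpux.example.com
    }
    WIN.EXAMPLE.COM = {
        kdc = dc1.win.example.com
        kdc = dc2.win.example.com
    }

[domain_realm]
    .hpux.example.com = HPUX.EXAMPLE.COM
    .win.example.com = WIN.EXAMPLE.COM
"""

def parse_krb5_conf(text: str) -> dict:
    """Minimal parser: sections, repeated keys (kept as lists) and one level of
    braced sub-sections as used by [realms]. Comments start with '#'."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("= {"):
            sub = line[:-3].strip()
            conf[section][sub] = {}
        elif line == "}":
            sub = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][sub] if sub else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

def locate_kdc(conf: dict, realm: str) -> tuple:
    """Return ("config", [host:port, ...]) when the realm stanza names KDCs,
    or ("dns", [SRV owner names]) when the client must fall back to DNS."""
    hosts = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if hosts:
        return ("config", [h if ":" in h else f"{h}:88" for h in hosts])
    dns_ok = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[0]
    if dns_ok.lower() == "true":
        name = realm.lower()
        return ("dns", [f"_kerberos._udp.{name}", f"_kerberos._tcp.{name}"])
    raise LookupError(f"no KDC configured for realm {realm} and DNS lookup disabled")

def realm_for_host(conf: dict, host: str) -> str:
    """Map a host name to its realm via [domain_realm]: exact host first, then
    each parent domain written with a leading dot."""
    mapping = conf.get("domain_realm", {})
    h = host.lower()
    while h:
        for key in (h, "." + h):
            if key in mapping:
                return mapping[key][0]
        h = h.partition(".")[2]
    raise LookupError(f"no realm mapping for {host}")

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in ("HPUX.EXAMPLE.COM", "WIN.EXAMPLE.COM", "OTHER.EXAMPLE.COM"):
        print(realm, "->", locate_kdc(conf, realm))
    print("fileserver.win.example.com is in", realm_for_host(conf, "fileserver.win.example.com"))
```

The practical consequence for interoperability is the WIN.EXAMPLE.COM stanza: because the HP-UX client resolves KDCs from the file, the Windows 2000 domain controllers must be listed there explicitly (the realm name is the DNS domain name in upper case), and the [domain_realm] mapping tells the client which realm a host name such as fileserver.win.example.com belongs to. Windows clients locate domain controllers from SRV records instead, so the reverse direction needs nothing in a file but does need the HP security server reachable by name.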

Table 4-1 “Table of Analogous Terms” summarizes analogous terminology in the Kerberos server and Windows 2000 Kerberos implementations.

Table 4-1 Table of Analogous Terms

  Kerberos Server        Windows 2000
  ---------------------  ------------------------------------
  Realm                  Domain
  Interrealm             Interdomain
  Crossrealm             Crossdomain
  Secret key             Long-term key, shared principal key
  Credentials cache      Secure cache
  Principal database     Active Directory
  Service ticket         Session ticket
  Security server        Domain controller
  Principal names        Account names

© 2007 Hewlett-Packard Development Company, L.P.