Windows 7 / Security and Privacy

Network User Authentication

In a network environment, user authentication can be handled by one of several methods depending on whether Active Directory is enabled. If Active Directory is not being used, then authentication is handled at a more basic level. If Active Directory is in use, then several more advanced authentication techniques are available in Windows Server 2008. If users are coming in over the Internet, they can use certificates and the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols for authentication. In the case of certificates, Windows Server 2008 can take an authenticated certificate and map it to a user account for integration with the rest of the system (see "Certificate Authentication," later in this tutorial).

In all these methods, a user account must first be established on the server before authentication can be accomplished. Without Active Directory, the procedure for setting up a user account is exactly the same as for the local computer, discussed in the preceding section, except that it must be repeated on each server in the network. With Active Directory, or with Active Directory Certificate Services (which itself requires Active Directory for full use), the procedure is a little different. Here are the steps:

  1. Click Start | Administrative Tools | Active Directory Users And Computers. The Active Directory Users And Computers dialog box opens.
  2. In the left pane, open the applicable domain and then the Users folder. Click the Action menu and click New | User.
  3. In the New Object - User dialog box, enter the user's name and username, as you can see here, and then click Next.
  4. Enter and confirm the password, choose how you want the user to change the password, and then click Next.
  5. Review your choices, use Back if you need to make any changes, and click Finish when the account is the way you want it.

By establishing this one user account in Active Directory, with the appropriate policies, the user can sign on anywhere on the network, which may extend over the Internet, and be authenticated.

Kerberos Authentication

Kerberos Version 5 is the default authentication protocol in Windows Server 2008, and Kerberos, in several versions, is the default authentication protocol over much of the Internet. This means that the same authentication routines in Windows Server 2008 can validate both a local Windows Server 2008 client and an Internet-connected UNIX client. Kerberos was originally developed by MIT for Internet authentication (http://web.mit.edu/kerberos/www/). The specification for Kerberos Version 5 is maintained by the Internet Engineering Task Force (IETF) and, along with an overview, is contained in Request for Comments (RFC) 1510, available online at http://www.ietf.org/rfc/rfc1510.txt.

In addition to its commonality with the Internet and numerous other systems, Kerberos provides another major benefit to Windows Server 2008 users. In other authentication schemes, each time a user attempts to access a different network service, that service has to go to the authentication server to confirm the authenticity of the user. This doesn't mean the user has to log on again, but each service has to get its own confirmation, creating a fair amount of network traffic. That is not the case with Kerberos, which provides each user with an encrypted ticket containing the user ID and password, which network services can use both to identify the user and to confirm validity. The Kerberos ticket system also validates the network service to the user, providing mutual authentication between user and service.

NOTE: The Kerberos ticket is also referred to as a service ticket or as a user ticket. They are all the same object.

Kerberos uses a Key Distribution Center (KDC) on each domain controller that stores the user accounts that have been entered into the network's Active Directory. When a user attempts to log on and use any part of the network, the following process takes place:

  1. The username and password are encrypted and sent to the KDC.
  2. The KDC validates the username/password combination.
  3. A ticket is constructed containing the encrypted username and password plus an encryption key that can be used to transfer information between the user and any network service.
  4. The ticket is returned to the user's point of logging on, where it is presented to the network service, thereby proving the authenticity of the user.
  5. The ability of the service to accept and utilize the ticket proves the authenticity of the service to the user.
  6. Any information transferred between the user and the service is done using the encryption key in the ticket.
  7. If, while still logged onto the first network service, the user reaches out to another network service, the ticket is automatically presented to the second service, providing immediate mutual authentication and the ability to securely transfer information.

You can see in the preceding steps another major benefit of Kerberos: the inclusion of an encryption key in the ticket, which allows the user and a network service to transfer information securely. This automatically addresses another of the security demands, securing data transmission.
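The seven-step exchange above, and the ticket reuse described in the preceding section, as an added example that is not part of the original tutorial and not Microsoft's or MIT's code: a self-contained Python model of the Kerberos exchange in RFC 1510 terms. It follows the RFC the page cites on one point where the shorthand above is loose: the ticket carries the user's name, a fresh session key and an expiry, while the password itself never travels; the user proves the password by encrypting a timestamp under a key derived from it (pre-authentication). The ticket-granting (TGS) exchange is collapsed, so the KDC issues a ticket for each named service directly. The `seal`/`unseal` routines (an HMAC-keystream encrypt-then-MAC) are a constructed toy standing in for the Kerberos encryption types, and every principal name, password and clock value is constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Toy symmetric primitives, constructed for this example. They stand in for the
# Kerberos encryption types and are not a substitute for real Kerberos crypto.
def derive_key(password: str, salt: str) -> bytes:
    """String-to-key: the KDC stores this long-term key, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object under key: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt; a wrong key or tampering raises PermissionError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

MAX_SKEW, TICKET_LIFE = 300, 8 * 3600  # seconds: clock skew tolerated; ticket validity

class KDC:
    """Key Distribution Center: holds the long-term key of every principal (the AD accounts)."""
    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw, name) for name, pw in principals.items()}

    def issue_ticket(self, user: str, service: str, preauth: bytes, now: float):
        # Steps 1-2: the user proves the password by encrypting a timestamp under the
        # password-derived key (pre-authentication); the password itself never travels.
        user_key = self.keys[user]
        if abs(now - unseal(user_key, preauth)["timestamp"]) > MAX_SKEW:
            raise PermissionError("KDC: stale pre-authentication")
        # Step 3: a ticket only the service can open, plus the session key for the user.
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": user, "service": service,
                                           "session_key": session_key,
                                           "expires": now + TICKET_LIFE})
        return ticket, seal(user_key, {"service": service, "session_key": session_key})

class Service:
    """A network service that shares a long-term key with the KDC."""
    def __init__(self, name: str, password: str):
        self.name, self.key, self.seen = name, derive_key(password, name), set()

    def handle(self, ticket: bytes, authenticator: bytes, request: bytes, now: float) -> dict:
        t = unseal(self.key, ticket)  # an impostor without the service key fails here
        if t["service"] != self.name or t["expires"] < now:
            raise PermissionError(f"{self.name}: ticket not for this service or expired")
        sk = bytes.fromhex(t["session_key"])
        a = unseal(sk, authenticator)
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > MAX_SKEW:
            raise PermissionError(f"{self.name}: authenticator mismatch or stale")
        if (a["client"], a["timestamp"]) in self.seen:  # replay cache
            raise PermissionError(f"{self.name}: replayed authenticator")
        self.seen.add((a["client"], a["timestamp"]))
        data = unseal(sk, request)["data"]  # step 6: payload under the session key
        # Step 5: echoing the authenticator's timestamp under the session key proves the
        # service could open the ticket, i.e. it holds the real service key.
        return {"mutual": seal(sk, {"timestamp": a["timestamp"]}),
                "body": seal(sk, {"data": f"{self.name} got {data!r} from {t['client']}"})}

class Client:
    """The user's logon point: caches tickets and presents them to services (steps 4, 7)."""
    def __init__(self, user: str, password: str):
        self.user, self.key, self.tickets = user, derive_key(password, user), {}

    def logon(self, kdc: KDC, service: str, now: float) -> None:
        ticket, reply = kdc.issue_ticket(self.user, service, seal(self.key, {"timestamp": now}), now)
        # Only the holder of the right password-derived key can read the session key.
        self.tickets[service] = (ticket, bytes.fromhex(unseal(self.key, reply)["session_key"]))

    def call(self, service: Service, payload: str, now: float) -> str:
        ticket, sk = self.tickets[service.name]
        resp = service.handle(ticket, seal(sk, {"client": self.user, "timestamp": now}),
                              seal(sk, {"data": payload}), now)
        if unseal(sk, resp["mutual"])["timestamp"] != now:
            raise PermissionError("service failed mutual authentication")
        return unseal(sk, resp["body"])["data"]

def demo() -> dict:
    """One user, two services; returns what each service received (constructed names)."""
    kdc = KDC({"alice": "Correct-Horse-1", "files": "svc-files-key", "mail": "svc-mail-key"})
    files, mail = Service("files", "svc-files-key"), Service("mail", "svc-mail-key")
    alice, now = Client("alice", "Correct-Horse-1"), 1_700_000_000.0  # constructed clock
    for svc in ("files", "mail"):
        alice.logon(kdc, svc, now)  # real Kerberos reuses the TGT here (TGS exchange)
    return {"files": alice.call(files, "list share", now + 1),
            "mail": alice.call(mail, "fetch inbox", now + 2)}
```

Three failure modes worth watching map directly onto the steps: a wrong password is rejected at the KDC because the pre-authenticator's tag does not verify (step 2); a service that does not hold the real service key cannot open the ticket and therefore cannot echo the authenticator's timestamp, which is what step 5's mutual authentication rests on; and a replayed authenticator is caught by the service's cache of (client, timestamp) pairs within the skew window. The same cached ticket and session key serve every subsequent request to that service (step 7) without another round trip to the KDC.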

Kerberos is a very powerful means for authentication and a major asset to Windows Server 2008.
