Kerberos/NTLM Authentication Mechanism
Overview
The Kerberos protocol is an authentication protocol for client/server applications. For authentication purposes, the Kerberos Key Distribution Center (KDC) issues tickets to clients. The client presents its Kerberos ticket to the server after the connection has been established. Kerberos authentication tickets represent the client's network credentials.
Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system, and on stand-alone systems.
Windows authentication uses either the Kerberos or the NTLM authentication protocol, depending on how the client and server are configured.
NTLM Authentication Protocol:
- The NEGOTIATE_MESSAGE defines an NTLM Negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.
- The CHALLENGE_MESSAGE defines an NTLM challenge message that is sent from the server to the client and it is used by the server to challenge the client to prove its identity.
- The AUTHENTICATE_MESSAGE defines an NTLM authenticate message that is sent from the client to the server after the CHALLENGE_MESSAGE is processed by the client.
Kerberos Authentication Protocol:
- Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
- Message B: Ticket-Granting-Ticket encrypted using the secret key of the TGS.
- Message C: Composed of the TGT from message B and the ID of the requested service.
- Message D: Authenticator encrypted using the Client/TGS Session Key.
- Message E: client-to-server ticket encrypted using the service's secret key.
- Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
- Message G: a new Authenticator, which includes the client ID and timestamp, encrypted using the Client/Server Session Key.
- Message H: the timestamp found in the client's Authenticator encrypted using the Client/Server Session Key.
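The exchange above, messages A through H, as an added runnable simulation (not code from the original page or any Kerberos implementation): the KDC plays both the Authentication Service and the Ticket Granting Service, and the key names, the toy SHA-256/HMAC cipher standing in for a Kerberos enctype, and the 300-second skew window are constructed assumptions. It also shows the freshness check on the authenticator timestamp that makes clock synchronization matter.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; authenticators with a timestamp outside this window are rejected
# Constructed long-term keys held by the KDC: the user's (password-derived), the TGS's, the service's
KEYS = {"alice": b"k-alice", "krbtgt": b"k-tgs", "HTTP/web": b"k-http"}

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def enc(key, obj):
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for a Kerberos enctype."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(auth, ticket, now):
    """Shared by TGS and service: the authenticator must name the ticket's client and be fresh."""
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator rejected (client mismatch or clock skew)")

def as_exchange(user):  # AS reply: Message A (Client/TGS key) and Message B (the TGT)
    sk = os.urandom(16).hex()
    return enc(KEYS[user], {"tgs_key": sk}), enc(KEYS["krbtgt"], {"client": user, "tgs_key": sk})

def tgs_exchange(tgt, authenticator, service, now):  # Messages C and D in, E and F out
    t = dec(KEYS["krbtgt"], tgt)  # only the TGS can open the TGT
    check_authenticator(dec(bytes.fromhex(t["tgs_key"]), authenticator), t, now)
    svc_key = os.urandom(16).hex()
    e = enc(KEYS[service], {"client": t["client"], "svc_key": svc_key})  # client-to-server ticket
    return e, enc(bytes.fromhex(t["tgs_key"]), {"svc_key": svc_key})

def ap_exchange(service, ticket, authenticator, now):  # Messages E and G in, H out
    tk = dec(KEYS[service], ticket)
    auth = dec(bytes.fromhex(tk["svc_key"]), authenticator)
    check_authenticator(auth, tk, now)
    return enc(bytes.fromhex(tk["svc_key"]), {"ts": auth["ts"]})  # proves the service holds the session key

def login(user, service, client_skew=0):
    """Client side of the whole exchange; True means mutual authentication succeeded."""
    client_clock = time.time() - client_skew  # simulate a client whose clock is behind the KDC's
    a, b = as_exchange(user)
    tgs_key = bytes.fromhex(dec(KEYS[user], a)["tgs_key"])  # decrypting A needs the user's secret
    e, f = tgs_exchange(b, enc(tgs_key, {"client": user, "ts": client_clock}), service, time.time())
    svc_key = bytes.fromhex(dec(tgs_key, f)["svc_key"])
    h = ap_exchange(service, e, enc(svc_key, {"client": user, "ts": client_clock}), time.time())
    return dec(svc_key, h)["ts"] == client_clock
```

A client whose clock is an hour off fails at the TGS step with the skew error, which is the situation behind the time-synchronization advice in the FAQ.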
FAQs
Can I use an existing LDAP user as a Kerberos service principal?
Yes, you can use an existing LDAP user as the Kerberos service principal, but its password must be set to never expire. Make sure this account is not used by any person to log in, because the application uses it as the Kerberos service principal, together with the corresponding keytab, to obtain a Kerberos ticket.
What is a "Kerberos client", "Kerberos server", and "application server"?
All authentication in Kerberos occurs between clients and servers, so any entity that receives a service ticket for a Kerberos service is called a "Kerberos client" in Kerberos terminology. Users are the most common clients, but any principal can be one.
The Key Distribution Center, or KDC for short, is what is usually meant by "Kerberos server". The KDC implements both the Authentication Service (AS) and the Ticket Granting Service (TGS), and it stores the password associated with every principal. For that reason it is essential that the KDC be kept as secure as possible.
The phrase "application server" usually refers to Kerberized software that clients interact with after authenticating with Kerberos tickets. The Kerberos telnet daemon is one example of an application server.
Why am I getting a prompt to enter my credentials?
This happens when the NTLM protocol is used for authentication instead of Kerberos, which can have several causes:
- Check whether you are accessing the website from a domain-joined machine.
- Make sure the clocks of the LDAP server and the web server are synchronized.
- Confirm that your browser settings and Internet options are configured for Kerberos SSO.
- If you are still facing this issue, feel free to contact us.