Okay, let's take a look at authentication in the domain environment.
What we're trying to do is bring in something called single sign-on.
When we talk about single sign-on, the idea is that when we log on to the domain at any point in time, first thing in the morning, that grants access to all the objects in the domain that we have permission to.
I don't have to log in every time that I want to access the printer. I don't have to log into this file server, then log into the database server.
You take that for granted today that that's just how it is. You log on to the domain, you have domain resources,
but that isn't how it always has been.
One of the tools that really allows this to work is Kerberos.
Kerberos is a network authentication protocol and service that we will look at in just a few minutes.
Now, if we want to extend that idea beyond just our local domain and log in a single time at our organization and then be able to access many resources throughout the Internet, then that's going to require federated services.
Federated services are trusts that are preconfigured ahead of time so that authentication credentials can be passed back and forth.
We're going to look at that when we look at SAML, and we're going to look at OpenID Connect as well.
So, the pros and cons of single sign-on: it's definitely easier to use for users. I don't want to have to keep track of 1500 passwords.
I just want to have a single set of credentials, log in and get access to the resources I need.
It's actually better for an administrator because they only have a single account database that they have to manage. And they have that central control.
Everybody is logging into the same database. I control the password list. I control the protections, the policies, so much better control.
Of course, the downside is we have a single point of failure:
if the domain controller fails, we can't access the domain,
not to mention the fact that if my single set of credentials gets compromised, an attacker would get keys to the kingdom. They have everything that can be accessed with a single set of keys.
So those are some cons,
but we really decided that the benefits outweigh the costs of the single sign on.
That's the environment that we work with. Like we said, on the Internet we really have to strive to get there, so that a single set of credentials will give me access to everything I need.
We're not there yet, but that's the goal,
and that's the direction we're headed towards.
Kerberos is a single sign on technology. It's both a protocol and a service.
Those of you keeping track of ports: it's port 88, if I remember correctly. 88 keys on a piano, and Kerberos starts with a K.
I don't know why, but I've always remembered it that way.
The goal here is single sign on to the domain
Now, we don't really get into cryptography in this class, but there's something called symmetric cryptography.
Symmetric cryptography means that what's encrypted with a key has to be decrypted with the same key.
There's only one key that's used both to encrypt and decrypt data.
We're not going to get into the encryption and decryption activities here. We're just really focusing on authenticity.
And Kerberos does use encryption as well to give us additional protection.
Now, to explain Kerberos, I want to take you back to my childhood. I grew up in Greensboro, North Carolina. This is actually a pretty dull place to grow up if you're a kid;
there's not a lot of action shaking down in Greensboro, North Carolina, except every April, when the GYC Carnival comes to town. That's Greensboro Youth Council.
You know the carnival is coming to town because you drive past the Carolina Circle Mall. There would be a big white fence that just suddenly went up overnight. We knew that meant the carnival is coming. We knew that everything inside that white fence was where the carnival was going to be. Everything else was just the rest of the parking lot.
That white fence set off the carnival realm from everything else. Inside was the realm. Outside was not. The first night the carnival would open up was always on Wednesday, and we would go.
Usually admission to the carnival is pretty cheap, and they'd ask you to bring a couple of cans of food for their food drive so you could get your admission free.
We always looked for the worst cans of food in the cabinet.
Do we have any canned beets back there? Any sliced carrots? Anyway, it just takes me back to bringing cans full of beets to the carnival. And we get in. Now I'm in the carnival. Does that mean I can ride all the rides? No. It just means I'm in the realm.
What can you do in the realm?
Not much. Well, what I really want to do is ride the rides. When I say going through admission, what does that get us? What it actually gets us is a wrist strap.
Do you remember the wrist straps at carnivals and county fairs? They're either paper or plastic. They aggravate you; you're always tugging at them. That proves that you came in through admission.
What I really want are tickets. But if I go to the ticket booth and I try to buy a bunch of tickets and the guy doesn't see my wrist strap, the guy at the ticket booth says, "Nope. You must have jumped the fence. Go out and come back in the right way, and I'll sell you the tickets." What the wrist strap really does is show I've come into the carnival the correct way, and it allows me to get what I really want, which are tickets.
I go back in, pay my money, have my wrist strap and go get my tickets.
Here's the thing. Before I was old enough to go on my own, I would go with my mom. My mom is a wonderful, lovely lady, but she was tight with a penny.
My mother is not a spendthrift by any stretch of the imagination. I get in the carnival; they would sell these packs of tickets for $50. Nope. If I wanted to ride the Ferris wheel, the Ferris wheel is three tickets. Do you know what I got? I got three sad little measly tickets. I went to the Ferris wheel. I rode the Ferris wheel. That was fun. I want to ride again.
Nope. All right, now I want to ride the bumper cars. Back to the ticket booth. I get four tickets to ride the bumper cars. Then I want to ride the swings. Back to the ticket booth. My mother was not going to buy one ticket more than she had to. Come in through the admission booth, I get my wrist strap, which allows me to buy tickets, and we have to come through the admission booth one time.
Every time I want to ride a ride, I had to go back to the ticket booth. I get tickets for that ride, back to the ticket booth, go to the next ride. If I want to go back to the Ferris wheel later, I'd have to go back to the ticket booth and buy more tickets.
That is exactly how Kerberos works, except there are fewer Ferris wheels involved.
If we look at Kerberos, the way this works is single sign-on. I sit down at my laptop in the morning and I provide login credentials. If those credentials are correct, I get back a ticket granting ticket, a TGT.
That's like my wrist strap that proves I've authenticated.
Now I've got my TGT. I'm in the realm and I want to print to print server 1. With my TGT, I send a request to the ticket granting service. The ticket granting service comes back and gives me a ticket for print server 1, and I send that ticket with the print job to the print server.
Later, if I want to access the database server or whatever other server, I go back to the ticket booth,
show them my TGT, say I want to access the database server, and the ticket granting service gives me my ticket. Okay, so it's one time through the authenticating server. Just once I provide my login credentials. Many times I go back to the ticket granting server.
Those are the two main roles in Kerberos. You have the authenticating service and the ticket granting service. When the two of those roles are combined, which they always are, those are two services on the same system. That system is referred to as the KDC.
Keep in mind that Kerberos doesn't solve every problem. There are some other issues to be concerned with in Kerberos. One thing that's really important is time synchronization. Your clocks have to be synchronized within five minutes of each other, or you'll have systems that can't access the domain.
That requires that we have some sort of synchronization of time. Often that's Network Time Protocol, NTP.
Another issue is your tickets are stored on your workstation. If your workstation is compromised, someone could forge your identity. That's pretty much true anyway, right? Once I'm sitting at your workstation, then I can impersonate you. The KDC is that single point of failure. It's also extremely desirable for an attacker because that's where all the credentials are.
Also, Kerberos doesn't do anything to prevent guessing passwords, right? Kerberos is just there for single sign-on. It doesn't fix every problem, but it's something that we've been using for years and years on Windows and UNIX systems. It's been very successful, all things considered.
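The ticket flow the lecture describes (one trip through the authentication service for a TGT, then a trip to the ticket granting service for every service), as an added example that is not part of the lecture or of any Kerberos implementation: a Python simulation of a client, a KDC with the AS and TGS on one host, and two services. A toy symmetric authenticated cipher built from HMAC-SHA256 stands in for the real Kerberos encryption types, and the realm name EXAMPLE.LOCAL, the user alice, the services print1 and db1 and the password "correct horse" are all constructed. The password never crosses the wire: a wrong password simply fails to open the AS reply. The example also exercises the five-minute clock tolerance mentioned above, so a client whose clock is ten minutes off still gets a TGT but is refused a service ticket.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # the five-minute clock tolerance the lecture mentions

def derive_key(principal, password):
    # Long-term key from a password; stand-in for Kerberos string-to-key (constructed realm name in the salt)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.LOCAL/" + principal.encode(), 50_000)

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Toy symmetric authenticated encryption: XOR keystream, then HMAC tag. One key both ways."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, expected_cname, now):
    # Binding and freshness checks done by the TGS and by every service
    if auth["cname"] != expected_cname:
        raise ValueError("authenticator name does not match the ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("clock skew exceeds five minutes")

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) on one host."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)  # principal -> long-term key (users and services)
        self.tgs_key = os.urandom(32)     # only the KDC itself can open TGTs
    def as_exchange(self, cname):
        # AS-REQ/AS-REP: the reply is only useful to whoever holds the user's long-term key
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"cname": cname, "key": session.hex()})
        return seal(self.keys[cname], {"key": session.hex()}), tgt
    def tgs_exchange(self, tgt, authenticator, sname):
        # TGS-REQ/TGS-REP: show the TGT (the wrist strap), get a ticket for one service
        now = time.time()
        t = unseal(self.tgs_key, tgt)
        session = bytes.fromhex(t["key"])
        check_authenticator(unseal(session, authenticator), t["cname"], now)
        svc_session = os.urandom(32)
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc_session.hex()})
        return seal(session, {"key": svc_session.hex(), "sname": sname}), ticket

class Client:
    def __init__(self, cname, password, clock_offset=0):
        self.cname, self.key = cname, derive_key(cname, password)
        self.clock_offset = clock_offset  # models an unsynchronised workstation clock
    def _authenticator(self, key):
        return seal(key, {"cname": self.cname, "ts": time.time() + self.clock_offset})
    def login(self, kdc):
        # Once in the morning: credentials in, TGT out; a wrong password fails to open enc_part
        enc_part, self.tgt = kdc.as_exchange(self.cname)
        self.tgt_session = bytes.fromhex(unseal(self.key, enc_part)["key"])
    def get_service_ticket(self, kdc, sname):
        # Every time: back to the ticket booth with the TGT, never with the password
        enc_part, ticket = kdc.tgs_exchange(self.tgt, self._authenticator(self.tgt_session), sname)
        svc_session = bytes.fromhex(unseal(self.tgt_session, enc_part)["key"])
        return ticket, self._authenticator(svc_session)

class Service:
    def __init__(self, sname, key):
        self.sname, self.key = sname, key
    def accept(self, ticket, authenticator):
        # AP-REQ: only this service's key opens its tickets; the authenticator proves freshness
        t = unseal(self.key, ticket)
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t["cname"], time.time())
        return t["cname"]

def run_session(password="correct horse", clock_offset=0):
    """Log in once, then use two services; returns the principal each service authenticated."""
    keys = {"alice": derive_key("alice", "correct horse"), "print1": os.urandom(32), "db1": os.urandom(32)}
    kdc, alice = KDC(keys), Client("alice", password, clock_offset)
    alice.login(kdc)
    services = [Service("print1", keys["print1"]), Service("db1", keys["db1"])]
    return [svc.accept(*alice.get_service_ticket(kdc, svc.sname)) for svc in services]
```

Calling run_session() returns ['alice', 'alice']; run_session(password="wrong") and run_session(clock_offset=600) both raise ValueError, the first at login and the second at the ticket granting service. Note what the simulation shares with the lecture's warning: everything a service trusts is keyed material held by the KDC, and the TGT and session keys sit in the client's memory, so a compromised workstation can use them for as long as they are valid.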