Single Sign-On Kerberos Part 1


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
Okay, welcome back. Now we'll talk about how authentication works on most networks. On most networks, you have single sign-on. Basically, what that means is I'm able to log in and provide my credentials one time, and then I'm able to stay on the domain or in the realm as long as my token hasn't expired. But ultimately, I don't have to keep logging in over and over for each resource I want to access. For example, if I want to use the printer, I don't have to log in again. That is thanks to a protocol called Kerberos. It's really both a protocol and a service.

This idea of a single sign-on on our local domain has a lot of pros. I was around in the peer-to-peer days when you had to log on separately to every system that had a resource that you wanted to have access to. That's a lot of usernames and passwords to keep up with. We have that on the Internet today for all the sites that you go on to on the Internet. But at least in our work domain, you don't have to log in for everything separately, and you have single sign-on. It's also easier for administrators, because there's a single database with usernames and passwords, and it is easier to create, modify, and delete user accounts.

Now, the downside is that if I have a centralized authentication server, then you have a single point of failure. We have to have an environment that accepts that if I log onto domain controller one, it has to have all the applications I need access to, and it needs to follow certain standards to make that possible. The other thing is that if someone gets my password, then they get access to everything. But we've decided that the pros outweigh the cons with single sign-on. Life is much better, much easier, and more secure in a single sign-on environment.

Remember that it's Kerberos that allows us to have single sign-on in our internal network. Then we see SAML and OpenID Connect as a means of extending that single sign-on out to other organizations with whom we have federated trust. Then you can extend single sign-on into various tools that you'd like to use, such as Microsoft 365, Salesforce, and all types of other tools, but let's focus on Kerberos for now.

This is a network authentication protocol. It's going to be used in your internal network, and it's a protocol and a service. By the way, it uses port 88. I always remember that because there are 88 keys on a piano, and keys and Kerberos both start with "ke." Maybe that will help you remember it also. Kerberos has been around for a long time. It uses symmetric encryption, and you need to remember that. This makes sure that users and services are both authenticated. You get some mutual authentication. It's also very time sensitive, and that's one of the ways we minimize the risk of replay attacks.

Let's talk about how Kerberos works. I like to think about the carnival I used to go to when I was a kid, and how it relates to how Kerberos works. I'm going to use that as my analogy to help explain it. Now, once a year the carnival would come to town, and they'd set up a big fence around where the carnival was set up. That was the carnival realm, and I could not wait to get in it. I remember that on Wednesday nights, the admission was cheaper because they were trying to get people to come on that night. I would show up at the admission booth on Wednesday night and I paid to get into the carnival realm. That would only give me the ability to get in; it didn't cover the price of any rides or activities I wanted to do. For that, you had to buy tickets. All you got for the price of admission was a wrist strap that they put on you to show that you paid to get in. If you had that, you could go to the ticket booth to buy tickets for all the other things you wanted to do. If you didn't have a wrist strap, they wouldn't sell you tickets to the rides and other activities. It turns out that the wrist strap is pretty important; it proves that you came in the proper way.

Before I was old enough to go to the carnival alone, I always went with my mom. Now, my mom is a lovely lady, but she is tight with money. As a matter of fact, I had this vision of her going into her room and counting out her money like Scrooge McDuck, because she is tight with a coin. Back at the carnival, if I wanted to go on a ride, my mom wouldn't just give me 20 dollars so I could buy all the tickets I wanted and ride all the wild rides that I wanted. No, she would give me the minimum amount that I would have to ride one thing at a time. Each time I wanted to ride something different, I'd have to go and ask her for more money. Then I'd have to go back to the ticket booth to get tickets for that ride. I only had to go through the admission gate one time, but I had to go back to the ticket booth many times.

The point I wanted to make here is that you come into the carnival through the admission booth. When you come in properly and pay your admission, you get a wrist strap. That wrist strap proves that you came in correctly and allows you to buy tickets. For each ride you want to ride, you have to buy tickets. That means you may have to go back to the ticket booth. Every time, you have to show your wrist strap to buy more tickets. That's exactly how Kerberos works. We'll talk more about that next.