Single Sign-On Kerberos Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> Hello. Now we'll talk a little bit more about
00:00
how Kerberos is like the carnival I described earlier,
00:00
but this will be a little bit more technical.
00:00
You log into the server, your domain controller.
00:00
That domain controller is
00:00
actually running a service called
00:00
the authenticating service or the AS.
00:00
When I sit down and login,
00:00
my login credentials are sent
00:00
to the authenticating service.
00:00
In exchange for proving my authenticity,
00:00
the authenticating service gives me something
00:00
>> called the TGT or ticket granting ticket.
00:00
>> That's like my wrist strap at the carnival.
00:00
That's what I get for coming in the proper way.
00:00
That TGT stays with
00:00
me throughout my duration in the domain or the realm,
00:00
and it proves that I came in
00:00
the proper way. It's a token.
00:00
Now, let's say I want to print to server A.
00:00
In the background, what is happening is that I'm
00:00
basically going to something
00:00
called the ticket granting service or TGS.
00:00
>> I'm saying here's my TGT,
00:00
>> I want to print to server A.
00:00
The TGS sees that I have a TGT and gives me
00:00
a ticket to print to server A.
00:00
>> I get my ticket, I send my print job to the printer,
00:00
>> and all is well.
00:00
>> Now, let's say I want to access
00:00
something from the database service.
00:00
Do I have to go back through the authenticating
00:00
service and re-log in?
00:00
No. I have to go back to the ticket booth or the TGS.
00:00
Just like the carnival,
00:00
it's one-time through the admissions booth
00:00
or authenticating service,
00:00
and many times to the ticket booth or TGS.
00:00
That is Kerberos.
00:00
This is great because we don't have to keep
00:00
proving our credentials over and over.
00:00
Then ultimately what happens is that we keep
00:00
this token with us for the duration of our login,
00:00
and we just simply need to carry
00:00
the ticket granting service or
00:00
a ticket each time we want to go access new services.
00:00
The ticket granting service and
00:00
the authenticating service are
00:00
two rules that are running on the same system.
00:00
The system that houses the TGS and the AS is
00:00
called the KDC or key distribution center.
00:00
The TGS plus the AS equals the KDC.
00:00
That's really at the heart of Kerberos.
00:00
Kerberos isn't perfect. Nothing is.
00:00
It's very time sensitive,
00:00
which is actually a good thing.
00:00
It mitigates the risk of replay attacks,
00:00
but at the same time,
00:00
all of your clocks on the network have to be
00:00
synchronized within five minutes of each other.
00:00
Otherwise, you'll find that
00:00
certain clients can't log
00:00
in and you'll get a Kerberos error.
00:00
Also, the ticket granting ticket
00:00
is stored locally on your workstation.
00:00
If your workstation gets compromised,
00:00
then someone else could have access to
00:00
resources as if they were you.
00:00
Now, if your KDC is hacked,
00:00
that's a big deal because the key distribution center
00:00
is your ultimate list of passwords and all credentials.
00:00
So all security is lost.
00:00
That's a single point of failure.
00:00
It can also be a performance bottleneck.
00:00
Finally, it is still
00:00
vulnerable to password guessing attacks.
00:00
Kerberos doesn't do anything to prevent that,
00:00
but it is still considered worth those
00:00
risks that way you can have single sign-on.
00:00
To review, Kerberos is
00:00
a network authentication protocol and operates on
00:00
port 88 and it uses symmetric cryptography.
00:00
That's something you might see on the test.
00:00
You can expect to see several questions
00:00
on the exam about Kerberos in
00:00
general because it's
00:00
a very important protocol and service.
Up Next