Within tickets, the proxy and forwarded flags are used in situations in which a client connects to one server and that server connects to another server to complete the transaction for the client. This is known as delegation of authentication. Kerberos operates using tickets, so the first server must have a ticket to connect to the second server. Proxy and forwarded flags operate on different principles, and each must be specifically allowed in the Kerberos realm policy.

Proxy tickets operate on the principle that the client knows the name of the second server that will be contacted. If the policy for the Kerberos realm allows proxy tickets, the KDC sets the proxiable flag in the TGT it sends to the client. When the client requests a ticket for server two, it sets the flag stating that it wants a proxy ticket and includes the name of server one, which is the server that will act on behalf of the client. The KDC generates the ticket for server two, sets the proxy flag, and sends it to the client. The client then sends the ticket to server one, which uses the ticket to access server two on behalf of the client. Figure 3.5 shows the process for proxy tickets.

Figure 3.5 These are the steps used for proxy tickets.

If the client does not know the name of server two, it cannot request a proxy ticket. This is where forwarded tickets are used. Forwarded tickets operate on the principle that the client gives server one a TGT that it can use to request tickets for other servers when necessary. The client requests a forwardable TGT from the KDC, notifying the KDC of the name of the server, in this case server one, that is authorized to act on behalf of the client. The KDC generates the forwardable TGT for server one and sends it back to the client. The client then sends the forwardable TGT to server one. When server one wants to contact another server such as server two, it sends the client's TGT to the KDC. The KDC detects that the TGT is forwardable, so it creates a forwarded ticket for server two and sends the ticket to server one. Server one can then use that ticket to access server two on behalf of the client. Figure 3.6 shows the steps taken for forwarded tickets.

Figure 3.6 These are the steps used for forwarded tickets.
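The two delegation flows above, as an added, constructed model (not the book's code and not a real Kerberos implementation): a toy KDC that honours the realm policy, issues proxiable or forwardable TGTs, and only mints a proxy or forwarded ticket when the presented TGT carries the right flag and names the delegating server. The principal and server names, the delegate field and the accepts() check are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of proxy/forwarded delegation; simplified, not real Kerberos.

@dataclass
class Ticket:
    client: str                      # principal the ticket was issued to
    server: str                      # service the ticket is good for ("krbtgt" = TGT)
    flags: set = field(default_factory=set)
    delegate: Optional[str] = None   # server allowed to act on behalf of client


class KDC:
    def __init__(self, allow_proxy: bool, allow_forward: bool):
        # realm policy: each kind of delegation must be explicitly allowed
        self.allow_proxy, self.allow_forward = allow_proxy, allow_forward

    def issue_tgt(self, client, proxiable=False, forwardable=False, delegate=None):
        flags = set()
        if proxiable and self.allow_proxy:
            flags.add("proxiable")
        if forwardable and self.allow_forward:
            flags.add("forwardable")
        # the forwardable TGT records which server the client authorized
        return Ticket(client, "krbtgt", flags, delegate if "forwardable" in flags else None)

    def proxy_ticket(self, tgt, target, proxy_server):
        # client knows server two (target) and names server one (proxy_server)
        if "proxiable" not in tgt.flags:
            raise PermissionError("TGT is not proxiable")
        return Ticket(tgt.client, target, {"proxy"}, proxy_server)

    def forwarded_ticket(self, tgt, requester, target):
        # server one presents the client's TGT; KDC checks the forwardable flag
        # and that the requester is the server the client authorized
        if "forwardable" not in tgt.flags or tgt.delegate != requester:
            raise PermissionError("TGT not forwardable to this server")
        return Ticket(tgt.client, target, {"forwarded"}, requester)


def accepts(server, ticket, presented_by):
    # server two honours a delegated ticket only when it is issued for server two
    # and presented by the delegate the KDC recorded in it
    return (ticket.server == server and ticket.delegate == presented_by
            and bool(ticket.flags & {"proxy", "forwarded"}))


def proxy_flow(kdc):
    tgt = kdc.issue_tgt("alice", proxiable=True)
    t = kdc.proxy_ticket(tgt, "server2", "server1")      # client -> KDC
    return accepts("server2", t, "server1")              # server1 -> server2


def forwarded_flow(kdc):
    tgt = kdc.issue_tgt("alice", forwardable=True, delegate="server1")
    t = kdc.forwarded_ticket(tgt, "server1", "server2")  # server1 -> KDC
    return accepts("server2", t, "server1")              # server1 -> server2
```

With delegation disabled in the policy, the TGT never gets the flag and both flows fail at the KDC, which is the enforcement point an administrator should rely on.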
Kerberos and Windows 2000

The Kerberos implementation in Windows 2000 is called Microsoft Kerberos because Microsoft added its own extensions. Microsoft Kerberos only authenticates the identity of the user; it does not authorize access. After the identity of the user has been verified by Microsoft Kerberos, the Local Security Authority (LSA) authorizes or denies access to the resource.

For Managers Only

How Microsoft Kerberos Interoperates with Other Kerberos Implementations

A key concern for managers planning to introduce Windows 2000 into existing networks that utilize Kerberos is the interoperability of the different flavors of Kerberos. Microsoft has tested various scenarios between Microsoft Kerberos and the Massachusetts Institute of Technology (MIT) implementation of Kerberos. Their findings are:

• Clients that are not Windows based can authenticate to a Windows 2000 KDC.
• Windows 2000 systems can authenticate to the KDC in an MIT-based Kerberos realm.
• Windows 2000 client applications can authenticate to Kerberos services running on systems that are not Windows-based as long as the service supports the GSS-API. Windows 2000 uses the Security Support Provider Interface (SSPI), which is compatible with the GSS-API.