Key Distribution Center

The KDC is integral to the operation of Kerberos, and Windows 2000 implements the KDC as a domain
service, as shown in Figure 3.7. The KDC uses Active Directory as the source of its account database (see
Chapter 4).

The KDC service, along with the Active Directory, is located on every Windows 2000 domain controller.
This allows each domain controller to accept authentication and ticket requests instead of depending on a
single KDC.

Figure 3.7 Kerberos Key Distribution Center runs as a service on Windows 2000 domain controllers.

Every Kerberos KDC has its own principal name. The name used in Windows 2000 is krbtgt, which follows
the guideline given in RFC 1510. When a Windows 2000 domain is created, a user account named krbtgt is
created for the KDC principal, as shown in Figure 3.8. This account is a built-in account, so it cannot be
deleted, renamed, or enabled for normal user use. Even though it appears that the account is disabled, in
reality it is being used by the KDC. An administrator who attempts to enable the account receives the dialog
box shown in Figure 3.9.

The password for the account is generated automatically by Windows 2000 and is changed automatically by
the system on a regular basis. The key used by the krbtgt account is based on its password, just like a normal
user's long-term key. The long-term key of krbtgt is used to encrypt and decrypt the TGTs it gives out. The
krbtgt account is used by all KDCs in a domain. For example, a Windows 2000 domain may have five
domain controllers, each of which has its own functioning KDC, but each of the KDCs uses the krbtgt
account. This allows each KDC to encrypt and decrypt TGTs using the same long-term key. A client knows
which KDC to communicate with because the client computer queries the Domain Name System (DNS) for a
domain controller. After the client locates a domain controller, it sends the KRB_AS_REQ message to the
KDC service on that domain controller.
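
The shared-key arrangement described above, modeled as an added example (not code from the original text or from Windows): five KDC objects hold the same krbtgt-derived key, so a TGT sealed by one opens on any of them, while a KDC holding a different key rejects it. The PBKDF2 key derivation, the HMAC-based sealing, the JSON ticket body, and all names and passwords are constructed stand-ins, not the Kerberos encryption types or ticket format.

```python
import hashlib, hmac, json, os

def long_term_key(password: str, salt: str) -> bytes:
    # Stand-in string-to-key (PBKDF2); not the derivation Windows 2000 uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only as a stdlib stand-in cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class KDC:
    """Model of the KDC service on one domain controller."""
    def __init__(self, name: str, krbtgt_key: bytes):
        self.name = name
        # Separate encryption and integrity keys, both derived from the krbtgt key.
        self._enc = hmac.new(krbtgt_key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(krbtgt_key, b"mac", hashlib.sha256).digest()

    def issue_tgt(self, client: str) -> bytes:
        body = json.dumps({"client": client, "issued_by": self.name}).encode()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(body, _keystream(self._enc, nonce, len(body))))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open_tgt(self, blob: bytes):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None  # not sealed with this KDC's krbtgt key, or modified
        body = bytes(a ^ b for a, b in zip(ct, _keystream(self._enc, nonce, len(ct))))
        return json.loads(body)

def demo():
    # Constructed sample values: one domain, five domain controllers, one krbtgt key.
    key = long_term_key("constructed-krbtgt-password", "EXAMPLE.COMkrbtgt")
    dcs = [KDC(f"DC{i}", key) for i in range(1, 6)]
    tgt = dcs[0].issue_tgt("alice")
    accepted = [dc.name for dc in dcs if dc.open_tgt(tgt) is not None]
    other = KDC("OTHER-DC1", long_term_key("different-password", "OTHER.EXAMPLEkrbtgt"))
    return accepted, other.open_tgt(tgt)

if __name__ == "__main__":
    print(demo())
```

Because every KDC in the domain can open the ticket, the krbtgt key is the single secret that TGT validity rests on across all domain controllers.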