Contact info for Tech Philly
Philadelphia Computer Tech Support

Contents of a Microsoft Kerberos Ticket
Microsoft Kerberos tickets contain additional items that are not found in tickets from other Kerberos
implementations. Windows 2000 uses Security Identifiers (SIDs) just as in previous versions of
Windows NT. SIDs are used to represent user accounts and groups. The SID for a user, along with any SIDs
for the groups the user belongs to, is included in tickets used by the client and is known as the Privilege
Attribute Certificate (PAC). The PAC is not the same thing as a public key certificate. The user's name, also
known as the User Principal Name, is added to the ticket as UPN:name@domain. For example, is placed in a ticket to identify the user Stace.
Delegation of Authentication
Kerberos supports two methods of delegation: proxiable tickets and forwardable tickets. Microsoft Kerberos
provides support for forwardable tickets only, and the default Kerberos policy for Windows 2000 domains
assigns this permission only to members of the Domain Admins group. It can be provided to individual users
by modifying the user's account from Active Directory Users and Computers. To access user accounts in
Active Directory, click Start, highlight Programs, highlight Administrative Tools, and click Active Directory
Users and Computers. The account option for enabling delegation is available on the Account tab of a user's
properties, as shown in Figure 3.12. An account option is also available to not allow the acceptance of
delegated credentials.
Figure 3.12 This is the way to enable a user account for delegation of authentication.
In Kerberos authentication, some of the messages have a preauthentication field. Microsoft Kerberos uses
preauthentication in domains by default. The data contained in this field is the encrypted timestamp of the
client. If it is necessary, preauthentication can be turned off for user accounts on an individual basis, as
shown in Figure 3.13. It may be necessary to turn off preauthentication if you are integrating Microsoft
Kerberos with other variations of the Kerberos protocol.
Figure 3.13 This is the way to disable preauthentication for a user account.
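The account options described above (trusting an account for delegation, refusing delegation, and turning off preauthentication) are stored as bits in the account's userAccountControl attribute. The following added example, which is not from the original text, decodes those bits from an LDIF-style export to list the accounts worth reviewing; the sample records and the example.com domain are constructed assumptions.

```python
# Added example: the sample export below is constructed, not real directory data.
# userAccountControl bits (Microsoft-documented) behind the Account tab options.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00080000: "TRUSTED_FOR_DELEGATION",  # account is trusted for delegation
    0x00100000: "NOT_DELEGATED",           # account cannot be delegated
    0x00400000: "DONT_REQ_PREAUTH",        # Kerberos preauthentication not required
}
REVIEW = ("TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH")

SAMPLE_LDIF = """\
dn: CN=Stace,CN=Users,DC=example,DC=com
sAMAccountName: stace
userAccountControl: 1049088

dn: CN=Legacy Svc,CN=Users,DC=example,DC=com
sAMAccountName: legacysvc
userAccountControl: 4194816

dn: CN=Old Admin,CN=Users,DC=example,DC=com
sAMAccountName: oldadmin
userAccountControl: 4719106
"""

def parse_ldif(text):
    """Yield a dict per blank-line-separated record (plain 'attr: value' lines only)."""
    for block in text.strip().split("\n\n"):
        entry = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if entry:
            yield entry

def decode_uac(value):
    """Return the names of the tracked flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def audit(text):
    """List accounts that are trusted for delegation or skip preauthentication."""
    findings = []
    for entry in parse_ldif(text):
        flags = decode_uac(int(entry.get("userAccountControl", "0")))
        options = [f for f in flags if f in REVIEW]
        if options:
            findings.append((entry["sAMAccountName"], options, "ACCOUNTDISABLE" in flags))
    return findings

if __name__ == "__main__":
    for account, options, disabled in audit(SAMPLE_LDIF):
        print(account, ",".join(options), "(disabled)" if disabled else "(enabled)")
```

The parser handles only plain `attr: value` lines; a real export with folded lines or base64 values (`attr:: ...`) needs a full LDIF reader.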