Contact info for Tech Philly
Home  •  Contact  •  Services  •  Support

  login:        
  password:  
            Tech Solutions
     

PC Upgrades Upgrades
Data Recovery Data Recovery
Computer Repair, Maintenance, and update Maintenance
Security From Viruses, Hackers, and Spyware Security
Network Solutions Networks
Website Search Engine Optimization Google Rank Increase Websites
Computer Repair Philadelphia Gateway Compaq Custom Systems

  • Location Service
  • 24/7 Help
 
 

Philadelphia Computer Tech Support
 
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

logged on. Once the user logs off, the hashed password is discarded. The LSA keeps a copy of the hashed
password in case the TGT expires; it then gives the Kerberos SSP a method of obtaining another TGT
without prompting the user to input a password. This allows this task to be smoothly accomplished in the
background.
DNS Name Resolution
Microsoft Kerberos depends on the Domain Name System (DNS) to find an available KDC to send the initial
authentication request. All Windows 2000 domain controllers are KDCs, and the KDC is registered as
_kerberos._udp.nameofDNSdomain in the DNS service location record (SRV record). Clients can query for
this SRV record to locate the IP address for computers running the KDC service. A client that cannot find the
SRV record can query for a host record (A record), using the domain name.
If a Windows 2000 computer is a member of a different Kerberos realm (not a Windows 2000 domain) then
it cannot look for the SRV record. In this case, the name of the KDC server is stored in the registry of the
Windows 2000 computer. When the computer needs to locate the KDC, the Microsoft Kerberos SSP locates
the domain name for the KDC server from the registry and then uses DNS to find out the IP address for the
system.
UDP and TCP Ports
When a client sends Kerberos messages to the KDC, it defaults to using User Datagram Protocol (UDP) port
88 as long as certain criteria are met. On an Ethernet network the Maximum Transmission Unit (MTU) that
can be carried is 1500 bytes. If the Kerberos message is smaller than 1472 bytes, Microsoft Kerberos uses
UDP as the transport mechanism. If the message is between 1473 bytes and 2000 bytes, IP fragments the
frame over UDP on port 88. If the Kerberos message is over 2000 bytes, it is sent by the Transmission
Control Protocol (TCP) on port 88. RFC 1510 states that UDP port 88 should be used for all Kerberos
messages, but since Microsoft Kerberos messages may very well be more than 2000 bytes, because user and
group SIDs are included, Microsoft also uses TCP port 88. A draft revision to RFC 1510 has been submitted
to the Internet Engineering Task Force (IETF) proposing the use of TCP port 88, but it has not been included
in the formal RFC yet. Interoperability should not be affected with other Kerberos realms; the
communications are between Windows 2000 computers only.
Authorization Data
Kerberos only verifies the identity of principals; it does authorize the resources they can use. A field is
available in Kerberos tickets for authorization data, but Kerberos does not control what information is placed
in the field or what should be done with the information.
KDC and Authorization Data
The authorization data field in a Microsoft Kerberos ticket contains a list of SIDs for the user, including
group SIDs. This information is retrieved by the KDC from the Active Directory and placed in the TGT
given to the client. When the client requests a session ticket (or service ticket, in Microsoft parlance), the
KDC copies the data from the authorization data field of the TGT over into the session ticket. The
authorization data is signed by the KDC before the data is stored in the session ticket so that the LSA can
detect whether the data has been modified. The LSA checks each session ticket to ensure that the signature is
valid.
Services and Authorization Data
An access token is created after the credentials in a session ticket have been verified by the network server on
which the service resides. The PAC is extracted from the session ticket and is used to construct an
impersonation token that is used to access the service on the server. The impersonation token is presented to
the service, and as long as the information in the PAC matches the data contained in the Access Control List
(ACL) for the service, access is granted.
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

 
 
 
 
  Home Contact Data Recovery Search Engine Web Design/Hosting Networks

Serving the Philadelphia area with the best in tech service and support. 		     
  Related Info:
-Webroot warns of fake Windows update scam (V3.co.uk via Yahoo! UK & Ireland News)
Security firm Webroot is warning internet users to be on the lookout for a malware attack masquerading as an official Windows update.
-Cybercrimals use fake Windows update to push bogus security software (Computer Weekly)
Cybercriminals are using a fake Windows Update installation dialogue box to sell a bogus security product called Anti-malware Defender security researchers have warned.
-Webroot warns of fake Windows update scam (vnunet.com)
David Neal V3.co.uk Thursday 11 March 2010 at 12:09:00 Convincing dialogue box likely to snare victims Security firm Webroot is warning internet users to be on the lookout for a malware attack masquerading as an official Windows update. The attack appears to relate to a number of out-of-band patches recently released by Microsoft. "The spy which serves as nothing more than a vehicle for a ...
-Windows 7 Service Pack 1 Rumors Fly (PC World via Yahoo! News)
Windows 7 has been officially available for less than five months. In that time it has established itself as the fastest-selling operating system in history--selling over 90 million copies. Despite that tremendous success Microsoft has to continue to update and evolve the platform which is why rumors and speculation are already beginning to mount regarding a Service Pack 1 (SP1) release.
-Microsoft fixes 8 flaws in Windows & Office (PC Advisor)
Software giant urges users to update now Microsoft has fixed eight flaws in Windows and Office but opted against patching one Windows component because it cannot be automatically updated.
-Move an ITunes Library From a Windows PC to a Mac (PC World)
As more people switch from Windows PCs to Macs they want to make sure they can move their digital lives from their old computers to their new ones.
-Microsoft may move up Windows 7 service pack release (TechWorld)
Rumours say SP1 might appear before the end of the year Even though Microsoft has dropped a plan to wait nearly two years after Windows 7's launch to issue a first service pack it won't deliver the update before the fourth quarter of this year a site that has accurately predicted past Windows timetables said today.
-Microsoft may move up Windows 7 service pack release (MalaysiaNews.net)
Even though Microsoft has dropped a plan to wait nearly two years after Windows 7's launch to issue a first service pack it won't deliver the update before the fourth quarter of this year a site tha...
-Report: Microsoft moves up Windows 7 SP1 release date (Network World)
Although Microsoft has dropped a plan to wait nearly two years after Windows 7's launch to issue a first service pack it won't deliver the update before late this year a site that has accurately predicted past Windows timetables said.
-Citrix tunes XenApp for Windows Server R2 (The Register)
App-V virtual embrace Citrix has unveiled XenApp 6 after re-architecting the product from the ground up to take full advantage of Microsoft's Windows Server 2008 R2.… Web threats: Why conventional protection doesn't work
Updated 662 minutes ago.

Tech Philly Custom Systems Data Recovery Emergency Service Maintenance Network Service Onsite Service Repair Security Software Spyware Upgrades Viruses Website Design Website Hosting Wireless Computer