Contact info for Tech Philly

logged on. Once the user logs off, the hashed password is discarded. The LSA keeps a copy of the hashed
password in case the TGT expires; it then gives the Kerberos SSP a method of obtaining another TGT
without prompting the user to input a password. This allows this task to be smoothly accomplished in the
background.
DNS Name Resolution
Microsoft Kerberos depends on the Domain Name System (DNS) to find an available KDC to which it can send the
initial authentication request. All Windows 2000 domain controllers are KDCs, and the KDC is registered as
_kerberos._udp.nameofDNSdomain in the DNS service location record (SRV record). Clients can query for
this SRV record to locate the IP address for computers running the KDC service. A client that cannot find the
SRV record can query for a host record (A record), using the domain name.
If a Windows 2000 computer is a member of a different Kerberos realm (not a Windows 2000 domain) then
it cannot look for the SRV record. In this case, the name of the KDC server is stored in the registry of the
Windows 2000 computer. When the computer needs to locate the KDC, the Microsoft Kerberos SSP locates
the domain name for the KDC server from the registry and then uses DNS to find out the IP address for the
system.
UDP and TCP Ports
When a client sends Kerberos messages to the KDC, it defaults to using User Datagram Protocol (UDP) port
88 as long as certain criteria are met. On an Ethernet network the Maximum Transmission Unit (MTU) that
can be carried is 1500 bytes. If the Kerberos message is smaller than 1472 bytes, Microsoft Kerberos uses
UDP as the transport mechanism. If the message is between 1473 bytes and 2000 bytes, IP fragments the
frame over UDP on port 88. If the Kerberos message is over 2000 bytes, it is sent by the Transmission
Control Protocol (TCP) on port 88. RFC 1510 states that UDP port 88 should be used for all Kerberos
messages, but because Microsoft Kerberos messages carry user and group SIDs and may well exceed 2000
bytes, Microsoft also uses TCP port 88. A draft revision to RFC 1510 has been submitted
to the Internet Engineering Task Force (IETF) proposing the use of TCP port 88, but it has not been included
in the formal RFC yet. Interoperability should not be affected with other Kerberos realms; the
communications are between Windows 2000 computers only.
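As an added example (not code from the original paper or from Microsoft), the following Python puts the KDC lookup order from the DNS Name Resolution section next to the size-based transport choice from this section. The realm names, host names and addresses are constructed for the demonstration, and the resolver is a plain table lookup standing in for real DNS.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
KERBEROS_PORT = 88
UDP_MAX = 1472        # fits a 1500-byte Ethernet frame: sent as one UDP datagram
FRAGMENT_MAX = 2000   # up to here IP fragments the datagram over UDP; above it, TCP

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def locate_kdc(realm: str, resolve, registry_kdc: Optional[str] = None) -> Tuple[str, str, int]:
    """(host, address, port) of the KDC for realm; resolve(qname, qtype) returns [] if absent."""
    if registry_kdc is not None:
        host, port = registry_kdc, KERBEROS_PORT   # non-Windows realm: name comes from the registry
    else:
        srv = resolve(f"_kerberos._udp.{realm}", "SRV")
        if srv:
            # lowest priority wins; among equals, prefer the higher weight
            best = min(srv, key=lambda r: (r.priority, -r.weight))
            host, port = best.target, best.port
        else:
            host, port = realm, KERBEROS_PORT   # no SRV record: use the domain's host record
    addrs = resolve(host, "A")   # SRV/registry yield a name; DNS still supplies the address
    if not addrs:
        raise LookupError(f"no address for KDC {host!r} in realm {realm!r}")
    return host, addrs[0], port

def choose_transport(message_len: int) -> str:
    """Transport the client picks for a Kerberos message of message_len bytes."""
    if message_len <= UDP_MAX:
        return "udp"
    if message_len <= FRAGMENT_MAX:
        return "udp-fragmented"   # still UDP port 88, but carried in several IP fragments
    return "tcp"                  # large tickets (user and group SIDs) go over TCP port 88

# Constructed DNS data for the demonstration; names and addresses are made up.
CONSTRUCTED_DNS = {
    ("_kerberos._udp.corp.example", "SRV"): [SrvRecord(10, 100, 88, "dc2.corp.example"),
                                             SrvRecord(0, 100, 88, "dc1.corp.example")],
    ("dc1.corp.example", "A"): ["192.0.2.10"],
    ("dc2.corp.example", "A"): ["192.0.2.11"],
    ("legacy.example", "A"): ["192.0.2.50"],           # domain with no SRV record
    ("kdc.unixrealm.example", "A"): ["198.51.100.5"],  # KDC named in the registry
}
def table_resolver(qname: str, qtype: str) -> List:
    return CONSTRUCTED_DNS.get((qname, qtype), [])
```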
Authorization Data
Kerberos only verifies the identity of principals; it does not authorize the resources they can use. A field is
available in Kerberos tickets for authorization data, but Kerberos does not control what information is placed
in the field or what should be done with the information.
KDC and Authorization Data
The authorization data field in a Microsoft Kerberos ticket contains a list of SIDs for the user, including
group SIDs. This information is retrieved by the KDC from the Active Directory and placed in the TGT
given to the client. When the client requests a session ticket (or service ticket, in Microsoft parlance), the
KDC copies the data from the authorization data field of the TGT over into the session ticket. The
authorization data is signed by the KDC before the data is stored in the session ticket so that the LSA can
detect whether the data has been modified. The LSA checks each session ticket to ensure that the signature is
valid.
Services and Authorization Data
An access token is created after the credentials in a session ticket have been verified by the network server on
which the service resides. The PAC is extracted from the session ticket and is used to construct an
impersonation token that is used to access the service on the server. The impersonation token is presented to
the service, and as long as the information in the PAC matches the data contained in the Access Control List
(ACL) for the service, access is granted.