Contact info for Tech Philly
Home  •  Contact  •  Services  •  Support

  login:        
  password:  
            Tech Solutions
     

PC Upgrades Upgrades
Data Recovery Data Recovery
Computer Repair, Maintenance, and update Maintenance
Security From Viruses, Hackers, and Spyware Security
Network Solutions Networks
Website Search Engine Optimization Google Rank Increase Websites
Computer Repair Philadelphia Gateway Compaq Custom Systems

  • Location Service
  • 24/7 Help
 
 

Philadelphia Computer Tech Support
 
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

logged on. Once the user logs off, the hashed password is discarded. The LSA keeps a copy of the hashed
password in case the TGT expires; it then gives the Kerberos SSP a method of obtaining another TGT
without prompting the user to input a password. This allows this task to be smoothly accomplished in the
background.
DNS Name Resolution
Microsoft Kerberos depends on the Domain Name System (DNS) to find an available KDC to send the initial
authentication request. All Windows 2000 domain controllers are KDCs, and the KDC is registered as
_kerberos._udp.nameofDNSdomain in the DNS service location record (SRV record). Clients can query for
this SRV record to locate the IP address for computers running the KDC service. A client that cannot find the
SRV record can query for a host record (A record), using the domain name.
If a Windows 2000 computer is a member of a different Kerberos realm (not a Windows 2000 domain) then
it cannot look for the SRV record. In this case, the name of the KDC server is stored in the registry of the
Windows 2000 computer. When the computer needs to locate the KDC, the Microsoft Kerberos SSP locates
the domain name for the KDC server from the registry and then uses DNS to find out the IP address for the
system.
UDP and TCP Ports
When a client sends Kerberos messages to the KDC, it defaults to using User Datagram Protocol (UDP) port
88 as long as certain criteria are met. On an Ethernet network the Maximum Transmission Unit (MTU) that
can be carried is 1500 bytes. If the Kerberos message is smaller than 1472 bytes, Microsoft Kerberos uses
UDP as the transport mechanism. If the message is between 1473 bytes and 2000 bytes, IP fragments the
frame over UDP on port 88. If the Kerberos message is over 2000 bytes, it is sent by the Transmission
Control Protocol (TCP) on port 88. RFC 1510 states that UDP port 88 should be used for all Kerberos
messages, but since Microsoft Kerberos messages may very well be more than 2000 bytes, because user and
group SIDs are included, Microsoft also uses TCP port 88. A draft revision to RFC 1510 has been submitted
to the Internet Engineering Task Force (IETF) proposing the use of TCP port 88, but it has not been included
in the formal RFC yet. Interoperability should not be affected with other Kerberos realms; the
communications are between Windows 2000 computers only.
Authorization Data
Kerberos only verifies the identity of principals; it does authorize the resources they can use. A field is
available in Kerberos tickets for authorization data, but Kerberos does not control what information is placed
in the field or what should be done with the information.
KDC and Authorization Data
The authorization data field in a Microsoft Kerberos ticket contains a list of SIDs for the user, including
group SIDs. This information is retrieved by the KDC from the Active Directory and placed in the TGT
given to the client. When the client requests a session ticket (or service ticket, in Microsoft parlance), the
KDC copies the data from the authorization data field of the TGT over into the session ticket. The
authorization data is signed by the KDC before the data is stored in the session ticket so that the LSA can
detect whether the data has been modified. The LSA checks each session ticket to ensure that the signature is
valid.
Services and Authorization Data
An access token is created after the credentials in a session ticket have been verified by the network server on
which the service resides. The PAC is extracted from the session ticket and is used to construct an
impersonation token that is used to access the service on the server. The impersonation token is presented to
the service, and as long as the information in the PAC matches the data contained in the Access Control List
(ACL) for the service, access is granted.
01 - 02 - 03 - 04 - 05 - 06 - 07 - 08 - 09 - 10 - 11 - 12 - 13 - 14 - 15 - 16 - 17 - 18 - 19 - 20 -

 
 
 
 
  Home Contact Data Recovery Search Engine Web Design/Hosting Networks

Serving the Philadelphia area with the best in tech service and support. 		     
  Related Info:
-Windows 'zero-day' flaw fixes released
G Data and Sophos launch temporary security patches to prevent criminals exploiting .LNK shortcut vulnerability Two software security companies today released temporary security patches for the Windows 'zero-day' vulnerability affecting all versions of the Microsoft operating system back to Windows 2000. The security flaw acknowledged by Microsoft can affect someone who simply opens a ...
-Microsoft: All Hotmail users could get update in a week
Microsoft on Tuesday said the "Wave 4" update to Hotmail has now been rolled out to 100 million users of the Windows Live e-mail service. "We expect to upgrade nearly all of our customers within the next week" Microsoft's Mike Schackwitz said in a blog post. Read about the new Hotmail features in my May report.
-Safari Extensions Now Available Through Browser Update [Safari
# safari Windows/Mac: Safari 5.0.1 is out and it's much more than just a bug fix. Installing the update activates Safari's new extensions platform which has roughly 100 extensions available through the Safari Extensions Gallery . More »
-CrossOver CrossOver Games 9.1 released
These utilities allow some Windows apps and games to run on a Mac without Windows itself. Major updates bring support for more apps and games as well as a core software update that includes more than 23000 changes.
-HP confirms Windows 7 and WebOS tablet plans
Hewlett-Packard will use Windows 7 in a tablet exclusively for enterprises while making a consumer-oriented unit based on WebOS Personal Systems Group executive Phil McKinney confirmed Wednesday at the annual AlwaysOn Stanford Summit.
-UPDATE: Gunman barricaded at Homestyle Inn in Manassas
It was not immediately clear if anyone had been injured but some windows were shot out at the Homestyle Inn at 9913 Cockrell Road said Manassas police spokesman William Goodman.
-Report Details Hottest IT Investments
Windows 7 desktop virtualization and unified computing lead the pack in Computer Economics' report. But investment in some other well-known technologies is stalled.
-How to run Windows and OS X on the same Mac
OS X or Windows? Run them both on the same machine without any trouble.
-UPDATE: Fontana man who died in police custody is identified
A man died in police custody after causing a disturbance in a neighborhood in the northwestern corner of Fontana in the early morning hours of July 26 according to the Fontana Police Department.
-Black Hat Conference Update: Expert Says Critical System Flaws are Dangerous
A Black Hat conference presenter on Wednesday said that security issues in critical infrastructures can affect almost every person. Post from: Daily Contributor Black Hat Conference Update: Expert Says Critical System Flaws are Dangerous
Updated 4 minutes ago.

Tech Philly Custom Systems Data Recovery Emergency Service Maintenance Network Service Onsite Service Repair Security Software Spyware Upgrades Viruses Website Design Website Hosting Wireless Computer