- Are there any books about it? (about Kerberos in W2k, not about Kerberos
generally)
"Programming Windows Security" by Keith Brown, chapter 7 is on Network
Authentication. This chapter (pages 255-308) covers NTLM, Kerberos v5,
Microsoft's SSPI, and SPNEGO. Much more detailed information can be found on
MSDN, but this book provides a pretty good, broad summary of many topics.
- How to implement KDC (TGS) in W2k?
By definition, a Win2k Domain Controller is a KDC.
- How does KDC use Active Directory as a database?
A Win2k Domain Controller is both a KDC and an Active Directory server. AD
is the administrative interface to the KDC. E.g. all account creation and
modifications are made to AD, not through a separate protocol to the KDC.
- How to implement a Kerberos client (written in Java) in W2k?
In general, you should not program to a Kerberos API; instead, you should
write to the GSSAPI. Microsoft's Windows-specific equivalent is SSPI. Others
might recommend instead writing to SASL and then letting SASL negotiate to
GSSAPI. If you search on Google or other search engines for Java and GSSAPI
together you should find sufficient resources.
One problem is that your Java client will not likely use Kerberos for single
sign-on. A Java applet is not going to have access to the user's tickets
that were obtained when logging on to Win2k. You could probably modify CMU's
ms2mit.exe utility to copy the tgt from the native Microsoft cache to the
ticket cache used by a Java Kerberos/GSSAPI implementation and proceed from
there.
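As an added illustration of the "write to the GSSAPI, not a Kerberos API" advice above (example code, not from the original post), here is a Java client that logs in through JAAS and then authenticates to a service using the JDK's org.ietf.jgss API with the Kerberos mechanism selected by OID. It assumes a JAAS entry named "KerberosClient" backed by Krb5LoginModule that can obtain a TGT (from a credential cache it can read, or by prompting), a placeholder service host "server.example.com" registered as host/server.example.com in the realm, and a peer that exchanges length-prefixed GSS tokens on port 4444.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.net.Socket;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class GssKerberosClient {
    // Kerberos V5 mechanism OID (RFC 1964); selecting it by OID keeps the code off any Kerberos-specific API.
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server.example.com"; // placeholder service host
        int port = 4444;                                                 // placeholder port (assumed)
        // JAAS entry "KerberosClient" is assumed to be configured as, e.g.:
        //   KerberosClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
        LoginContext lc = new LoginContext("KerberosClient");
        lc.login(); // puts the TGT into the Subject (from the ticket cache or by password prompt)
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            // NT_HOSTBASED_SERVICE "host@fqdn" maps to the principal host/fqdn@REALM.
            GSSName target = mgr.createName("host@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, new Oid(KRB5_MECH_OID),
                    null /* default initiator credential taken from the Subject */, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true); // the server must prove its identity too
            ctx.requestInteg(true);      // allow integrity-protected wrap()/getMIC() afterwards
            try (Socket s = new Socket(host, port);
                 DataInputStream in = new DataInputStream(s.getInputStream());
                 DataOutputStream out = new DataOutputStream(s.getOutputStream())) {
                byte[] token = new byte[0];
                // Each initSecContext() consumes the peer's token and may emit one; with mutual auth
                // Kerberos emits the AP-REQ first and then consumes the server's AP-REP.
                while (!ctx.isEstablished()) {
                    token = ctx.initSecContext(token, 0, token.length);
                    if (token != null) {            // length-prefixed framing (assumed wire protocol)
                        out.writeInt(token.length);
                        out.write(token);
                    }
                    if (!ctx.isEstablished()) {
                        token = new byte[in.readInt()];
                        in.readFully(token);
                    }
                }
                System.out.println("Authenticated " + ctx.getSrcName() + " to " + ctx.getTargName()
                        + ", mutual=" + ctx.getMutualAuthState());
                ctx.dispose();
            }
            return null;
        });
    }
}
```

Run with the JAAS file passed as -Djava.security.auth.login.config=jaas.conf; because the GSS calls happen inside Subject.doAs, JGSS picks up the TGT from that Subject rather than from any native Windows cache, which is exactly the single sign-on gap the reply describes.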