I thought that Micro$oft Kerberos is included in Win2000 and above. It may be a downloadable package, I'm not sure, I've not had to install it. MIT Kerberos is an add-on that does not ship as part of the stock OS. I just saw a note that MIT Kerberos ships with NetBSD if I'm not mistaken.

Not sure about the interoperability first hand, but in theory they should be compatible (with a little work) as they should conform to standard RFC 1510. In the UNIX world, there is SEAM (Solaris Enterprise authentication manager) on Solaris and DCE (Distributed Computing Environment) for IBM; Linux installations use MIT. I've tested these installations with gssapi and for the most part they are compatible. It is interesting to note that IBM does not license their Kerberos solution directly; it is licensed as part of DCE.

Here is a discussion about Kerberos Components in Win2000:

from http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dscd_aun_ctig.htm

Kerberos Components in Windows 2000

Windows 2000 implements the KDC as a domain service. It uses Active Directory as its account database and gets additional information about security principals from the Global Catalog. As in other implementations of the Kerberos protocol, the KDC is a single process that provides two services.

Authentication Service

The authentication service issues TGTs that are good for admission to the ticket-granting service in its domain. Before network clients can get tickets for services, they must obtain a TGT from the authentication service in the user's account domain.

Ticket-Granting Service

The ticket-granting service issues tickets that are good for admission to other services in its own domain or for admission to the ticket-granting service of a trusted domain. When clients want access to a service, they must contact the ticket-granting service in the service's account domain, present a TGT, and ask for a session ticket. If the client does not have a TGT for admission to the ticket-granting service in the other domain, it must obtain one through the referral process that begins at the ticket-granting service in the user's account domain and ends at the ticket-granting service in the service's account domain.

The KDC is located on every domain controller, as is the Active Directory service. Both services are started automatically by the domain controller's Local Security Authority (LSA) and run in the process space of the LSA. Neither service can be stopped. Windows 2000 ensures availability of these services by allowing each domain to have several domain controllers, all peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.

The security principal name used by the KDC in all Windows 2000 domains is krbtgt, as specified by RFC 1510.
An account for this security principal is created automatically when a new Windows 2000 domain is created. The account cannot be deleted, nor can the account name be changed. A password is assigned to the KDC's account automatically; this password, like the passwords assigned to domain trust accounts, is changed on a regular schedule. The password for the KDC's account is used to derive a secret key for encrypting and decrypting the TGTs that the KDC issues. The password for a domain trust account is used to derive a Kerberos inter-realm key for encrypting and decrypting referral tickets.

All instances of the KDC in a domain use the domain account for the security principal krbtgt. Clients address messages to a domain's KDC by including both the service's principal name (krbtgt) and the name of the domain. Both items of information are also used in tickets to identify the issuing authority.

© 1985-2001 Microsoft Corporation. All rights reserved.

Thanks,
jonw

Klingon wrote:

> But as I understand it is not standard on any of these operating systems.
> Let's say if I install win xp on my pc I won't have kerberos on it? If I want
> kerberos I need to install it apart from windows? Is this correct?
>
> "Jonathan Wackley" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Klingon wrote:
> >
> > > Hi
> > >
> > > I am very new to the kerberos subject. I was wondering where it is used. Is
> > > it used in any of our standard windows operating systems like
> > > 95,98,nt,me,2000,mx,xp? Or is it maybe standard in any linux platforms
> > > (which?)? If this isn't. Which people or organizations are glad to use it
> > > for all safety kinds (maybe nasa?,..... I really don't know actually)?
> > >
> > > These are a lot of questions at once, but can someone please explain me some.
> > >
> > > Thx
> > >
> > > ________________________________________________
> > > Kerberos mailing list [EMAIL PROTECTED]
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > I started with kerberos in January. The system as I understand it works on
> > most flavours of Windows, unix (including Linux) and Macintosh. The intro page
> > for KfW (Kerberos for Windows) is located at:
> >
> > http://web.mit.edu/is/help/kfw/
> >
> > An introduction to kerberos in general can be found at:
> >
> > http://web.mit.edu/kerberos/www/
> >
> > In a nutshell, Kerberos is used as a replacement for standard authentication.
> > The standard authentication mechanisms generally suffer from defects that can
> > be exploited (Read: Hacked) to gain unauthorized access to an otherwise secure
> > system. Simply, it is a mechanism to have stronger security on machines where
> > the old password related programs are not enough.
> >
> > jonw
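
Added example (not part of the original thread or of the quoted Microsoft text): a small Python model of the key usage described in the excerpt above, where the krbtgt password yields the key that seals TGTs, a domain trust password yields the inter-realm key that seals referral tickets, and the referral process ends at the TGS in the service's domain. Assumptions: domain names, passwords and the "fileserver" service are constructed; PBKDF2 and an HMAC seal stand in for the real Kerberos string-to-key and ticket encryption, and session keys, authenticators and lifetimes are left out.

```python
import hashlib, hmac, json

def derive_key(password, salt):
    # Stand-in for Kerberos string-to-key (assumption: PBKDF2, not the real algorithm).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, claims):
    # Real tickets are encrypted; this model only authenticates them with an HMAC.
    body = json.dumps(claims, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(key, ticket):
    mac = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        raise PermissionError("ticket was not sealed with this key")
    return json.loads(ticket["body"])

class KDC:
    def __init__(self, domain, krbtgt_password):
        self.domain = domain
        self.krbtgt_key = derive_key(krbtgt_password, "krbtgt/" + domain)
        self.trust_keys = {}     # trusted domain -> inter-realm key
        self.service_keys = {}   # service name -> service key

    def authentication_service(self, user):
        # Issues a TGT good only for this domain's ticket-granting service.
        # (Verification of the user's own password is omitted from this model.)
        claims = {"client": user, "issuer": self.domain, "for": "krbtgt/" + self.domain}
        return seal(self.krbtgt_key, claims)

    def ticket_granting_service(self, tgt, service, service_domain):
        issuer = json.loads(tgt["body"])["issuer"]   # untrusted until the MAC verifies
        key = self.krbtgt_key if issuer == self.domain else self.trust_keys.get(issuer)
        if key is None:
            raise PermissionError("no trust with " + issuer)
        claims = unseal(key, tgt)
        if claims["for"] != "krbtgt/" + self.domain:
            raise PermissionError("ticket is for another ticket-granting service")
        new = {"client": claims["client"], "issuer": self.domain}
        if service_domain == self.domain:            # session ticket for a local service
            return seal(self.service_keys[service], {**new, "for": service})
        # Referral ticket for the trusted domain's TGS, sealed with the inter-realm key.
        return seal(self.trust_keys[service_domain], {**new, "for": "krbtgt/" + service_domain})

def establish_trust(a, b, trust_password):
    a.trust_keys[b.domain] = b.trust_keys[a.domain] = derive_key(trust_password, a.domain + b.domain)

def demo():
    west, east = KDC("WEST.EXAMPLE", "constructed-pw-1"), KDC("EAST.EXAMPLE", "constructed-pw-2")
    establish_trust(west, east, "constructed-trust-pw")
    east.service_keys["fileserver"] = derive_key("constructed-svc-pw", "fileserver")
    tgt = west.authentication_service("alice")
    referral = west.ticket_granting_service(tgt, "fileserver", "EAST.EXAMPLE")
    session = east.ticket_granting_service(referral, "fileserver", "EAST.EXAMPLE")
    return west, east, tgt, referral, session
```

In this model the TGT from the user's account domain is rejected if presented directly to the other domain's ticket-granting service, because that KDC holds only its own krbtgt key and the inter-realm key.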
