I think T�ns hit it pretty dead on. The main differences with MS-Kerberos have to do with the PAC, which is essentially a "ticket" to access resources.

In a Windows NT 4.0 domain, for example, you authenticate to the PDC/BDC and then try to access a resource. Once you request a resource, the server providing the resource will ask the PDC/BDC for verification of your authentication credentials. This creates redundant traffic and exposes many security holes. In this scenario, you are giving your username and password to the server. This is inherently unsafe: the server could be "masquerading" on the network just to record your credentials.

Instead of doing this, Kerberos tickets are like passes. At a concert, you may have a pass that allows you to go backstage, and you just need to flash your pass rather than having everything looked up.

Without other measures, each still suffers from a big security hole. Even with encrypted authentication methods, you do not need the password: you could record the protocol in operation and then "replay" it to gain access to resources. The PAC is time based. It takes the current timestamp and uses it in the encryption process. It is only valid for a certain period of time and is discarded from that point on.

So, the main benefits of Kerberos are reduced traffic and better security. I hope this helps, and I hope I was clear enough.
Dustin
Network+, MCP(x3)

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
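The replay problem raised in the post above is what Kerberos addresses with a timestamped, key-protected authenticator checked against a clock-skew window and a server-side replay cache. The following is an added illustration, not code from the post or from any Kerberos implementation: the message format, the HMAC in place of the real Kerberos checksum, and the sample key and principal name are all constructed for the example.

```python
import hmac
import hashlib
import json

CLOCK_SKEW = 300  # seconds; Kerberos implementations commonly allow 5 minutes


def _mac(session_key: bytes, body: dict) -> str:
    # Constructed stand-in for the Kerberos checksum over the authenticator.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(session_key, data, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, client: str, ctime: int, cusec: int) -> dict:
    """Simplified authenticator: client name plus timestamp, integrity-protected
    with the session key so neither field can be altered in transit."""
    body = {"client": client, "ctime": ctime, "cusec": cusec}
    return {"body": body, "mac": _mac(session_key, body)}


class ReplayCache:
    """Server-side record of authenticators already accepted within the skew window."""

    def __init__(self, skew: int = CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # (client, ctime, cusec) -> server time when first accepted

    def verify(self, session_key: bytes, auth: dict, now: int) -> str:
        body = auth["body"]
        # 1. Integrity: a recorded message with an edited timestamp fails here.
        if not hmac.compare_digest(_mac(session_key, body), auth["mac"]):
            return "bad-mac"
        # 2. Freshness: reject anything outside the allowed clock skew.
        if abs(now - body["ctime"]) > self.skew:
            return "skew"
        # 3. Drop cache entries that the skew check alone would now reject.
        for key in [k for k in self.seen if now - k[1] > self.skew]:
            del self.seen[key]
        # 4. Replay: a verbatim re-send of a fresh authenticator is still refused.
        key = (body["client"], body["ctime"], body["cusec"])
        if key in self.seen:
            return "replay"
        self.seen[key] = now
        return "ok"
```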
