Kerberos Security

So far this chapter has covered the basics of AD DS security without discussing the mechanism that actually implements it. The primary authentication protocol in AD DS is Kerberos, originally developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena in the 1980s. The current version is Kerberos version 5 (Kerberos 5). It was first specified in RFC 1510, “The Kerberos Network Authentication Service (V5)”; that document has since been obsoleted by RFC 4120, which carries the same title and is the specification to consult today. The Windows Server 2008 implementation follows the Kerberos 5 standard and adds extensions, notably public key authentication during initial logon (PKINIT, RFC 4556), which is what smart card logon uses.

Kerberos is the default authentication protocol for Windows 2000 and Windows Server 2003 Active Directory and for Windows Server 2008 AD DS. When a Windows 2000 or later client authenticates to Active Directory or AD DS, it attempts Kerberos first. The other protocol that can be used to authenticate to AD DS is NTLM, supported primarily for backward compatibility with older clients. Kerberos is not used unconditionally, however: on this generation of Windows the client silently falls back to NTLM when it cannot obtain a service ticket, for example when the target is addressed by IP address rather than by name (so no service principal name can be built), when the SPN is missing or registered on the wrong account, when the server is not domain-joined, or when no domain controller is reachable. Kerberos has a number of advantages over NTLM:
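Because the fallback to NTLM is silent, the practical check is to look at what the Security log says was actually used. The following PowerShell is an added example, not code from the book: it reads recent logon events (Event ID 4624) on the local host, extracts the Authentication Package field (Kerberos, NTLM or Negotiate), and lists the network and remote-interactive logons that ended up on NTLM. It assumes an elevated session on a domain-joined Windows host with read access to the Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original text): summarise which authentication
# package backed recent logons on this host, using Security Event ID 4624.
# Assumption: run elevated on a domain-joined host; adjust the time window as needed.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$rows = foreach ($e in $events) {
    # Each 4624 carries its fields as <Data Name="...">value</Data> elements.
    $xml = [xml]$e.ToXml()
    $d   = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType                  # 3 = network, 10 = RemoteInteractive
        AuthPackage = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
        LmPackage   = $d.LmPackageName               # NTLM V1 / NTLM V2 when NTLM was used
        Source      = $d.IpAddress
        Workstation = $d.WorkstationName
    }
}

# Overall split: on a healthy domain the bulk of entries should be Kerberos.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Network / remote logons that fell back to NTLM. A client that reached this host
# by IP address, or a server with no matching SPN, shows up here rather than as Kerberos.
$rows |
    Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -in '3','10' } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, LmPackage, Source, Workstation -AutoSize
```

A recurring NTLM entry for a service account is usually a missing or misplaced SPN rather than an old client; fix the SPN and the same logons move to Kerberos without any client change. The LmPackage column also shows whether the fallback landed on NTLMv1, which is worth treating as a finding in its own right.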
