Kerberos authentication in Windows NT 5.0 domains

Abstract

Enterprise networks using Windows NT are growing in size and complexity. Windows NT 5.0 uses the Kerberos Version 5 authentication protocol and the Active Directory for network security in Windows NT domains. The Windows NT implementation of the Kerberos Version 5 protocol is based on RFC 1510, which has gone through a wide industry review and is well known in the security community [1]. Kerberos authentication provides many features that support performance and security objectives for Enterprise networks. Microsoft's implementation will support any RFC 1510-compliant clients, but will be required for full support of Windows NT networks because the Microsoft version includes permitted extensions to the standard. Windows NT 5.0 integrates the Kerberos protocol into the existing Windows NT distributed security model. Windows NT uses the extensibility features of the protocol, as have other security architectures, such as DCE and SESAME [2]. The Kerberos protocol is just one of the security protocols supported in Windows NT 5.0. Others include NTLM for backward compatibility, SSL and the IETF standard Transport Layer Security (TLS) for public-key authentication, Simple Protected Negotiation (SPNEGO) of security mechanisms, and IP security (IPsec) for network layer security using either shared-key or public-key authentication.