Highest Voted 'kerberos' Questions - IT Security Stack Exchange

37

votes

5 answers

Why do I need Kerberos when I could just use a username and password to access services?

I have read that Kerberos is used for authenticating users who wish to access services on various servers in an enterprise network, but I still do not understand the purpose of Kerberos. Why doesn't the system admin just create a user account for…

asked Jul 20 '16 at 19:17

Minaj

1,536
2
14
23

28

votes

2 answers

Kerberos vs. LDAP for authentication -- which one is more secure

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment? And Can we switch between them transparently?

authentication kerberos ldap

asked Jan 02 '16 at 16:52

Ijaz Ahmad

1,592
1
11
20

16

votes

2 answers

Kerberos authentication over the public internet

What are the threats to having the KDC accessible via the internet for remote clients? It's my understanding that the authentication is a challenge/response protocol and that the password is never transmitted. Are brute force attacks the reason…

authentication firewalls kerberos

asked Sep 05 '13 at 01:20

Richard Salts

363
1
2
11

15

votes

2 answers

Does the Kerberos KDC know the users' plaintext passwords?

In http://www.freebsd.org/doc/handbook/kerberos5.html section 15.7.8.3 “The KDC is a Single Point of Failure” you can read: By design, the KDC must be as secure as the master password database is contained on it. The KDC should have absolutely no…

passwords kerberos

asked Jun 08 '12 at 21:29

mgd

555
2
5
9

13

votes

1 answer

SAML and kerberos what to use where

I came across SAML and kerberos, both are used to establish identity using assertions (tickets) so is there an overlap in their use ? Can somebody highlight their differences and point which technology is a better fit where. thanks update to add…

authentication kerberos saml

asked Feb 11 '14 at 18:07

mzzzzb

269
1
2
6

12

votes

1 answer

Are there any reasons for Kerberos being based on symmetric cryptography?

Kerberos is an authentication protocol that is famously built using only symmetric ciphers. As a direct result of this, there are several attacks possible, such as AS-REP Roasting AS-REQ Roasting Kerberoasting Silver Tickets Golden Tickets While…

kerberos

asked Mar 13 '20 at 12:06

user163495

9

votes

2 answers

Preventing LSASS from storing clear-text passwords in Kerberos environment

It is a well known security risk that LSASS stores clear-text passwords if a user has performed a keyboard-interactive logon on a machine - be it local login to his/her workstation or using RDP to a remote workstation. There is also a classic fix to…

authentication windows rdp kerberos

asked Jul 10 '13 at 09:03

Konrads

589
1
5
15

9

votes

2 answers

What's the difference between Radius and Kerberos?

Is Radius just a better version of Kerberos? I can't find anything about this. If you set up a Radius server in a modern network do you need Kerberos at all?

kerberos radius

asked May 24 '16 at 17:02

User104163

409
2
6
11

8

votes

1 answer

Kerberos Attacks Questions

It's amazing how many "Attacks on Kerberos" articles exist out there and almost none really explains the small details. My guess is that usually they assume it's basic knowledge and sometimes, they just don't know enough. Anyway, here are the…

passwords windows attacks password-cracking kerberos

asked Dec 24 '18 at 15:12

Trigosin Darom

81
1

7

votes

1 answer

Relative merits of Heimdal and MIT Kerberos?

What are the relative advantages of Heimdal and MIT Kerberos now MIT is freely exportable? Ones I've come across so far that might be relevant to my particular project is that it seems MIT supports constrained delegation in the GSS-API layer and…

kerberos gssapi

asked Aug 16 '13 at 13:42

armb

622
4
9

7

votes

2 answers

Implications of having a service account in AD use RC4 rather than AES for Kerberos?

Bear with me, I know this is sloppy, but here is the back story: We have a partner that uses Jira and is using spnego with a custom auth back-end that expects certain group membership in the token. Assuming the presented token meets the…

aes active-directory kerberos rc4

asked Jan 17 '13 at 02:36

MDMarra

325
3
13

7

votes

1 answer

Connecting via SPNEGO/Kerberos out from domain

Is it possible to authenticate to SPNEGO/Kerberos server in domain A with an account from the same domain (obviously) when the client is connecting from computer in one of the following (quite similar) situations: client is authenticated to domain…

authentication kerberos

asked Oct 23 '15 at 12:09

Pavel Horal

171
6

7

votes

2 answers

Kerberos - what can an attacker achieve from a replay attack?

On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the server can verify a message is fresh, and that…

kerberos

asked Dec 27 '11 at 14:14

hmmm...

6

votes

3 answers

Is SESAME really used in Europe?

I am looking at a text that mentions that the Secure European System for Applications in a Multi-vendor Environment (SESAME) was designed to address some of Kerberos weakness, with enhancements such as: Use of asymmetric cryptography Distributed…

access-control kerberos cissp

asked Apr 28 '14 at 01:55

ixe013

1,912
15
20

6

votes

2 answers

Can a Kerberos application server offer to proxy connections to the KDC?

As I understand it, when a client wants to authenticate to an application server using Kerberos it must first request a service ticket from the KDC (and possibly a ticket-granting-ticket if it does not already have one). For scenarios where the…

kerberos

asked Feb 01 '21 at 19:24

9072997

233
1
8

Questions tagged [kerberos]