1

I've got a nice O'Reilly book on Kerberos from our library, but it was last updated in 2003. I'm pretty sure there have been changes and improvements since then, especially with AD 2008. Are there newer books on Kerberos?

HopelessN00b
jldugger
  • `changes and improvements since then` - not really, actually. – Shane Madden Jul 29 '11 at 18:26
  • I'm with Shane - pretty certain that the Kerb portions of AD haven't (and won't) change much - nor the LDAP portion. The schema, the replication, the defaults, the things that GPOs can do - those will change with every release and service pack. But the underlying comms protocols don't need a lot of fiddling-about-with. – mfinni Jul 29 '11 at 18:28

2 Answers

3

Couple seconds on Google after I left my comment above: http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx

Microsoft's implementation of the Kerberos authentication protocol in Windows Vista and Windows Server 2008 includes the following features:

AES support

Improved security for Kerberos Key Distribution Centers (KDCs) located on branch office domain controllers

So, in other words, not much. Couple of differences in some implementation details, but Kerberos is still Kerberos, and will continue to be.

mfinni
  • Actually, AES is pretty important to know about for my purposes. That is a surprisingly short list though. – jldugger Jul 29 '11 at 18:34
  • Sure, it could be important - but it's a change in the way MS implements their encryption of TGT and GSS messages - it's not an actual change to Kerberos, as such. – mfinni Jul 29 '11 at 19:14
1

Just to add to the knowledge pool, there are some changes of default behaviour, such as DES support not being on in Windows Server 2008 R2 onwards. See http://technet.microsoft.com/en-us/library/dd560670%28WS.10%29.aspx

The answers here will really depend on people's definition of "changes and enhancements". But books-wise I use the old O'Reilly Kerberos book and look up details on 3rd party implementations on the net as applicable (e.g. Linux vendors for details on setting up a KDC etc). Use your favorite search engine or vendor support pages depending on the Kerberos implementation if it's not AD.

Would this video be something you'd find useful? http://channel9.msdn.com/Blogs/Darryl/Active-Directory-System-and-Security-Changes-in-Windows-2008-R2 Doesn't focus exclusively on Kerberos but does include the detail.

maweeras