
I'm aware that Kerberos can use PKI, PKI provides encryption and authentication, Kerberos is designed more for authentication than encryption, Microsoft implements the Kerberos KDC by "using Active Directory as its account database," and that Active Directory allows you to use certificates instead of passwords. So if you're using X.500 directories and PKI, why use Kerberos? Couldn't you keep X.500 for non-Kerberos tasks (e.g., group membership lookups with memberOf) and replace Kerberos with PKI?

mellow-yellow
  • X.500 is only the directory part; it does not regulate how one system can log in to another. – eckes Nov 19 '17 at 07:53
  • Kerberos is more extendable than PKI. For example, AD is extended to support smartcard logon. Also Microsoft's Kerberos implementation (i.e. AD) not only does authentication, but also (at least part of) authorisation (token info in TGT). – strongline Nov 20 '17 at 02:40

2 Answers


Traditionally, Identity Management in industrial environments is based on the Directory Services (DS) X.500 standard. DS provides a hierarchical catalog of different types of security principals: users, groups, computers, servers and other entities inside the network, as you know. Windows Active Directory (AD) implements DS, PKI and other systems as a single infrastructure. AD uses the Kerberos protocol to control authentication and access inside the network perimeter, between entities such as users and computers, by the Single Sign On principle. SSO in AD means that once the principal gets authenticated, it uses a special Ticket to access a service multiple times or multiple services. The PKINIT extension was developed to link Kerberos and PKI within the AD infrastructure. PKINIT was primarily designed to allow users to use a smart card as a login method in AD. But other entities in AD do not use certificates to authenticate with Kerberos, AFAIK.

You cannot replace Kerberos with just PKI because Kerberos was designed as an SSO authentication protocol between all types of principals, not just users. PKI was not designed for that. PKI is more for trust, integrity and document signatures.

AleSil
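The ticket-based SSO flow the answer above describes, as an added worked example that is not part of the original answer: a toy Kerberos-style exchange (AS-REQ/REP, TGS-REQ/REP, AP-REQ) in which every principal, including the file and mail services, shares a long-term symmetric key with the KDC. The principal names (`alice`, `cifs/files`, `imap/mail`), the keys and the lifetimes are constructed for the demo, and the SHA-256 keystream plus HMAC stand in for Kerberos' real AES encryption types so that the script runs on the standard library alone.

```python
"""Toy Kerberos-style SSO exchange: AS-REQ/REP, TGS-REQ/REP, AP-REQ.

Constructed illustration, not a real Kerberos implementation. Confidentiality
uses a SHA-256 keystream and integrity an HMAC, standing in for the AES-based
encryption types of real Kerberos so that only the standard library is needed.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under a symmetric key (toy EncryptedData)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC first: a wrong key or a tampered ticket is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """AS + TGS. `keys` maps principal name -> long-term key (AD keeps these)."""
    def __init__(self, keys: dict, lifetime: int = 600):
        self.keys, self.lifetime = dict(keys), lifetime
        self.krbtgt_key = os.urandom(32)  # only the KDC itself can read TGTs

    def as_exchange(self, user: str) -> tuple:
        """AS-REP: a TGT plus the TGT session key sealed under the user's key."""
        sk, exp = os.urandom(32).hex(), time.time() + self.lifetime
        tgt = seal(self.krbtgt_key, {"user": user, "key": sk, "exp": exp})
        return tgt, seal(self.keys[user], {"key": sk, "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS-REP: validate the TGT, then issue a ticket sealed under the service's key."""
        body = unseal(self.krbtgt_key, tgt)
        if body["exp"] < time.time():
            raise ValueError("TGT expired")
        tgt_sk = bytes.fromhex(body["key"])
        if unseal(tgt_sk, authenticator)["user"] != body["user"]:
            raise ValueError("authenticator does not match TGT")
        sk, exp = os.urandom(32).hex(), time.time() + self.lifetime
        ticket = seal(self.keys[service], {"user": body["user"], "key": sk, "exp": exp})
        return ticket, seal(tgt_sk, {"key": sk, "service": service})


class Service:
    """A Kerberized server: it needs only its own key, never the user's."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """AP-REQ: decrypt the ticket, check the authenticator, return the user."""
        body = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        if body["exp"] < time.time() or abs(auth["ts"] - time.time()) > 300:
            raise ValueError("ticket expired or clock skew too large")
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match ticket")
        return body["user"]


class Client:
    def __init__(self, user: str, user_key: bytes, kdc: KDC):
        self.user, self.user_key, self.kdc = user, user_key, kdc

    def login(self) -> None:
        """The long-term (password-derived) key is used exactly once, here."""
        self.tgt, rep = self.kdc.as_exchange(self.user)
        self.tgt_sk = bytes.fromhex(unseal(self.user_key, rep)["key"])

    def access(self, service: Service) -> str:
        """SSO: reuse the TGT for each new service; the password is not involved."""
        auth = seal(self.tgt_sk, {"user": self.user, "ts": time.time()})
        ticket, rep = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        svc_sk = bytes.fromhex(unseal(self.tgt_sk, rep)["key"])
        return service.accept(ticket, seal(svc_sk, {"user": self.user, "ts": time.time()}))


def run_demo() -> dict:
    """One login, two services, plus a ticket forged without the KDC's key."""
    keys = {"alice": os.urandom(32), "cifs/files": os.urandom(32), "imap/mail": os.urandom(32)}
    kdc = KDC(keys)
    files = Service("cifs/files", keys["cifs/files"])
    mail = Service("imap/mail", keys["imap/mail"])
    alice = Client("alice", keys["alice"], kdc)
    alice.login()
    result = {"files": alice.access(files), "mail": alice.access(mail)}
    forged = seal(os.urandom(32), {"user": "alice", "key": "00" * 32, "exp": time.time() + 600})
    try:
        files.accept(forged, b"")
        result["forged_rejected"] = False
    except ValueError:
        result["forged_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

Two properties of the flow are the ones the answer relies on: the user's long-term key is touched only in the AS exchange, after which the TGT alone buys tickets for any number of services, and each service validates a ticket with nothing but its own key, which is why machine and service accounts fit the model as naturally as users do. The forged ticket fails the MAC check because no party other than the KDC holds the service's key.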

Kerberos: The Network Authentication Protocol

The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.

AD DS offers other services as alternatives to Kerberos. LDAP auth is common, and you mentioned X.509 certificates.

John Mahowald