
There are 3 things that I don't fully understand about Kerberos.

  1. Let's say that we are adding a new server to an AD domain. The KDC creates a shared secret for this server; how is this key sent securely to the server?

  2. There is a user who is a member of an AD domain. The user has his secret key (password) and he is changing it; how is it securely passed to the KDC to update its database?

  3. Since each DC can (or maybe must) have KDC, is the KDC database replicated between each DC? If yes, how is this secured?

joeqwerty

1 Answer


Each principal in AD (user, machine, service, trust object) has a password, and each of those objects has a few different hash types of this password (MD4, AES, DES, etc.). The hashed value is used as a symmetric key for authentication. Authentication generally produces a session key for transport encryption.

So...

  1. When joining the device to the domain, another account is used to set up a secure channel. That secure channel lets the device submit its own device password. The device then periodically changes its password when the KDC asks it to (via expiration window).
  2. The user is authenticated normally, which produces a session key. This session key encrypts the change password request, which contains the cleartext password. The KDC can decrypt the request because it knows the session key, and attempts the password change, generating the various hashes for the account.
  3. Generally yes, all data is synchronized, but in some cases such as read-only DCs only a subset of the data is synchronized. This is primarily just a function of database replication. Each DC has its machine secret, and authenticates to its peer DC. The authentication produces a session key, which is used to protect the replication traffic.
Steve