Windows NT uses a proprietary authentication scheme, NT LAN Manager (NTLM) Challenge-Response. With the introduction of Windows 2000, Microsoft changed the default authentication to their version of Kerberos, a public domain authentication scheme developed at MIT (Massachusetts Institute of Technology) as part of Project Athena.
Windows 2000 uses Version 5 of Kerberos as defined by RFC 1510. To be standard, Kerberos implementations use the API library described in RFC 1964, the Kerberos Version 5 Generic Security Service Application Programming Interface (GSS-API) Mechanism. Microsoft chose not to use the GSS-API directly; instead, Windows 2000 uses a similar set of functions of Microsoft's own design.
Windows 2000 supports both Kerberos and NTLM for authentication. Legacy, legacy, legacy support - the key to Microsoft's security problems. Because the authentication mechanism is designed to be as transparent as possible, it isn't obvious to the user whether Kerberos or NTLM was used. In general, Windows 2000 uses Kerberos in the following circumstances:
- Authenticating users logging on to Windows 2000 domain controllers
- Authenticating users logging on to Windows 2000 servers and workstations that are members of a Windows 2000 domain
- Authenticating users logging on to standalone Windows 2000 servers and workstations
- Authenticating users accessing a Windows 2000 server or workstation from a Win9x client or NT client configured with the Active Directory add-on
NTLM authentication is used in the following instances:
- Authenticating users logging on to Windows 2000 servers and workstations that are members of an NT domain (or accessing an NT domain from a Windows 2000 domain via a trust relationship)
- Authenticating users accessing a Windows 2000 server or workstation from an NT server or workstation
- Authenticating users accessing a Windows 2000 server from a standard Windows 9x, Win 3.1x client, or OS/2 client
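Since the choice between Kerberos and NTLM is transparent to the user, the place a defender can see which one was actually used is the logon audit trail, which records the authentication package for each logon. The following Python is an added example, not part of the original page: it parses a constructed, simplified rendering of such audit events (the "Key: value; Key: value" layout and field names such as "Authentication Package" are assumptions for the example, not the exact Windows event format), tallies logons per package, and lists the NTLM logons so the legacy paths enumerated above can be traced back to specific users and client machines.

```python
import re
from collections import Counter

# Constructed sample audit events (not real captures). The layout is a
# simplified one-line-per-event rendering assumed for this example; the
# "Authentication Package" field is the value that separates the two paths.
SAMPLE_EVENTS = """\
Event: Successful Logon; User: alice; Domain: CORP; Logon Type: 3; Workstation: WS01; Authentication Package: Kerberos
Event: Successful Logon; User: bob; Domain: CORP; Logon Type: 3; Workstation: WIN98-PC; Authentication Package: NTLM
Event: Successful Logon; User: svc-backup; Domain: CORP; Logon Type: 2; Workstation: DC01; Authentication Package: Kerberos
Event: Successful Logon; User: carol; Domain: NTDOM; Logon Type: 3; Workstation: NT4SRV; Authentication Package: NTLM
"""

# One "Key: value" pair; values run up to the next ';' separator.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+):\s*(?P<val>[^;]+)")


def parse_event(line):
    """Split one 'Key: value; Key: value' line into a dict of stripped fields."""
    return {m.group("key").strip(): m.group("val").strip()
            for m in FIELD_RE.finditer(line)}


def classify_logons(events_text):
    """Return (Counter of logons per authentication package,
    list of (user, domain, workstation) for every NTLM logon)."""
    counts = Counter()
    ntlm_logons = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pkg = ev.get("Authentication Package", "unknown")
        counts[pkg] += 1
        if pkg.upper() == "NTLM":
            # These are the logons that took the legacy path; the workstation
            # field tells you which client to look at (NT, Win9x, OS/2, ...).
            ntlm_logons.append((ev.get("User"), ev.get("Domain"),
                                ev.get("Workstation")))
    return counts, ntlm_logons


if __name__ == "__main__":
    per_package, ntlm = classify_logons(SAMPLE_EVENTS)
    for package, n in sorted(per_package.items()):
        print(f"{package}: {n} logon(s)")
    for user, domain, host in ntlm:
        print(f"NTLM used by {domain}\\{user} from {host}")
```

Replace SAMPLE_EVENTS with an export of real logon audit events in the same line layout to get the same per-package tally for your own domain.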
- Secure Socket Layer
- Microsoft NT LAN Manager
- Password Authentication Protocol and Shiva PAP
- Challenge Handshake Authentication Protocol (CHAP) and Microsoft CHAP
- Extensible Authentication Protocol
- Remote Authentication Dial-In User Service (RADIUS)
- Certificate services
Windows 2000 Kerberos Authentication
Windows® 2000 implements Kerberos version 5 with extensions for public key authentication. The Kerberos client is implemented as a security provider through the Security Support Provider Interface. Initial authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows 2000 security services running on the domain controller and uses the domain's Active Directory™ service as its security account database. This white paper examines components of the protocol and provides detail on its implementation. Downloadable 143K
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility
"discovered an API that lets you enumerate and manipulate the ticket cache. This was even better than good documentation because I was able to do my own research to discover the nuts and bolts of the delegation mechanism. It also got me thinking about how tickets work in general, which I’ll also discuss."
Windows 2000 Kerberos Interoperability
The Windows® 2000 operating system implements the standard Kerberos network authentication protocol to improve security and interoperability. While new to Windows, the Kerberos protocol is not new and has been implemented on a number of operating system platforms. This paper describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations. Downloadable 104K