Kerberos and Microsoft products ? - Kerberos


Thread: Kerberos and Microsoft products ?

  1. Kerberos and Microsoft products ?

    Hi,

    I have just been told by a company (name of company is anonymous) that
    they were recently told by Microsoft, that in the next version of
    Windows, Kerberos will be removed and replaced by something else
    instead. This suggests that Active Directory will no longer be a
    Kerberos server, and Windows will not use Kerberos to authenticate users
    to domain controllers ?

    My question is, has anybody else been told the same ? Is this a
    misunderstanding, or based on fact ?

    Thanks, Tim

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos and Microsoft products ?

    I do not think that is correct.

    I am certain that they will use Kerberos; however, it is in my
    opinion very likely that they will change their Kerberos
    infrastructure to rely significantly on
    digital certificates and the new PKINIT draft/standard instead of user
    passwords and preauthentication.

    I.e. they will probably make changes to Kerberos but not get rid of
    Kerberos; instead they will use PKINIT+Kerberos.

    Speculation:
    I would not be surprised if they also do things like stuff the PAC
    inside the PKINIT fields/certificate instead of inside the
    authorization data fields, and if they also modify the KDC to take the
    PAC and other authorization data from within the AS-REQ and put it
    inside the krbtgt ticket it sends back, and that the client in
    further TGS-REQ and also AP-REQ also contains a copy of that data.

    It would provide an interesting side channel where they could provide
    authorization data from the certificate all the way to the AP-REQ sent
    to a service.

    I bet there are very interesting features that such a mechanism would provide.

    (At least that is what I would do instead of only using PKINIT as a
    vehicle for preauthentication.)



    On 10/21/05, Tim Alsop wrote:
    > Hi,
    >
    > I have just been told by a company (name of company is anonymous) that
    > they were recently told by Microsoft, that in the next version of
    > Windows, Kerberos will be removed and replaced by something else
    > instead. This suggests that Active Directory will no longer be a
    > Kerberos server, and Windows will not use Kerberos to authenticate users
    > to domain controllers ?
    >
    > My question is, has anybody else been told the same ? Is this a
    > misunderstanding, or based on fact ?
    >
    > Thanks, Tim

