Thankyou for your email, and I would also like to thank others who
responded to this question.

I conclude that the company which told me about 'Microsoft moving away
from Kerberos in their future products' must have missunderstood the
response from Microsoft, or the Microsoft employee involved
missunderstood the question asked by the customer ? Maybe Microsoft said
something like "We are moving away from userid+password based
authentication of users, which is implemented using Kerberos, in favour
of two-factor authentication". This could, be missinterpreted to mean
that Kerberos was not going to be used anymore, but in fact this is not
the case, and the answer might have been better qualified to avoid this
confusion ... I can understand how somebody who has limited technical
awareness of Kerberos and MS usage of it, can get confused if they enter
into a discussion about this subject. It is clear that Kerberos in
Microsoft products is 'here to stay' in future products, but will be
used in combination with other related, and complimentary standards,
such as PKINIT, and possibly other standards as they become available in
the future.

Thanks again,


-----Original Message-----
From: ronnie sahlberg []
Sent: 21 October 2005 23:32
To: Tim Alsop
Subject: Re: Kerberos and Microsoft products ?

I do not think that is correct.

I am certain that they will use kerberos however it is in my
opinion very likely that they will change their kerberos
infrastructure to rely significantly on
digital certificates and the new pkinit draft/standard instead of user
passwords and preauthentication.

I.e. they will probably make changes to kerberos but not get rid of
kerberos instead they will use pkinit+kerberos.

I would not be surprised if they also do things like stuff the PAC
inside the pkinit fields/certificate instead of inside the
authorization data fields and if they also modify the kdc to take the
PAC and other autorization data from within the AS-REQ and put it
inside the krbtgt ticket it sends back and that the client in
further tgs-req and also ap-req also contains a copy of that data.

It would provide an interesting side channel where they could provide
authorization data from the certificate all the way to the AP-REQ sent
to a service.

I bet there are very interesting features that such a mechanism would

(at elast that is what i would do instead of only using pkinit as a
vehicle for pre authentication)

On 10/21/05, Tim Alsop wrote:
> Hi,
> I have just been told by a company (name of company is anonymous) that
> they were recently told by Microsoft, that in the next version of
> Windows, Kerberos will be removed and replaced by something else
> instead. This suggests that Active Directory will no longer be a
> Kerberos server, and Windows will not use Kerberos to authenticate

> to domain controllers ?
> My question is, has anybody else been told the same ? Is this a
> missunderstanding, or based on fact ?
> Thanks, Tim
> ________________________________________________
> Kerberos mailing list

Kerberos mailing list