Kerberos authentication

Kerberos, which started off as an MIT project, has grown in popularity to the point that it is now the default choice for enterprise authentication in a domain-based environment. It is considered to be fast (especially given the ability to cache and reuse tickets) and secure from a credential handling perspective, given that the User does not need to send the password over the network to authenticate. It is also open in a real sense, so as long as you can put the necessary keytabs (think of it as a key) in place, you can have a mixed Windows and Linux environment authenticating in perfect harmony.

Kerberos is a complex protocol (especially when you come across it for the first time), so to take this step by step, we will take a quick look at the components that need to be in place, and the flow, before looking at troubleshooting and a quick configuration checklist. This will give us a good base before we dive into the communication flow.

Kerberos parties

Kerberos authentication in the context of NetScaler involves the following three parties:

  • The users/clients
  • The KDC (Key Distribution Center) which has two subcomponents:
    • Authentication Service (AS) that looks for the User and returns a Ticket Granting Ticket, which you can in turn use to get session tickets.
    • Ticket Granting Service (TGS) that provides those session tickets
  • The NetScaler AAA vServer that authenticates the users, talks to the KDC, and obtains tickets on behalf of the users.

Kerberos uses TCP port 88.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.22.217.45