Kerberos Authentication Sequence Across Trusts

 

Intro

Hey everyone, Ace again. This is a quick publish on how Kerb authentication works across a trust.

Here’s how it works (no shortcut trusts)

AD Trusts - Kerberos Authentication Sequence across a trust (from the PPT slide)

A user in the marketing.trimagna.com domains needs to gain access to a file share on a server called fileserver.sales.contoso.com domain. This is assuming the User has already logged on to a workstation using credentials from the marketing.trimagna.com domain. As part of the logon process, the authenticating domain controller issues the User a ticket-granting ticket (TGT). This ticket is required for User1 to be authenticated to resources.

The User attempts to access a shared resource on \\FileServer.sales.contoso.com\share.

The following Kerberos V5 authentication process occurs:

1. The User’s workstation asks for a session ticket for the FileServer server in sales.contoso.com by contacting the Kerberos Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer.sales.contoso.com service principal name (SPN).

2. The KDC in the user’s domain (marketing.trimagna.com) does not find the SPN for FileServer.sales.contoso.com in its domain database and queries the GC to see if any domains in the forest contain this SPN.

a. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

b. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in marketing.trimagna.com.

3. The KDC in the marketing.trimagna.com then issues the workstation a TGT for the contoso.com domain. This is known as a referral ticket.

4. The workstation then contacts the KDC in the trimagna.com tree root domain to request a referral to the KDC in the sales.contoso.com.

5. The KDC in the trimagna.com domain recognizes the user’s request to establish a session with a resource that exists in a foreign domain’s server.

a. The KDC then issues a TGT for the KDC in the contoso.com domain.

6. The workstation then presents the TGT for the sales.contoso.com domain to the KDC in the contoso.com domain.

7. The contoso.com KDC queries a GC to see if any domains in the forest contain this SPN. The GC checks its database about all forest trusts that exist in its forest. If a trust to the target domain is found, it compares the name suffixes listed in the forest trust trusted domain objects (TDOs) to the suffix of the target SPN to find a match.

a. Once a match is found, the global catalog sends the requested information as a referral back to the KDC in contoso.com.

8. The KDC issues a TGT for the sales.contoso.com domain.

9. The workstation then contacts the KDC of the sales.contoso.com domain and presents the referral ticket it received from its own KDC.

a. The referral ticket is encrypted with the interdomain key that is decrypted by the foreign domain’s TGS.

b. Note: When there is a trust established between two domains, an interdomain key based on the trust password becomes available for authenticating KDC functions, therefore it’s used to encrypt and decrypt tickets.

10. The workstation also presents the KDC in the sales.contoso.com the TGT it received from the KDC in contoso.com for the sales.contoso.com domain and is issued a ST (Session Ticket) for the sales.contoso.com domain.

a. The ST is populated with the domain local group memberships from the sales.contoso.com domain.

11. The user presents FileServer.sales.contoso.com the ST to the server to gain access to resources on the server in sales.contoso.com.

12. The server, FileServer.sales.contoso.com compares the SIDs include in the session ticket to the ACEs on the requested resource to determine if the user is authorized to access the resource. If there is, the user is permitted to access the resource based on the ACL permissions.

Shortcut Trust

If a shortcut trust exists from the sales.contoso.com domain to the marketing.trimagna.com domain, then the trust path will shortened, therefore the user authentication path will be direct between the two domains.

image

Additional Reading
Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx

Accessing resources across domains [and trusts]
http://technet.microsoft.com/en-us/library/cc787646(v=ws.10).aspx

============================================================

Summary

I hope this helps!

Published 9/20/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262 clip_image00462 clip_image00662 clip_image00862 clip_image01062 clip_image01262 clip_image01462

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.