The Microsoft implementation of Kerberos ([RFC4120], [MS-KILE]) uses TDOs to retrieve cross-domain passwords when building cross-realm ticket-granting tickets (TGTs). The KDC supports the following AuthTypes:
TRUST_AUTH_TYPE_CLEAR
This flag indicates that the information stored in the attribute is a Unicode plaintext password. If this AuthType is present, Kerberos can then use this password to derive additional key types needed to encrypt and decrypt cross-realm TGTs:
DES-CBC ([RFC4120] section 8.1)
DES-CRC [RFC4120]
RC4HMAC [RFC4757]
Other derivations of the plaintext password are possible using the string-to-key functionality defined in [RFC3961]. It is important to note that if the trustType is set to TRUST_TYPE_MIT, then RC4HMAC keys will not be derived for the trust unless the corresponding TDO's trustAttribute includes the TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION bit flag.
In Windows Server 2008 operating system and later, if KERB_ENCTYPE_RC4_HMAC_MD5 (4) is set in the msDs-supportedEncryptionTypes attribute, then the MIT realm supports RC4.
TRUST_AUTH_TYPE_NT4OWF
This flag indicates that the key is stored as a raw RC4HMAC key [RFC4757]. Because the key was precomputed with this AuthType, it is not possible to derive alternate key types for the TDO.
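As an added example (not code from [MS-ADTS] or from Windows), the following applies the RFC 4757 string-to-key rule to the two AuthTypes described above, together with the MIT-trust gating from the preceding paragraphs. The function `tdo_rc4_key`, its parameters and the AuthType strings are this example's own naming; the numeric values of TRUST_TYPE_MIT and TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION are assumed from the published [MS-ADTS] tables, and MD4 is implemented inline because hashlib frequently lacks it.

```python
import struct

# Constant values assumed from the published [MS-ADTS] tables; the enctype bit is stated on this page.
TRUST_TYPE_MIT = 3
TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x80
KERB_ENCTYPE_RC4_HMAC_MD5 = 4

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = ((F, 0, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers between steps (ABCD -> DABC -> ...)
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 section 3: K = MD4(UNICODE(password)), UNICODE meaning UTF-16LE."""
    return md4(password.encode("utf-16-le"))

def tdo_rc4_key(auth_type, auth_info, trust_type=0, trust_attributes=0, supported_enc_types=0):
    """RC4HMAC key a KDC could use for one TDO auth entry, or None when no RC4 key is derived."""
    if trust_type == TRUST_TYPE_MIT and not (trust_attributes & TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                                             or supported_enc_types & KERB_ENCTYPE_RC4_HMAC_MD5):
        return None  # MIT realm with neither the RC4 trust flag nor the RC4 enctype advertised
    if auth_type == "TRUST_AUTH_TYPE_CLEAR":
        # Unicode plaintext: RC4HMAC derived here; DES and other types would use their own
        # RFC 3961 string-to-key from the same plaintext.
        return rc4_hmac_string_to_key(auth_info.decode("utf-16-le"))
    if auth_type == "TRUST_AUTH_TYPE_NT4OWF":
        if len(auth_info) != 16:
            raise ValueError("NT4OWF entry must be a raw 16-byte RC4HMAC key")
        return auth_info  # precomputed key: no other key type can be derived from it
    raise ValueError(f"unsupported AuthType {auth_type!r}")
```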
Kerberos' usage of the TDO keys is somewhat counterintuitive. Consider the following scenario involving two trusting Active Directory domains, where a user in a primary domain wishes to authenticate to a service in the trusted domain using Kerberos. The primary domain issues a referral TGT to the trusted domain containing the service.
Figure 5: Kerberos protocol usage of keys
There is a one-way trust in place. The referral TGT issued by the primary domain is encrypted with the key in trustAuthIncoming, not trustAuthOutgoing. This is non-intuitive, but it matches the definition of an inbound trust: this direction of trust allows Kerberos in the primary domain to build a TGT for the trusted domain.