Published on LinkedIn: Kerberos and Windows 2012: Our Favorite Monster Is Changed (Again)


I have just published an Active Directory / Kerberos dedicated post on LinkedIn. Here you can read the introductory paragraph.

Kerberos and Windows 2012: Our Favorite Monster Is Changed (Again)

Since Windows Server 2000, the Kerberos protocol has been part of our day-to-day job. Its three heads (the Key Distribution Center, the client user and the server hosting resources) are the gears that enable the single sign-on (SSO) used to authenticate on the domain and to access resources inside our corporate network. It also works outside our network boundaries, reaching the Cloud with DirSync and other additional features.

Windows Server 2012 and Windows Server 2012 R2 have improved some existing features and have added some completely new scenarios related to security. A short list should include Dynamic Access Control (DAC), Kerberos Armoring / Flexible Authentication Secure Tunneling (FAST), KDC Proxy Service and Kerberos Constrained Delegation. I will use some high level scenarios to explain what’s new and why you should care about the aforementioned list. The objective here is not to give you the tech details, but just an idea of the cool things you could achieve using Windows 2012.

Going Beyond Limitations in NTFS

Our system to manage files and folders on a server has (basically) not changed since Windows NT 4. We create users and groups, assign permissions to them and manage sharing and exceptions. Meanwhile, we are trying to keep security aligned with organizations that change on a daily basis. Windows 2012 has introduced KDC support for claims and the capability to categorize resources on our servers. For example, it is now possible to:

  • Have a ticket from the KDC including a user claim like “He worked in this company for over 3 years”
  • Authenticate this claim with an external authority
  • Have an automated classification of files and folders so that some contents are accessible only to people that have worked in the aforementioned company for more than 3 years

When claims are provisioned, Windows Server 2012 KDCs can create service tickets carrying a principal’s claims. Access tokens created from these service tickets include the claims, which can then be used for access control. Server resources can receive as many classifications (tags) as we need, and you can manage access using user claims and resource tags inside regular expressions. A few notes on DAC:

  • Claims are also supported for devices (a Windows 8 client is required)
  • Resource classification is usable also to apply auditing and encryption with Rights Management Services
  • At least one Windows 2012 Domain Controller is required
  • DAC permissions are applied after the more traditional security related to shares and NTFS, so they are an additional security layer
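As an added example (not code from the original post), this PowerShell sequence provisions the DAC pieces described above on a Windows Server 2012 domain controller: a user claim sourced from an AD attribute, a resource tag, and a central access rule that ties them together. It assumes the ActiveDirectory module is loaded, that an integer schema attribute named "yearsOfService" exists, and that the claim/property IDs and policy names are constructed placeholders.

```powershell
# Added example, not part of the original post. Assumptions: the custom
# integer attribute "yearsOfService" exists in the schema; IDs and names
# below are constructed placeholders you would rename for your domain.
Import-Module ActiveDirectory

# 1. User claim: the KDC copies this attribute value into the service ticket,
#    and it lands in the access token on the file server.
New-ADClaimType -DisplayName "YearsOfService" `
    -SourceAttribute "yearsOfService" `
    -ID "ad://ext/YearsOfService" `
    -AppliesToClasses @("user")

# 2. Resource property (tag) used to classify folders, with the allowed values.
New-ADResourceProperty -DisplayName "Sensitivity" `
    -ID "Sensitivity_MS" `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" `
    -IsSecured $true `
    -SuggestedValues @(
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Public", "Public", "")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Veteran", "Veteran only", ""))
    )
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Sensitivity_MS"

# 3. Central access rule: targets resources tagged "Veteran" and grants full
#    access only when the user claim says 3 years or more. The ACL is SDDL
#    with a conditional ACE (XA) evaluated against the token's claims.
$resourceCondition = '(@RESOURCE.Sensitivity_MS == "Veteran")'
$currentAcl        = 'O:SYG:SYD:AR(XA;;FA;;;AU;(@USER.YearsOfService >= 3))'
New-ADCentralAccessRule -Name "Veterans only" `
    -ResourceCondition $resourceCondition `
    -CurrentAcl $currentAcl

# 4. Policy bundling the rule. Once pushed to file servers by Group Policy it
#    is checked after share and NTFS permissions, so it can only narrow access.
New-ADCentralAccessPolicy -Name "Veterans policy"
Add-ADCentralAccessPolicyMember -Identity "Veterans policy" -Members "Veterans only"
```

Before enforcing, put the same ACE in -ProposedAcl instead of -CurrentAcl to stage the rule and review the resulting audit events on the file server.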

Continue on LinkedIn…