What is Kerberos?
Kerberos is new to Windows 2000 and is
"The hound of Hell. A three
headed Dog with a Snake for a tail; guarded the entrance to the kingdom of
Hades, the Underworld."
(and you wondered why the box was so big :-) ).
It replaces the Microsoft NTLM native communication for Windows 2000
computers but NTLM is still supported for compatibility with older NT 4, Windows
9x clients (as a side not NTLM version 2 is not supported in Windows 2000).
The idea is if two people know a secret they can communicate by encrypting a
message with the secret and if they both know the secret they know the other
person is who they say they are. The problem is the secret can’t be sent as
just text over the network as anyone with a network sniffer could find the
The Kerberos protocol solves this problem with secret key cryptography.
Rather than sharing a password, communication partners share a cryptographic key
which is symmetric in nature which means the single key can both encrypt and
To communicate one side send the other an encrypted message containing their
name and local time, the other machine then decrypts the packet with the
symmetric key and if the time is close to its time then the match is OK.
The diagram shows this where KJB is the symmetric key shared by John
The fact that time is part of the encryption technology is why Windows 2000
machines need to be time synchronized with a SNTP service.
But how is the shared key distributed if it can't be sent over the network?
See the next FAQ.
Windows Privacy Tools - http//www.privacywindows.com