
is objectSid the kerberos long term key of a principal?

Posted by x_coder on July 16, 2005, 3:29 pm
Hi,
Is objectSid from the Active Directory database the long-term Kerberos
key of a server principal that is used to decrypt Kerberos tickets?

Thanks
Lyle



Posted by Roger Abell on July 18, 2005, 8:27 am
objectSID is the guid (globally unique identifier) for the object of
which it is a property.
I thought that Kerberos dynamically managed its keys, changing
them, rather than having a "long term" key for any of the
participating principals.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
> Hi,
> Is objectSid from the active directory database the long term kerberos
> key of a server principal that is used to decrypt kerberos tickets?
>
> Thanks
> Lyle
>




Posted by x_coder on July 18, 2005, 12:54 pm
Hi,
Kerberos creates keys on the fly for a particular session... but there
is always one long-term key specific to a principal... without this,
the KDC would not be able to distribute session-specific keys (the
principal needs to know how to decode his ticket and he does this based
on his long-term key).

Thanks
Lyle



Posted by Dean Wells [MVP] on July 20, 2005, 9:29 am
If memory serves, the long-term key is (at least when using symmetric
authentication) derived from the user's password. I believe it is
something along the lines of -

1. digest clear text password
2. salt resulting digest of step #1 with user's UPN
3. digest result of step #2

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

x_coder@hotmail.com wrote:
> Hi,
> Is objectSid from the active directory database the long term kerberos
> key of a server principal that is used to decrypt kerberos tickets?
>
> Thanks
> Lyle



