Let's start with a short introduction. In the early 1980s, a project at MIT called "Athena" was trying to improve system authentication methods. The goal was to deter hackers from monitoring network sessions and capturing passwords. Kerberos uses encryption to authenticate users wishing to gain access to network resources. Kerberos uses a shared key for authentication. This key is shared between the Kerberos client (in this case a Windows 2000 workstation) and the Kerberos server.
The way it works is like this. When a client wants to access a resource on the network, the client requests authentication from the server. The server then creates two copies of the session key (also known as the shared key). The server sends this key to the client in an encrypted message. This message contains the client's private key and the resource server's encrypted private key (the resource server is the resource the client wants to access). This message is also encrypted with a time stamp to prevent a hacker from capturing the session and playing it back. With this information, the client sends the session key to the resource server. The resource server can now decrypt the message using its private key. Because the server and the client share the same session key, they can now communicate.
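The exchange just described, as an added example that is not part of the original article: a toy model in which the Kerberos server mints a session key, seals one copy for the resource server (the ticket) and returns both to the client under the client's key; the resource server then opens the ticket with its own key and rejects a replayed or stale timestamp. The `seal`/`unseal` cipher, the function names and the 300-second skew are assumptions made for the example, not real Kerberos message formats.

```python
import hashlib, hmac, json, os

# Toy encrypt-then-MAC (SHA-256 keystream + HMAC) so the exchange runs offline;
# it stands in for the real Kerberos cipher and is not suitable for production.
def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(client_key, server_key, client, now):
    """Kerberos server: mint a session key; one copy is sealed under the
    resource server's key (the ticket), both copies go back to the client
    sealed under the client's own key."""
    sk = os.urandom(32).hex()
    ticket = seal(server_key, {"client": client, "session_key": sk, "issued": now})
    return seal(client_key, {"session_key": sk, "ticket": ticket.hex()})

def client_present(client_key, reply, now):
    """Client: recover the session key, then forward the ticket plus a
    timestamped authenticator sealed under that session key."""
    msg = unseal(client_key, reply)
    auth = seal(bytes.fromhex(msg["session_key"]), {"timestamp": now})
    return bytes.fromhex(msg["ticket"]), auth

SKEW = 300  # seconds of clock drift tolerated (assumed value)

def server_accept(server_key, ticket, auth, now, seen):
    """Resource server: open the ticket with its own key, then require the
    authenticator's timestamp to be fresh and never seen before (replay cache)."""
    t = unseal(server_key, ticket)
    a = unseal(bytes.fromhex(t["session_key"]), auth)
    fingerprint = hashlib.sha256(auth).hexdigest()
    if abs(now - a["timestamp"]) > SKEW or fingerprint in seen:
        return False
    seen.add(fingerprint)
    return True
```

Opening the ticket with any key other than the resource server's raises `ValueError`, which is what keeps the session key out of a third party's hands even though the client carries the ticket.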
One of the main benefits of using Kerberos is that it provides a single sign-on capability using the SSPI (Security Service Application Programming Interface) standard. In a Windows 2000 environment, the user logon session uses Kerberos instead of the Windows NT "challenge/response" LanMan protocol. If your network has Windows NT or Windows 95/98 clients, you will need to support the NT LanMan authentication protocol. Support for LanMan is enabled by default. If you don't need it (all of your machines are Windows 2000), then you can turn it off.
What about Microsoft's Kerberos enhancements? The version of Kerberos in Windows 2000 has been "enhanced" by Microsoft. For one thing, the initial user authentication is done using public key certificates instead of the standard shared secret keys. This enhancement allows Windows 2000 to perform interactive logons using smart cards. These cards act as cryptographic peripherals to store authentication credentials for network logon and remote access.
This was first published in April 2001