Kerberos (protocol)

Kerberos (/ˈkɜːrbərɒs/) is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric-key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default.

The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades.

Developer(s): Massachusetts Institute of Technology
Stable release: Version 5, Release 1.21 / 5 June 2023 (2023-06-05)
Written in: C
Operating system: Cross-platform
Type: Authentication protocol
Website: web.mit.edu/kerberos/

History and development

The Massachusetts Institute of Technology (MIT) developed Kerberos in 1988 to protect network services provided by Project Athena. Its first version was primarily designed by Steve Miller and Clifford Neuman based on the earlier Needham–Schroeder symmetric-key protocol. Kerberos versions 1 through 3 were experimental and not released outside of MIT.

Kerberos version 4, the first public version, was released on January 24, 1989. Since Kerberos 4 was developed in the United States, and since it used the Data Encryption Standard (DES) encryption algorithm, U.S. export control restrictions prevented it from being exported to other countries. MIT created an exportable version of Kerberos 4 with all encryption code removed, called "Bones". Eric Young of Australia's Bond University reimplemented DES into Bones, in a version called "eBones", which could be freely used in any country. Sweden's Royal Institute of Technology released another reimplementation called KTH-KRB.

Neuman and John Kohl published version 5 in 1993 with the intention of overcoming existing limitations and security problems. Version 5 appeared as RFC 1510, which was then made obsolete by RFC 4120 in 2005.

In 2005, the Internet Engineering Task Force (IETF) Kerberos working group updated specifications. Updates included:

Encryption and Checksum Specifications (RFC 3961).
Advanced Encryption Standard (AES) Encryption for Kerberos 5 (RFC 3962).
A new edition of the Kerberos V5 specification "The Kerberos Network Authentication Service (V5)" (RFC 4120). This version obsoletes RFC 1510 and clarifies aspects of the protocol and its intended use with a more detailed and clearer explanation.
A new edition of the Generic Security Services Application Program Interface (GSS-API) specification "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2" (RFC 4121).

MIT makes an implementation of Kerberos freely available, under copyright permissions similar to those used for BSD. In 2007, MIT formed the Kerberos Consortium to foster continued development. Founding sponsors include vendors such as Oracle, Apple Inc., Google, Microsoft, Centrify Corporation and TeamF1 Inc., and academic institutions such as the Royal Institute of Technology in Sweden, Stanford University, MIT, and vendors such as CyberSafe offering commercially supported versions.

Protocol

Description

The client authenticates itself to the Authentication Server (AS), which is part of the key distribution center (KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped, encrypts it using the ticket-granting service's (TGS) secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point although it may be transparently renewed by the user's session manager while they are logged in.

When the client needs to communicate with a service on another node (a "principal", in Kerberos parlance), the client sends the TGT to the TGS, which is another component of the KDC and usually shares the same host as the authentication server. The service must have already been registered with the TGS with a Service Principal Name (SPN). The client uses the SPN to request access to this service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a service ticket (ST) and session keys to the client. The client then sends the ticket to the service server (SS) along with its service request.

[Figure: Kerberos negotiations]

The protocol is described in detail below.

User Client-based Login without Kerberos

A user enters a username and password on the client machine(s). Other credential mechanisms like pkinit (RFC 4556) allow for the use of public keys in place of a password. The client transforms the password into the key of a symmetric cipher. This either uses the built-in key scheduling, or a one-way hash, depending on the cipher-suite used.

The server receives the username and symmetric cipher and compares it with the data from the database. Login was a success if the cipher matches the cipher that is stored for the user.

Client Authentication

The client sends a plaintext message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)

The AS checks to see whether the client is in its database. If it is, the AS generates the secret key by hashing the password of the user found at the database (e.g., Active Directory in Windows Server) and sends back the following two messages to the client:

Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client network address, ticket validity period, and the Client/TGS Session Key) encrypted using the secret key of the TGS.

Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user. If the user-entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A. With a valid password and secret key the client decrypts message A to obtain the Client/TGS Session Key. This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using the TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

Client Service Authorization

When requesting services, the client sends the following messages to the TGS:

Message C: Composed of the message B (the encrypted TGT using the TGS session key) and the ID of the requested service.
Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key (found by the client in Message A).

Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the Client/TGS Session Key and the client ID (both are in the TGT). Using this Client/TGS Session Key, the TGS decrypts message D (Authenticator) and compares the client IDs from messages B and D; if they match, the server sends the following two messages to the client:

Message E: Client-to-server ticket (which includes the client ID, client network address, validity period, and Client/Server Session Key) encrypted using the service's secret key.
Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.

Client Service Request

Upon receiving messages E and F from the TGS, the client has enough information to authenticate itself to the Service Server (SS). The client connects to the SS and sends the following two messages:

Message E: From the previous step (the Client-to-server ticket, encrypted using the service's secret key by the TGS).
Message G: A new Authenticator, which includes the client ID and timestamp and is encrypted using the Client/Server Session Key.

The SS decrypts the ticket (message E) using its own secret key to retrieve the Client/Server Session Key. Using the session key, the SS decrypts the Authenticator and compares the client IDs from messages E and G; if they match, the server sends the following message to the client to confirm its true identity and willingness to serve the client:

Message H: The timestamp found in the client's Authenticator (plus 1 in version 4, but not necessary in version 5), encrypted using the Client/Server Session Key.

The client decrypts the confirmation (message H) using the Client/Server Session Key and checks whether the timestamp is correct. If so, then the client can trust the server and can start issuing service requests to the server.

The server provides the requested services to the client.

Support by operating systems

Microsoft Windows

Windows 2000 and later versions use Kerberos as their default authentication method. Some Microsoft additions to the Kerberos suite of protocols are documented in RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols". RFC 4757 documents Microsoft's use of the RC4 cipher. While Microsoft uses and extends the Kerberos protocol, it does not use the MIT software.

Kerberos is used as the preferred authentication method: in general, joining a client to a Windows domain means enabling Kerberos as the default protocol for authentications from that client to services in the Windows domain and all domains with trust relationships to that domain.

In contrast, when either client or server or both are not joined to a domain (or not part of the same trusted domain environment), Windows will instead use NTLM for authentication between client and server.

Internet web applications can enforce Kerberos as an authentication method for domain-joined clients by using APIs provided under SSPI.

Microsoft Windows and Windows Server include setspn, a command-line utility that can be used to read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.

Unix and other operating systems

Many Unix-like operating systems, including FreeBSD, Apple's macOS, Red Hat Enterprise Linux, Oracle's Solaris, IBM's AIX, HP-UX and others, include software for Kerberos authentication of users or services. A variety of non-Unix-like operating systems such as z/OS, IBM i and OpenVMS also feature Kerberos support. Embedded implementation of the Kerberos V authentication protocol for client agents and network services running on embedded platforms is also available from companies.

Drawbacks and limitations

Kerberos has strict time requirements, which means that the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period, and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration per MIT requires that clock times be no more than five minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized. Note that some servers (Microsoft's implementation being one of them) may return a KRB_AP_ERR_SKEW result containing the encrypted server time if both clocks have an offset greater than the configured maximum value. In that case, the client could retry by calculating the time using the provided server time to find the offset. This behavior is documented in RFC 4430.

The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244.

In case of symmetric cryptography adoption (Kerberos can work using symmetric or asymmetric (public-key) cryptography), since all authentications are controlled by a centralized key distribution center (KDC), compromise of this authentication infrastructure will allow an attacker to impersonate any user.

Each network service that requires a different host name will need its own set of Kerberos keys. This complicates virtual hosting and clusters.

Kerberos requires user accounts and services to have a trusted relationship to the Kerberos token server.

The required client trust makes creating staged environments (e.g., separate domains for test environment, pre-production environment and production environment) difficult: either domain trust relationships need to be created that prevent a strict separation of environment domains, or additional user clients need to be provided for each environment.

Security

The Data Encryption Standard (DES) cipher can be used in combination with Kerberos, but is no longer an Internet standard because it is weak. Security vulnerabilities exist in products that implement legacy versions of Kerberos which lack support for newer encryption ciphers like AES.

See also

Single sign-on
Identity management
SPNEGO
S/Key
Secure remote password protocol (SRP)
Generic Security Services Application Program Interface (GSS-API)
Host Identity Protocol (HIP)
List of single sign-on implementations
