{"id":392,"date":"2005-06-06T11:39:00","date_gmt":"2005-06-06T11:39:00","guid":{"rendered":"http:\/\/markwilson.me.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm"},"modified":"2007-07-17T11:17:06","modified_gmt":"2007-07-17T10:17:06","slug":"kerberos-authentication-explained","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm","title":{"rendered":"Kerberos authentication explained"},"content":{"rendered":"<p><!--111805780173789106-->Authentication and authorisation are often thought of as a single process but the two are actually distinct operations that may even use separate storage locations for the authentication and authorisation data.<\/p>\n<p>Authentication is about verifying identity, based on one or more factors, for example something that someone knows (e.g. a password), something that someone holds (e.g. a smart card), something that someone is (e.g. biometric information).  Obviously the use of <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2005\/02\/multiple-factor-security.htm\">multiple-factor identification<\/a> increases security.<\/p>\n<p>Authorisation is about controlling access to a resource based on access control lists and other policies; however secure authorisation is dependent on authentication in order to ensure that the security principal requesting access is who they say they are.<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/kerberos_(protocol)\">Kerberos<\/a> is the industry standard for authentication (not authorisation), featuring mutual authentication (cf. NTLM, which uses one-way authentication), faster connection times (session tickets are effectively pre-authentication) and delegation (e.g. 
one server accessing resources on another server on behalf of the original request).<\/p>\n<p>For some reason, Kerberos has always seemed complicated to me, but over the last couple of months I&#8217;ve attended two events where the speakers (<a href=\"http:\/\/blogs.technet.com\/jhoward\/\">John Howard<\/a> from Microsoft, and John Craddock from <a href=\"http:\/\/www.kimberry.co.uk\/\">Kimberry Associates<\/a>) gave excellent explanations of the Kerberos authentication process, which I have attempted to repeat here for the benefit of others.<\/p>\n<p>Even though it is not a Microsoft standard, Kerberos is the default authentication protocol in Windows 2000, XP and Server 2003, although these all support NTLM for legacy clients.  <a href=\"http:\/\/www.faqs.org\/rfcs\/rfc1510.html\">RFC 1510<\/a>, which defines the Kerberos network authentication service (version 5) actually specifies six messages (five mandatory and one optional), grouped into three pairs of sub-protocols:<\/p>\n<ul>\n<li>The authentication service (AS) exchange.<\/li>\n<ul>\n<li>KRB_AS_REQ.<\/li>\n<li>KRB_AS_REP.<\/li>\n<\/ul>\n<li>The ticket granting service (TGS) exchange.<\/li>\n<ul>\n<li>KRB_TGS_REQ.<\/li>\n<li>KRB_TGS_REP.<\/li>\n<\/ul>\n<li>The client\/server (AP) exchange.<\/li>\n<ul>\n<li>KRB_AP_REQ.<\/li>\n<li>(KRB_AP_REP).<\/li>\n<\/ul>\n<\/ul>\n<p>Central to the Kerberos process is the key distribution center (KDC), which in a Windows implementation is installed on all domain controllers.  All parties within the Kerberos transaction are said to be part of the same realm, which really means that they have a common shared secret in order to communicate with trust.  All messages are encrypted using keys (symmetric &#8211; not PKI).  
A user key is generated from the logon password, a host key is generated when the computer joins the realm and the KDC is effectively a database of security principals.<\/p>\n<p>The AS exchange takes place at logon and is concerned with giving clients the right to request tickets to access resources (avoiding the need to hold logon factors).  In this process, the client sends a KRB_AS_REQ request to the KDC and, if approved, the KDC will generate a ticket granting ticket (TGT) which is returned to the client as part of the KRB_AS_REP reply.  The TGT allows the client to request service tickets and is analogous to a passport &#8211; i.e. it is valid for a certain period after which it expires; however once the TGT has been issued, there is no further use of passwords or other logon factors.<\/p>\n<p>When the client requires access to a resource, the TGS exchange will commence, whereby the client sends a KRB_TGS_REQ service ticket (ST) request to the KDC with the name of the service to which access is required.  The KDC will validate the authentication token within the TGT and if permitted, will return a service ticket which is valid for the requested service as part of the KRB_TGS_REP reply; however at this stage the client is still not authenticated.  The service ticket is only valid between the user and the service but provides mutual authentication and speeds up connection times by eliminating the need for the service to perform authentication.<\/p>\n<p>Only after the client has sent a KRB_AP_REQ request to the service server and there is mutual authentication, will the client be authenticated and allowed access to the requested resource.  The service server may, or may not, send a KRB_AP_REP reply.<\/p>\n<p>At all stages, only the KDC can read the TGT and only the service can read the ST.  
<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"inline\" alt=\"Kerberos\" src=\"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/images\/kerberos.gif?w=700&#038;ssl=1\"  \/><\/p>\n<p>Looking in further detail at the AS exchange, the KRB_AS_REQ includes:<\/p>\n<ul>\n<li>Client principal name.<\/li>\n<li>Timestamp.<\/li>\n<li>Kerberos target principal name (realm).<\/li>\n<li>Requested lifetime.<\/li>\n<\/ul>\n<p>The KDC checks for the existence of the user and constructs an encrypted reply, based on the user&#8217;s password-based key so that only the real user will be able to decrypt it.  This KRB_AS_REP is in two portions:<\/p>\n<ul>\n<li>The first part is encrypted using the user&#8217;s key, containing:<\/li>\n<ul>\n<li>User-TGS key (generated by the KDC).<\/li>\n<li>Kerberos target principal name (realm).<\/li>\n<li>Ticket lifetime.<\/li>\n<\/ul>\n<li>The second part is the TGT, which is encrypted using a TGS key generated by the KDC so that only the server can open it (even though it is stored by the client for use during further transactions), containing:<\/li>\n<ul>\n<li>User-TGS key (which is not retained by the KDC, but its presence within the TGT means it is available when required).<\/li>\n<li>Client principal name.<\/li>\n<li>Ticket lifetime.<\/li>\n<li>KDC timestamp.<\/li>\n<li>Client IP address (taken from the initial KRB_AS_REQ).<\/li>\n<\/ul>\n<\/ul>\n<p>Because the KRB_AS_REQ is sent in clear text, pre-authentication may be required to stop spoofing of KRB_AS_REQs &#8211; this can be controlled on a per-user basis but is automatically enabled on Windows 2000\/2003 KDCs.  
Pre-authentication encrypts the KRB_AS_REQ with the user&#8217;s password-based key and avoids offline dictionary and brute force attacks because the timestamp within the KRB_AS_REQ must match the current time (within an allowed skew, which is 5 minutes by default).<\/p>\n<p>Moving on to the TGS exchange, the service ticket request (KRB_TGS_REQ) contains:<\/p>\n<ul>\n<li>Service principal name.<\/li>\n<li>Requested lifetime.<\/li>\n<li>TGT (still encrypted with the TGS key).<\/li>\n<li>Authenticator (encrypted with the user-TGS key and containing a client timestamp).<\/li>\n<\/ul>\n<p>The authenticator guarantees that the request originated from the client.<\/p>\n<p>The KRB_TGS_REP service ticket reply is again in two parts:<\/p>\n<ul>\n<li>Part one is encrypted with the user-TGS key (taken from the TGT by the KDC) and contains:<\/li>\n<ul>\n<li>Service principal name.<\/li>\n<li>Ticket lifetime.<\/li>\n<li>User service key (encrypted with a user-TGS session key, generated by the KDC).<\/li>\n<\/ul>\n<li>Part two is the service ticket, encrypted using the service-TGS key and contains:<\/li>\n<ul>\n<li>User service key (encrypted with a user-TGS session key, generated by the KDC).<\/li>\n<li>Client principal name.<\/li>\n<li>Ticket lifetime.<\/li>\n<li>KDC timestamp.<\/li>\n<li>Client IP address.<\/li>\n<\/ul>\n<\/ul>\n<p>Finally, when the client requires access to the service, the AP exchange KRB_AP_REQ contains the service ticket (still encrypted using the service-TGS key) and an authenticator (encrypted with the user-service key).  Kerberos does not define an encryption protocol for the service request.<\/p>\n<p>A client can forward its credentials to a service, forwarding a copy of its TGT so that the service can transparently authenticate on the user&#8217;s behalf.<\/p>\n<p>So that&#8217;s how Kerberos works.  
The key points to remember are that:<\/p>\n<ul>\n<li>AS exchange occurs at logon, providing the client with a TGT.<\/li>\n<li>The TGT allows the client to enter the TGS exchange (which authenticates the client), returning an ST.<\/li>\n<li>The ST identifies the authenticated client to a service following which the service will provide access (but only if the client passes the service&#8217;s own authorisation criteria).<\/li>\n<li>Because messages are encrypted, only the KDC can read the TGT and only the service can read the ST.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Authentication and authorisation are often thought of as a single process but the two are actually distinct operations that may even use separate storage locations for the authentication and authorisation data. Authentication is about verifying identity, based on one or more factors, for example something that someone knows (e.g. a password), something that someone holds &hellip; <a href=\"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Kerberos authentication explained<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[],"tags":[43],"class_list":["post-392","post","type-post","status-publish","format-standard","hentry","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Kerberos authentication explained - markwilson.it<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos authentication explained - markwilson.it\" \/>\n<meta property=\"og:description\" content=\"Authentication and authorisation are often thought of as a single process but the two are actually distinct operations that may even use separate storage locations for the authentication and authorisation data. Authentication is about verifying identity, based on one or more factors, for example something that someone knows (e.g. a password), something that someone holds &hellip; Continue reading Kerberos authentication explained\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm\" \/>\n<meta property=\"og:site_name\" content=\"markwilson.it\" \/>\n<meta property=\"article:published_time\" content=\"2005-06-06T11:39:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2007-07-17T10:17:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif\" \/>\n<meta name=\"author\" content=\"Mark Wilson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:site\" content=\"@markwilsonit\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm\"},\"author\":{\"name\":\"Mark Wilson\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"headline\":\"Kerberos authentication explained\",\"datePublished\":\"2005-06-06T11:39:00+00:00\",\"dateModified\":\"2007-07-17T10:17:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm\"},\"wordCount\":1220,\"commentCount\":4,\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"image\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/kerberos.gif\",\"keywords\":[\"Security\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm\",\"name\":\"Kerberos authentication explained - 
markwilson.it\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/kerberos.gif\",\"datePublished\":\"2005-06-06T11:39:00+00:00\",\"dateModified\":\"2007-07-17T10:17:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#primaryimage\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/kerberos.gif\",\"contentUrl\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/images\\\/kerberos.gif\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/2005\\\/06\\\/kerberos-authentication-explained.htm#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kerberos authentication explained\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/\",\"name\":\"markwilson.it\",\"description\":\"get-info -class technology | write-output &gt; 
\\\/dev\\\/web\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/#\\\/schema\\\/person\\\/98f61365e7c39d6be942174b8c4de468\",\"name\":\"Mark Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\",\"width\":800,\"height\":800,\"caption\":\"Mark Wilson\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/www.markwilson.co.uk\\\/blog\\\/uploads\\\/image-4.png?fit=800%2C800&ssl=1\"},\"description\":\"A Chartered IT Professional, with recent experience in technology leadership, IT strategy and practice management roles, Mark Wilson is an Enterprise Architect in the Advisory and Management Group at risual. During a career spanning more than two decades, Mark has gained widespread recognition as an expert in his field including both industry and national press exposure. In addition to certifications from Microsoft, VMware, Red Hat, The Open Group and Axelos, Mark held a Microsoft Most Valuable Professional (MVP) award for three years and is now part of the MVP Reconnect programme. 
Mark is also well-known on social media and maintains an award-winning blog.\",\"sameAs\":[\"http:\\\/\\\/www.markwilson.co.uk\\\/\",\"https:\\\/\\\/www.instagram.com\\\/markwilsonuk\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/markawilson\\\/\",\"https:\\\/\\\/x.com\\\/markwilsonit\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCWHlZCoHRTocdvtrOJ2IL4A\"],\"url\":\"https:\\\/\\\/www.markwilson.co.uk\\\/blog\\\/author\\\/mark-wilson\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Kerberos authentication explained - markwilson.it","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm","og_locale":"en_GB","og_type":"article","og_title":"Kerberos authentication explained - markwilson.it","og_description":"Authentication and authorisation are often thought of as a single process but the two are actually distinct operations that may even use separate storage locations for the authentication and authorisation data. Authentication is about verifying identity, based on one or more factors, for example something that someone knows (e.g. 
a password), something that someone holds &hellip; Continue reading Kerberos authentication explained","og_url":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm","og_site_name":"markwilson.it","article_published_time":"2005-06-06T11:39:00+00:00","article_modified_time":"2007-07-17T10:17:06+00:00","og_image":[{"url":"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif","type":"","width":"","height":""}],"author":"Mark Wilson","twitter_card":"summary_large_image","twitter_creator":"@markwilsonit","twitter_site":"@markwilsonit","twitter_misc":{"Written by":"Mark Wilson","Estimated reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#article","isPartOf":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm"},"author":{"name":"Mark Wilson","@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"headline":"Kerberos authentication 
explained","datePublished":"2005-06-06T11:39:00+00:00","dateModified":"2007-07-17T10:17:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm"},"wordCount":1220,"commentCount":4,"publisher":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"image":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#primaryimage"},"thumbnailUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif","keywords":["Security"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm","url":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm","name":"Kerberos authentication explained - 
markwilson.it","isPartOf":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#primaryimage"},"image":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#primaryimage"},"thumbnailUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif","datePublished":"2005-06-06T11:39:00+00:00","dateModified":"2007-07-17T10:17:06+00:00","breadcrumb":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#primaryimage","url":"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif","contentUrl":"https:\/\/www.markwilson.co.uk\/blog\/images\/kerberos.gif"},{"@type":"BreadcrumbList","@id":"https:\/\/www.markwilson.co.uk\/blog\/2005\/06\/kerberos-authentication-explained.htm#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.markwilson.co.uk\/blog"},{"@type":"ListItem","position":2,"name":"Kerberos authentication explained"}]},{"@type":"WebSite","@id":"https:\/\/www.markwilson.co.uk\/blog\/#website","url":"https:\/\/www.markwilson.co.uk\/blog\/","name":"markwilson.it","description":"get-info -class technology | write-output &gt; 
\/dev\/web","publisher":{"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.markwilson.co.uk\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/www.markwilson.co.uk\/blog\/#\/schema\/person\/98f61365e7c39d6be942174b8c4de468","name":"Mark Wilson","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","url":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1","width":800,"height":800,"caption":"Mark Wilson"},"logo":{"@id":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/image-4.png?fit=800%2C800&ssl=1"},"description":"A Chartered IT Professional, with recent experience in technology leadership, IT strategy and practice management roles, Mark Wilson is an Enterprise Architect in the Advisory and Management Group at risual. During a career spanning more than two decades, Mark has gained widespread recognition as an expert in his field including both industry and national press exposure. In addition to certifications from Microsoft, VMware, Red Hat, The Open Group and Axelos, Mark held a Microsoft Most Valuable Professional (MVP) award for three years and is now part of the MVP Reconnect programme. 
Mark is also well-known on social media and maintains an award-winning blog.","sameAs":["http:\/\/www.markwilson.co.uk\/","https:\/\/www.instagram.com\/markwilsonuk\/","https:\/\/www.linkedin.com\/in\/markawilson\/","https:\/\/x.com\/markwilsonit","https:\/\/www.youtube.com\/channel\/UCWHlZCoHRTocdvtrOJ2IL4A"],"url":"https:\/\/www.markwilson.co.uk\/blog\/author\/mark-wilson"}]}},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":862,"url":"https:\/\/www.markwilson.co.uk\/blog\/2007\/07\/windows-server-2008-read-only-domain-controllers.htm","url_meta":{"origin":392,"position":0},"title":"Windows Server 2008 read only domain controllers","author":"Mark Wilson","date":"Monday 30 July 2007","format":false,"excerpt":"This is the last post I'm intending to write based on the content from the recent Windows Server UK User Group meeting - this time inspired by Scotty Mc Leod's presentation on read only domain controllers (RODCs), a new feature in Windows Server 2008. In my post from a few\u2026","rel":"","context":"In \"Microsoft Active Directory\"","block_context":{"text":"Microsoft Active Directory","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/active-directory"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":802,"url":"https:\/\/www.markwilson.co.uk\/blog\/2007\/05\/using-active-directory-to-authenticate-users-on-a-linux-computer.htm","url_meta":{"origin":392,"position":1},"title":"Using Active Directory to authenticate users on a Linux computer","author":"Mark Wilson","date":"Wednesday 30 May 2007","format":false,"excerpt":"I'm not sure if it's the gradual improvement in my Linux knowledge, better information on the 'net, or just that integrating Windows and Unix systems is getting easier but I finally got one of my non-Windows systems to authenticate against Active Directory (AD) today. 
It may not sound like much\u2026","rel":"","context":"In \"Linux\"","block_context":{"text":"Linux","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/linux"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":127,"url":"https:\/\/www.markwilson.co.uk\/blog\/2005\/07\/some-more-about-sidhistory.htm","url_meta":{"origin":392,"position":2},"title":"Some more about sIDHistory","author":"Mark Wilson","date":"Wednesday 6 July 2005","format":false,"excerpt":"A few weeks back I was looking at migrating users between forests using ADMT when the source and target domain names are similar. It worked in my virtual environment but when we went to put it into practice there were some issues caused by different people's perception of what the\u2026","rel":"","context":"In \"Microsoft Active Directory\"","block_context":{"text":"Microsoft Active Directory","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/active-directory"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1284,"url":"https:\/\/www.markwilson.co.uk\/blog\/2008\/11\/identity-and-security-developments-at-microsoft.htm","url_meta":{"origin":392,"position":3},"title":"Identity and security developments at Microsoft","author":"Mark Wilson","date":"Thursday 13 November 2008","format":false,"excerpt":"In amongst all the exciting new product announcements for new Windows releases and cloud computing platforms it's all too easy to miss out on some of the core infrastructure enhancements that Microsoft is making. 
Last week I got the chance to catch up with Joel Sider from Microsoft's Identity and\u2026","rel":"","context":"In \"Microsoft Forefront\"","block_context":{"text":"Microsoft Forefront","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/forefront"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":237,"url":"https:\/\/www.markwilson.co.uk\/blog\/2005\/09\/10000-feet-view-of-microsoft-active.htm","url_meta":{"origin":392,"position":4},"title":"10,000 feet view of Microsoft Active Directory","author":"Mark Wilson","date":"Wednesday 14 September 2005","format":false,"excerpt":"Non-technical colleagues, and friends who work with Microsoft products but outside of a corporate environment often ask me \"what is Active Directory\" (AD). As I've blogged a few 10,000 feet views of Microsoft technologies, I thought I'd produce one for AD. At the Microsoft Technical Roadshow event last May, Paul\u2026","rel":"","context":"In \"Microsoft Active Directory\"","block_context":{"text":"Microsoft Active Directory","link":"https:\/\/www.markwilson.co.uk\/blog\/tag\/active-directory"},"img":{"alt_text":"","src":"http:\/\/www.assoc-amazon.co.uk\/e\/ir?t=marsweblo-21&l=as2&o=2&a=0954421809","width":350,"height":200},"classes":[]},{"id":9023,"url":"https:\/\/www.markwilson.co.uk\/blog\/2025\/05\/postmortem-deploying-my-static-website-with-azure-static-web-apps-eventually.htm","url_meta":{"origin":392,"position":5},"title":"Postmortem: deploying my static website with Azure Static Web Apps (eventually)","author":"Mark Wilson","date":"Thursday 22 May 2025","format":false,"excerpt":"This all started out as a bit of vibe coding* in ChatGPT... Yesterday, whilst walking the dog, I was listening to the latest episode of WB-40. Something Julia Bellis said gave me an idea for a simple custom GPT to help people (well, mostly me) eat better. 
ChatGPT helped me\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/www.markwilson.co.uk\/blog\/topic\/technology"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/ChatGPT-Image-May-22-2025-09_57_24-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/ChatGPT-Image-May-22-2025-09_57_24-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/ChatGPT-Image-May-22-2025-09_57_24-AM.png?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/ChatGPT-Image-May-22-2025-09_57_24-AM.png?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.markwilson.co.uk\/blog\/uploads\/ChatGPT-Image-May-22-2025-09_57_24-AM.png?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts\/392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":0,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.markwilson.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=392"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}