Interoperability with Windows 2000
Understanding the TerminologyUnderstanding the TerminologyBoth the Kerberos server and Microsoft® provide Kerberos security for your network. While the technology is the same, the terminology varies.
Kerberos authentication depends upon establishing trust between users and services through a trusted third party called a Key Distribution Center (KDC). HP provides a KDC on the security server, and Windows 2000 provides a KDC on the domain controller.
Each KDC stores information about trusted users and services in a central database called the principal database in HP terms and the Active Directory of the domain in Microsoft terms. Each database contains a collection of users. In HP terms, the database contains a collection called a realm and each entry is called a principal. In Microsoft terms, the database contains a collection called a domain and each entry is called an account.
The most important information associated with any principal in the Kerberos model is its unique symmetric key, that is, the key used to encrypt and decrypt information on behalf of the principal. HP uses the term, secret key; Microsoft uses the terms
During logon, if KDC successfully authenticates the user, it responds with a special message, called a ticket granting ticket (TGT). The ticket entitles you to request access to other services known to the KDC.
The client system stores the ticket in memory. In HP terminology, the client system stores the ticket in the credentials cache and uses it to request service tickets to authenticate the applications or services on the network. In Microsoft terminology, the client system stores the ticket in the secure cache and uses it to request session tickets to authenticate to applications or services.
The HP and Microsoft implementations of Kerberos have virtually identical conceptual frameworks, but mechanical differences exist. For example, the HP implementation uses configuration files to locate host
Chapter 4 | 53 |