March 5, 2002
Practical Aspects of Modern Cryptography
21
[Figure: Picture of a Kerberos Realm. Participants: Client, Key Distribution Center (KDC) with its Ticket Granting Server (TGS), and Server. Message flow: Client -> KDC: TGT Request; KDC -> Client: TGT; Client -> TGS: Ticket Request (carrying the TGT); TGS -> Client: Ticket; Client -> Server: Ticket + service request; Server: "Do some stuff".]
Smart Card Logon - the Kerberos v5 security provider implements the current IETF draft for PKINIT (public-key initial authentication, later published as RFC 4556) so that the AS exchange can authenticate the user with a certificate instead of a password-derived key

GINA/Winlogon - recognizes the card insertion and prompts the user for a PIN rather than a password; the PIN only unlocks the card's private key locally and is never sent to the KDC

The certificate is retrieved from the card and used to identify the user, after a challenge-response in which the private-key operation (signing the PKINIT pre-authentication data) is performed on the smart card itself, so the private key never leaves the card

KDC - the Key Distribution Center validates the certificate chain to a trusted CA and then looks up the user in the Active Directory based on the identity carried in the certificate

The end result is a Kerberos Ticket Granting Ticket (TGT) indistinguishable from one obtained with a password: from this point on the protocol is unchanged, and the TGT can be used to request access to network resources, including UNIX-based databases reached through delegation and referral.
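The realm diagram above and the TGT that smart card logon produces are the two halves of the same flow, so here is the whole thing in one place as an added example (not code from the slides or from any Kerberos implementation): a toy realm in Python that runs the AS exchange (TGT Request / TGT), the TGS exchange (Ticket Request / Ticket) and the AP exchange (Ticket + service request) with both sides' messages and the checks each recipient must make. The realm name, the principals, the password and the encrypt-then-MAC construction standing in for a real Kerberos enctype are all constructed for this illustration. The AS exchange here is the password variant; with PKINIT only that first step changes (the reply key comes from the certificate-based exchange rather than from the password), and the TGS and AP exchanges run exactly as shown.

```python
"""Toy Kerberos v5 realm: AS, TGS and AP exchanges.  Added illustration, not code from
the original slides; realm, principals, passwords and the toy cipher are constructed."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"
TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid
CLOCK_SKEW = 300             # Kerberos rejects authenticators older than about 5 minutes


# --- toy encrypt-then-MAC, a stand-in for a real Kerberos enctype (e.g. RFC 3962) ---
def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, obj):
    """Encrypt a JSON-serialisable dict under a 32-byte key and append a MAC."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the MAC first, then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or modified ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(principal, password):
    """String-to-key; real Kerberos likewise salts the password with realm + principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10000)

def make_authenticator(session_key, cname):
    """Proof that the sender knows the ticket's session key, bound to the current time."""
    return seal(session_key, {"cname": cname, "ctime": time.time()})

def check_authenticator(session_key, authenticator, ticket_body, now=None):
    """The checks every ticket consumer (TGS or application server) must perform."""
    now = time.time() if now is None else now
    auth = unseal(session_key, authenticator)
    if auth["cname"] != ticket_body["cname"]:
        raise ValueError("authenticator names a different principal than the ticket")
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside the allowed clock skew (replay?)")
    if now > ticket_body["endtime"]:
        raise ValueError("ticket expired")
    return auth

class KDC:
    """Holds the realm's key database and plays both the AS and the TGS role."""
    def __init__(self, db):
        self.db = db                             # principal name -> long-term key
        self.tgs_key = db["krbtgt/" + REALM]     # the key that seals every TGT

    def as_exchange(self, cname, nonce):
        """AS-REQ -> AS-REP: a TGT (opaque to the client) plus a part only the user can open."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"cname": cname, "key": session,
                                  "endtime": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.db[cname], {"key": session, "nonce": nonce})

    def tgs_exchange(self, tgt, authenticator, sname, nonce):
        """TGS-REQ -> TGS-REP: validate TGT + authenticator, then issue a service ticket."""
        body = unseal(self.tgs_key, tgt)
        tgt_key = bytes.fromhex(body["key"])
        check_authenticator(tgt_key, authenticator, body)
        session = os.urandom(32).hex()
        ticket = seal(self.db[sname], {"cname": body["cname"], "key": session,
                                       "endtime": time.time() + TICKET_LIFETIME})
        return ticket, seal(tgt_key, {"key": session, "nonce": nonce, "sname": sname})

class Client:
    def __init__(self, cname, password):
        self.cname, self.key = cname, password_key(cname, password)

    def get_tgt(self, kdc):
        nonce = os.urandom(8).hex()
        self.tgt, enc_part = kdc.as_exchange(self.cname, nonce)
        rep = unseal(self.key, enc_part)          # fails unless the password was right
        if rep["nonce"] != nonce:
            raise ValueError("AS-REP nonce mismatch: replayed reply")
        self.tgt_key = bytes.fromhex(rep["key"])

    def get_service_ticket(self, kdc, sname):
        nonce = os.urandom(8).hex()
        auth = make_authenticator(self.tgt_key, self.cname)
        ticket, enc_part = kdc.tgs_exchange(self.tgt, auth, sname, nonce)
        rep = unseal(self.tgt_key, enc_part)
        if rep["nonce"] != nonce or rep["sname"] != sname:
            raise ValueError("TGS-REP does not match the request")
        return ticket, bytes.fromhex(rep["key"])

def app_server_accept(service_key, ticket, authenticator):
    """AP exchange on the server: only the KDC could have sealed this ticket."""
    body = unseal(service_key, ticket)
    check_authenticator(bytes.fromhex(body["key"]), authenticator, body)
    return body["cname"]                         # the authenticated client identity

def sample_realm():
    """Constructed realm database: one user, the TGS itself, one UNIX-hosted database."""
    return {"alice": password_key("alice", "correct horse"),
            "krbtgt/" + REALM: os.urandom(32),
            "db/unixhost": os.urandom(32)}

def run_demo():
    """Walk the full flow from the diagram and return the identity the server accepted."""
    db = sample_realm()
    kdc = KDC(db)
    alice = Client("alice", "correct horse")
    alice.get_tgt(kdc)                                          # TGT Request / TGT
    ticket, key = alice.get_service_ticket(kdc, "db/unixhost")  # Ticket Request / Ticket
    return app_server_accept(db["db/unixhost"], ticket,         # Ticket + service request
                             make_authenticator(key, "alice"))
```

Two design points worth noticing: the client never sees the inside of a ticket (each is sealed under a key only the KDC and the target service hold), and every recipient of a ticket rechecks the authenticator's name, timestamp and the ticket's expiry itself rather than trusting the sender. A wrong password, a ticket presented to the wrong service, or a stale authenticator each fail at the MAC or at those checks before any "stuff" gets done.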