Smart Card Logon Integration with Kerberos

Learn the basic behind-the-scenes steps for Smart Card logon under Kerberos.

When smart cards are used for authentication in Win2K, a copy of the user's certificate and the private key can be stored on the smart card. When the user inserts the card in the reader, he or she is prompted to enter the PIN. What happens next? How does this operation provide the credentials necessary for a logon system based on Kerberos?

Standard Kerberos doesn't use public key cryptography; instead, it relies on session (symmetric) keys. For a smart card logon to work, some extra work has to occur before Kerberos can do its job. Win2K implements a proposed extension to the Kerberos standard that integrates smart card logon with Kerberos. Here's what happens:

  1. If a reader is attached to the user's machine, the user is prompted to insert a card.
  2. The user is then prompted to enter a PIN.
  3. The logon request is passed to the Local Security Authority (LSA).
  4. The LSA communicates with the Kerberos authentication package on the client.
  5. Kerberos sends an authentication request to the Key Distribution Center (KDC) on the domain controller. The request carries a copy of the user's X.509 certificate (from the smart card) in the pre-authentication data field and is signed with the card's private key.
  6. The KDC builds a certification path from the certificate to a root CA in the system root store.
  7. In Win2K, the issuing CA must be an enterprise Certification Authority (a CA published in Active Directory). This prevents a rogue CA certified in some other CA hierarchy from issuing a certificate that the domain would accept.
  8. The KDC uses the public key from the certificate to verify the signature on the request.
  9. The KDC verifies that the timestamp in the request falls within the allowed clock skew, the time window during which a request can be processed. This helps to detect a replay attack.
  10. The KDC looks up the account information in Active Directory.
  11. If all tests pass, the KDC returns a Ticket Granting Ticket (TGT). The KDC also provides a copy of its own certificate and signs the returned information with its private key.
  12. The client verifies the KDC by building a certificate path from the KDC's certificate to the trusted root CA and uses the KDC's public key to verify the signature on the reply.
  13. If all is OK, the normal Kerberos path is followed from here (the TGT is used to obtain a service ticket, and hence to reach the user's desktop).
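The thirteen steps above are easier to reason about as code that plays both sides. The following Go program is an added example written for this page, not Windows 2000's or any Kerberos implementation's code; it models the exchange with real X.509 chain building and ECDSA signatures from the standard library, but the message structures (`PreAuth`, `Reply`), the opaque TGT, the account map standing in for Active Directory, and the five-minute skew window are all constructed assumptions. It goes slightly beyond the text in one place: the KDC also checks that the certificate's subject matches the account being claimed, which is what step 10 must do in practice, since otherwise any certificate from the enterprise CA could be used to request a TGT for any account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxSkew is the window within which the KDC accepts a pre-auth timestamp (step 9).
// Constructed value for this model.
const MaxSkew = 5 * time.Minute

// PreAuth models step 5: the user certificate rides in the pre-authentication
// data and the request is signed with the smart card's private key.
// Constructed structure, not the ASN.1 that Windows actually sends.
type PreAuth struct {
	User      string
	Timestamp time.Time
	CertDER   []byte
	Signature []byte // ECDSA over payload(User, Timestamp)
}

// Reply models step 11: an (opaque) TGT, the KDC certificate, and the KDC's signature.
type Reply struct {
	TGT        []byte
	KDCCertDER []byte
	Signature  []byte // ECDSA over TGT
}

// Domain stands in for the enterprise CA, the KDC and the directory (constructed).
type Domain struct {
	Roots          *x509.CertPool
	caCert, kdcCert *x509.Certificate
	caKey, kdcKey   *ecdsa.PrivateKey
	Accounts        map[string]bool
}

var serial int64 // monotonically increasing certificate serial number

func payload(user string, ts time.Time) []byte {
	return []byte(user + "|" + ts.UTC().Format(time.RFC3339))
}

func sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verifySig(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// newCert issues a certificate; a nil parent produces a self-signed root CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	signer, signerKey := tmpl, key
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewDomain builds the enterprise root CA, issues the KDC certificate from it,
// and registers the given accounts in the stand-in directory.
func NewDomain(accounts ...string) *Domain {
	ca, caKey := newCert("Enterprise Root CA", true, nil, nil)
	kdc, kdcKey := newCert("kdc.example.test", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	d := &Domain{Roots: pool, caCert: ca, caKey: caKey, kdcCert: kdc, kdcKey: kdcKey, Accounts: map[string]bool{}}
	for _, a := range accounts {
		d.Accounts[a] = true
	}
	return d
}

// Enroll issues the smart card certificate for a user from the enterprise CA.
func (d *Domain) Enroll(user string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(user, false, d.caCert, d.caKey)
}

// chainToRoot covers steps 6-7 and the first half of step 12: the certificate
// must chain to a root in the trusted store, or it is rejected outright.
func chainToRoot(der []byte, roots *x509.CertPool, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certification path: %w", err)
	}
	return cert, nil
}

// ClientRequest models steps 1-5 once the PIN has unlocked the card's private key.
func ClientRequest(user string, cert *x509.Certificate, key *ecdsa.PrivateKey, now time.Time) PreAuth {
	return PreAuth{User: user, Timestamp: now, CertDER: cert.Raw, Signature: sign(key, payload(user, now))}
}

// KDCHandle models steps 6-11: chain, signature, skew and account checks, then a signed reply.
func (d *Domain) KDCHandle(req PreAuth, now time.Time) (Reply, error) {
	cert, err := chainToRoot(req.CertDER, d.Roots, now)
	if err != nil {
		return Reply{}, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !verifySig(pub, payload(req.User, req.Timestamp), req.Signature) {
		return Reply{}, errors.New("pre-auth signature invalid")
	}
	if skew := now.Sub(req.Timestamp); skew > MaxSkew || skew < -MaxSkew {
		return Reply{}, errors.New("timestamp outside skew window (possible replay)")
	}
	// Step 10: the certificate must map to an existing account, and the
	// account claimed in the request must be the one the certificate names.
	if !d.Accounts[req.User] || cert.Subject.CommonName != req.User {
		return Reply{}, errors.New("no matching account in directory")
	}
	tgt := []byte("TGT-for-" + req.User) // opaque stand-in for a real ticket
	return Reply{TGT: tgt, KDCCertDER: d.kdcCert.Raw, Signature: sign(d.kdcKey, tgt)}, nil
}

// ClientVerifyReply models step 12: chain the KDC certificate and check its signature.
func ClientVerifyReply(r Reply, roots *x509.CertPool, now time.Time) error {
	cert, err := chainToRoot(r.KDCCertDER, roots, now)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !verifySig(pub, r.TGT, r.Signature) {
		return errors.New("KDC reply signature invalid")
	}
	return nil
}

func main() {
	d := NewDomain("alice")
	cert, key := d.Enroll("alice")
	now := time.Now()
	reply, err := d.KDCHandle(ClientRequest("alice", cert, key, now), now)
	if err == nil {
		err = ClientVerifyReply(reply, d.Roots, now)
	}
	fmt.Println("smart card logon result:", err)
}
```

Running `main` prints `smart card logon result: <nil>` for the happy path. The interesting behaviour is in the rejections: the same request presented ten minutes later fails the skew check (step 9), a certificate for "alice" issued by a second, unrelated root fails chain building (step 7), and a request that claims "bob" while carrying alice's certificate fails the account binding (step 10), even though its signature is perfectly valid.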

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

Reader Comments:

Sun, Jul 17, 2005 Anonymous Anonymous

You are obviously very ignorant about the smart card concept... your conceptual schema was awful.
