1.4 Relationship to Other Protocols

Kerberos V5 AS and TGS exchanges rely on either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP) ([RFC4120] section 7.2.1) as a transport. KILE relies on a working Domain Name System (DNS) infrastructure.

Kerberos V5 AP exchange messages are only carried inside other application protocols and never appear by themselves on the network. Almost any application can (theoretically) use Kerberos V5 authentication; applications that already take a GSS-style approach to security are the most natural candidates.
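The TCP transport referenced above is framed as described in [RFC4120] section 7.2.2: each KRB_KDC_REQ, KRB_KDC_REP or KRB_ERROR is preceded by a 4-octet big-endian length whose high bit is reserved and must be zero. The following Python is an added example, not code from MS-KILE or Windows, that applies that framing on the sending side and de-frames a TCP byte stream on the receiving side, handling partial segments and the reserved bit; the message bodies are constructed placeholders, not real ASN.1 encodings.

```python
"""RFC 4120 section 7.2.2 TCP framing for Kerberos KDC exchanges (added example)."""
import struct

MAX_KRB_TCP_LEN = 0x7FFFFFFF  # 31 usable bits: the high bit is reserved


def frame_tcp(krb_msg: bytes) -> bytes:
    """Prefix an encoded KDC request/reply with its 4-octet network-order length."""
    if len(krb_msg) > MAX_KRB_TCP_LEN:
        raise ValueError("message too large for RFC 4120 TCP framing")
    return struct.pack("!I", len(krb_msg)) + krb_msg


class KrbTcpReader:
    """Incremental de-framer: feed() returns every complete message received so far
    and keeps any trailing partial frame buffered for the next call."""

    def __init__(self, max_len: int = 64 * 1024):
        self.buf = b""
        self.max_len = max_len  # local sanity cap, not an RFC value

    def feed(self, data: bytes) -> list:
        self.buf += data
        msgs = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack("!I", self.buf[:4])
            if length & 0x80000000:
                # RFC 4120 7.2.2: a receiver that does not understand a set high bit
                # answers KRB_ERR_FIELD_TOOLONG and closes the stream.
                raise ValueError("reserved high bit set in Kerberos TCP length")
            if length > self.max_len:
                raise ValueError("Kerberos TCP frame exceeds local limit")
            if len(self.buf) < 4 + length:
                break  # wait for the rest of this frame
            msgs.append(self.buf[4:4 + length])
            self.buf = self.buf[4 + length:]
        return msgs


def demo() -> list:
    """Two constructed 'messages' sent in one stream, delivered in two segments."""
    stream = frame_tcp(b"AS-REQ placeholder") + frame_tcp(b"TGS-REQ placeholder")
    reader = KrbTcpReader()
    first = reader.feed(stream[:10])    # header plus part of the first body
    return first + reader.feed(stream[10:])
```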

Other specifications, outside the RFC series, that are relevant to the implementation of Kerberos are:

  • Microsoft Active Directory, including: Active Directory Schema Attributes A-L [MS-ADA1], Active Directory Schema Attributes M [MS-ADA2], Active Directory Schema Attributes N-Z [MS-ADA3], Active Directory Schema Classes [MS-ADSC], and Active Directory Technical Specification [MS-ADTS].

  • Group Policy: Security Protocol Extension [MS-GPSB]

  • Local Security Authority (Domain Policy) Remote Protocol Specification [MS-LSAD]

KILE is only one part of the Windows implementation of Kerberos. The following are additional Kerberos extensions:

  • Authentication Protocol Domain Support Specification [MS-APDS]

  • Privilege Attribute Certificate Data Structure [MS-PAC]

  • Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol Specification [MS-PKCA]

  • Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification [MS-SFU]

  • User to User Kerberos Authentication using GSS-API [UUKA-GSSAPI]
