How to use Kerberos and Credential manager for Windows single sign-on

Ask any help desk agent what problem they receive calls about the most and the answer will almost always be password resets. Users have to remember an average of six different username and password credential combinations, each with their own conventions and policies, and their own frequency for updating.

    Requires Free Membership to View

Keeping track of it all is a burden for users and they frequently lock their accounts from too many failed logon attempts or simply forget a password completely.

Single sign-on (SSO) attempts to diminish the burden on users and reduce the amount of time spent performing system and application logons by minimizing the number of usernames and passwords they need to use -- preferably down to one. Whatever mechanism is used to accomplish SSO, the goal is that the user authentication and authorization process only be performed one time per logon and the user is subsequently able to access all of the resources they have permission to access.

There are a number of ways to accomplish SSO, for example, with third-party software. For our purposes, we will focus on ways to achieve SSO using features and functions inherent in Windows. You can accomplish server-side SSO using Kerberos in a Windows Server 2003 network, or client-side SSO using the Credential Manager feature in Windows XP and Windows Vista.

How to use Windows Kerberos for server-side SSO
Kerberos is a network authentication protocol designed at the Massachusetts Institute of Technology (MIT) that allows secure authentication and data transfer on otherwise unsecured networks. Kerberos provides mutual authentication -- the server and the user verify each other's identity before authenticating the connection. In addition, the mutual authentication of Kerberos protects against threats such as eavesdropping and replay attacks.

Microsoft designed a semi-proprietary implementation of Kerberos that includes additional extensions, but Microsoft Kerberos is still capable of integrating and authenticating with standard Kerberos protocols as well. Kerberos is built on a foundation of symmetric key cryptography and relies on a trusted certificate authority (CA).

Organizations can establish their own internal CA, but tickets granted by an internal CA are generally unable to be used to authenticate with outside entities. With Microsoft Kerberos the CA is the Key Distribution Center (KDC). The KDC is a part of the domain controller and provides two key functions: the Authentication Server (AS) and the Ticket-Granting Service (TGS).

During the initial sign-on, when the user's Windows username and password credentials are authenticated, a Kerberos ticket-granting ticket (TGT) is issued. The TGT is then used to request a Service Ticket from the TGS of the KDC. With each subsequent authentication request the Service Ticket can be used to gain access without prompting for new credentials or requesting credentials to be re-entered.

How to use Windows credential manager for client-side SSO
For credentials not governed by the server-side SSO solution, or in cases where no server-side SSO system is in place, users can manage their own SSO using the Credential Manager feature of Windows XP and Windows Vista. The Credential Manager is a central repository for usernames, passwords and X.509 certificates.

As you access resources for the first time, you will be prompted to enter valid credentials. Those credentials can then be securely stored in Windows and managed with the Credential Manager. Once the credentials are stored, Windows will automatically retrieve the relevant usernames and password data for subsequent access attempts.

You can manage the stored username and password data using the Credential Manager interface found in the Control Panel. Simply open the Control Panel and click on Credential Manager. From this console you can backup or restore the data stored in your password vault. You can also add new credentials, view details on the stored credentials, modify the stored credential information, or remove credentials from the Credential Manager vault.

Tony Bradley is the director of security for Evangelyze Communications, and a Microsoft MVP in Windows security for the past three years.

Send comments on this technical tip editor@searchmidmarketsecurity.com.

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

This was first published in July 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.