Windows Server 2003 on HP ProLiant Servers : The Physical Design and Developing the Pilot - Time Services (part 1) - Time Services Role in Authentication

5/19/2013 6:39:21 PM

The introduction of Kerberos for authentication in Windows 2000 provided much more secure authentication than was available with Windows NT. However, because Kerberos provides secure authentication by comparing time stamps between client and server, an accurate time service is critical. Windows 2000 implemented time synchronization through w32time.dll and used the Simple Network Time Protocol (SNTP), which is described in RFC 1769 and uses UDP (User Datagram Protocol) port 123. SNTP allows time synchronization of computers to within about two seconds. Windows 2000 also provided the W32tm.exe troubleshooting utility for making time configuration changes.

Windows 2003 increased the accuracy of time synchronization by adopting the Network Time Protocol (NTP), which can synchronize time to within milliseconds. Because all computers—clients, servers, and DCs—must converge on the same time, accurate time synchronization is important.
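To make the SNTP/NTP exchange on UDP port 123 concrete, here is an added example (not code from the book or from Windows) that builds a 48-byte SNTP client request, parses a server reply, and computes the clock offset and round-trip delay from the four timestamps t1..t4, which is the core of what w32time does on every poll. It runs entirely offline: the server reply is constructed in code rather than received from the network, and the function and field names are this example's own. It also applies the sanity checks a careful client makes before trusting a reply (mode 4, clock synchronized, usable stratum, and the Originate Timestamp echoing our own request).

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PORT = 123                  # UDP port for SNTP/NTP (RFC 1769); nothing here touches the network
PACKET_FMT = "!BBBb11I"         # LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 48 bytes


def to_ntp(unix_time):
    """Unix seconds (float) -> (seconds since 1900, 32-bit binary fraction)."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * 2 ** 32))
    if frac == 2 ** 32:           # rounding carried into the next second
        whole, frac = whole + 1, 0
    return whole + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    """NTP 64-bit timestamp fields -> Unix seconds (float)."""
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def build_client_request(t1):
    """48-byte SNTP client request: LI=0, version 3, mode 3; only the Transmit Timestamp (t1) is set."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    words = [0] * 9 + list(to_ntp(t1))
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, *words)


def build_server_response(t1, t2, t3, stratum=2, leap=0):
    """Constructed server reply (mode 4) for offline use: Originate=t1 (echo of the request's
    Transmit), Receive=t2, Transmit=t3. Root delay, dispersion and reference ID are left zero."""
    li_vn_mode = (leap << 6) | (3 << 3) | 4
    words = [0, 0, 0, *to_ntp(t2 - 1.0), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3)]
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 0, 0, *words)


def parse_server_response(packet, t1_sent, t4):
    """Validate a reply and compute clock offset and round-trip delay (RFC 1769 / RFC 5905):
        offset = ((t2 - t1) + (t3 - t4)) / 2      delay = (t4 - t1) - (t3 - t2)
    Raises ValueError for replies a careful client must not act on."""
    if len(packet) < PACKET_LEN:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FMT, packet[:PACKET_LEN])
    leap, version, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    w = f[4:]   # the eleven 32-bit words after the header bytes
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3:
        raise ValueError("server clock unsynchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError("unusable stratum %d (0 = kiss-o'-death/unspecified)" % stratum)
    t1, t2, t3 = from_ntp(w[5], w[6]), from_ntp(w[7], w[8]), from_ntp(w[9], w[10])
    if abs(t1 - t1_sent) > 1e-6:
        raise ValueError("Originate Timestamp does not echo our request; discard the reply")
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock is behind (+) or ahead (-)
    delay = (t4 - t1) - (t3 - t2)          # network round trip, excluding server processing time
    return {"offset": offset, "delay": delay, "stratum": stratum, "version": version}


def offline_exchange(t1, t2, t3, t4, **server_kwargs):
    """Constructed exchange: client sends at t1 (its own clock), the server stamps t2/t3,
    the client receives at t4. Returns the parsed result."""
    request = build_client_request(t1)
    echoed_t1 = from_ntp(*struct.unpack(PACKET_FMT, request)[13:15])   # Transmit Timestamp words
    reply = build_server_response(echoed_t1, t2, t3, **server_kwargs)
    return parse_server_response(reply, t1, t4)


if __name__ == "__main__":
    r = offline_exchange(1000.0, 1000.3, 1000.4, 1000.2)   # constructed timestamps, in seconds
    print("offset %.3f s, delay %.3f s, stratum %d" % (r["offset"], r["delay"], r["stratum"]))
```

With the constructed timestamps the local clock comes out 0.25 s behind the server over a 0.1 s round trip. The checks that raise ValueError are the reason a client should not blindly step its clock on any datagram that arrives on port 123: a reply that does not echo the request's Transmit Timestamp, or that comes from a server that is itself unsynchronized, is discarded instead of shifting the clock that Kerberos skew checks depend on.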

1. Time Services Role in Authentication

Because I have never found any satisfactory documents explaining how Windows 2003 time services work with authentication, I'm providing that explanation here, with illustrations to help explain the concepts. Figures 1 through 5 show how Time Services are used during the authentication process. In Figure 1, the user enters a username and password in response to an authentication request. At that point the authenticator is created, containing the user's public key, certificate, and a time stamp. The time stamp reflects the time the request was made and is obtained from the client's system clock. The KDC (Key Distribution Center) validates the user account and password, checks the public key and certificate, and, if the credentials are valid, allows the user to log in.

Figure 1. Basic Kerberos authentication in Windows 2003 requires the use of system Time Services.

Now let's look more closely at the role of Time Services in that process. Figure 2 shows the internals of the authenticator. The time stamp is encrypted to prevent the attacks known as Expired Ticket Acceptance Attacks and Replay Attacks, discussed later in this section. If the client's time from the authenticator, compared to the server's system time, is within the allowable time skew (the default is five minutes), the request is honored. If the time skew is greater than the defined value, the server requests the Windows Time Service to correct the time stamp so that the logon request can succeed, as depicted in Figure 3. This allows computers in trusted domains—especially those in different forests—to authenticate without changing the client's system time for each request.

Figure 2. The client time stamp is decrypted and checked against the server's system time to determine whether it is within the defined skew.

Figure 3. Dealing with a time skew error in Windows 2003.

Note

When the skew is greater than the allowed value (the default is five minutes) but the request is still within the defined Kerberos user ticket lifetime (the default is ten hours), the server corrects only the time stamp in the authenticator. It does not change the client's system time.

If a client receives a clock skew error, the server allows the client to attempt authentication up to four times before the request is denied, forcing the client clock to be synchronized with the server clock.

At this point, illustrated in Figure 4, the server returns the authenticator to the client with its public key and, if necessary, the corrected system time; the user obtains a session ticket, and the logon request succeeds.

Figure 4. The server returns the modified authenticator to the client if logon is successful.

Figure 5. The session ticket is presented by the authenticated client to each server for access to resources. The server makes the final determination of access based on permissions applied to the resource.
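The skew check, the ticket-lifetime check, the replay defence and the four-attempt retry described above, put together as an added worked example. This is a model written for this page, not Windows's or MIT Kerberos's code: the authenticator is a plain dataclass carrying its time stamp in the clear (on the wire it is encrypted under the session key), the class and function names are this example's own, and the defaults are the values quoted in the text (five-minute skew, ten-hour ticket lifetime, four tolerated skew errors). On a skew error the verifier hands back its own time so the client can re-stamp the authenticator, which is how the text describes the correction being applied to the authenticator rather than to the client's system clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows 2003 defaults as quoted on the page.
MAX_SKEW = timedelta(minutes=5)
TICKET_LIFETIME = timedelta(hours=10)
MAX_SKEW_ATTEMPTS = 4   # skew errors tolerated before the request is denied outright

OK, SKEW_ERROR, SKEW_DENIED, REPLAY, EXPIRED = "OK", "SKEW_ERROR", "SKEW_DENIED", "REPLAY", "EXPIRED"


@dataclass(frozen=True)
class Authenticator:
    """Time-related content of an authenticator (constructed model; real ones are encrypted)."""
    client: str
    timestamp: datetime      # the client's clock at the time of the request
    ticket_issued: datetime  # when the ticket this authenticator accompanies was issued


class ServerVerifier:
    """Server-side acceptance logic for one authenticator at a time."""

    def __init__(self):
        self._replay_cache = {}   # (client, timestamp) -> time the entry can be dropped
        self._skew_attempts = {}  # client -> consecutive skew errors seen

    def _purge(self, now):
        # Entries older than the skew window cannot be replayed: the skew check would reject them.
        self._replay_cache = {k: exp for k, exp in self._replay_cache.items() if exp > now}

    def verify(self, auth, server_now):
        """Return (status, server_time). server_time is what a skew error hands back so the
        client can re-stamp its authenticator without touching its own system clock."""
        # Expired Ticket Acceptance: the ticket must be inside its lifetime.
        if server_now - auth.ticket_issued > TICKET_LIFETIME:
            return EXPIRED, server_now
        # Replay: an identical (client, timestamp) pair inside the window was already accepted.
        self._purge(server_now)
        key = (auth.client, auth.timestamp)
        if key in self._replay_cache:
            return REPLAY, server_now
        # Skew: client stamp versus server clock, either direction.
        skew = abs(server_now - auth.timestamp)
        if skew > MAX_SKEW:
            n = self._skew_attempts.get(auth.client, 0) + 1
            self._skew_attempts[auth.client] = n
            return (SKEW_DENIED if n > MAX_SKEW_ATTEMPTS else SKEW_ERROR), server_now
        self._skew_attempts.pop(auth.client, None)
        self._replay_cache[key] = auth.timestamp + MAX_SKEW
        return OK, server_now


def demo():
    """Constructed walk-through; returns the list of statuses in order."""
    now = datetime(2013, 5, 19, 18, 39, 21, tzinfo=timezone.utc)   # constructed server clock
    issued = now - timedelta(hours=1)
    v = ServerVerifier()
    results = []
    good = Authenticator("alice", now - timedelta(minutes=2), issued)
    results.append(v.verify(good, now)[0])          # OK: 2 minutes of skew is inside 5
    results.append(v.verify(good, now)[0])          # REPLAY: same authenticator presented again
    late = Authenticator("carol", now - timedelta(minutes=20), issued)
    status, server_time = v.verify(late, now)       # SKEW_ERROR: 20 minutes, server time returned
    results.append(status)
    restamped = Authenticator("carol", server_time, issued)
    results.append(v.verify(restamped, now)[0])     # OK: authenticator re-stamped, clock untouched
    old = Authenticator("bob", now, now - timedelta(hours=11))
    results.append(v.verify(old, now)[0])           # EXPIRED: ticket older than 10 hours
    return results


if __name__ == "__main__":
    for s in demo():
        print(s)
```

The replay cache is what makes the skew window safe: without it, an authenticator captured and presented again within five minutes would pass the skew check. Keying the cache on (client, timestamp) and expiring entries at timestamp plus the skew window keeps it bounded, because anything older fails the skew check on its own.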

