PKI , Kerberos and Smart Cards

I was reading a lot about this new mechanism of authentication that is called ( Strict Kerberos Authentication ) and I was wondering , why it is important , and what is the vulnerability that it mitigates . I didn’t find a clear answer at the beginning , then I start digging deeper , until I get the whole idea . Be careful , this blog requires good understanding of Kerberos .

So I was to write a blog about Kerberos Strict Authentication , but then I  thought there is a bigger issue (problem) to write about that eventually lead to Kerberos Strict Authentication , and that is PKI,Kerberos and Smart card all together .

While smart cards have definite advantages over passwords, they should be deployed with a realistic understanding of the actual protections they provide. Installations should take advantage of the latest configuration and hardening options available, administrators should continue to audit and work to eliminate outdated protocols like NTLM from their networks, and privileged users should always exercise caution when authenticating to low-integrity workstations, even with a smart card.

To continue reading, note that this blog post is now moved to my new Blog Platform here: https://blog.ahasayen.com/what-is-strict-kdc-validation/ 

20 comments on “PKI , Kerberos and Smart Cards

  1. Pingback: Blo-Technical » Blog Archive » PKI , Kerberos and Smart Cards

  2. Sir, thanks for the PAC part to support authentication with NTLM for smart card case.
    But I have this basic doubt which I am not able to figure out.
    isn’t PAC which has the user NTLM OWF is part of authorization-data (IF_RELEVANT), and is encrypted by target server’s key. Therefore client, can’t decrypt , extract and use the hash for NTML authentication?

  3. I’m truly enjoying the design and layout of your website.
    It’s a very easy on the eyes which makes it much more
    pleasant for me to come here and visit more often.

    Did you hire out a designer to create your theme? Outstanding work!

    • It is hard to describe how great for me to hear a good feedback for the effort im putting in my blog. Most people visit blogs, download things, take knowledge without leaving a nice comment or rate. Appreciate it.
      The theme is ready by wordpress, but i did whole customization, backgrounds, fonts, etc

  4. Wonderful beat ! I wish to apprentice while you amend your web site,
    how could i subscribe for a weblog site? The account aided
    me a appropriate deal. I were tiny bit familiar of this your broadcast offered
    shiny clear concept

  5. Fabulous post dude.. awesome..Thanks a lot!! I understood the concept..

    I have a question,

    I read somewhere that we can configure PKINIT (certificate based preauth for kerberos on windows server without smart card), I have a scenario in this category, but too varying information has confused me (like using kerberos certificate template).. can you please lemme know how it is done.. (whether its possible in the first place ?)

  6. Heey there, You’ve done a great job. I’ll definitely digg it and personally recommend to my friends.
    I’m sure they will be benefited from this website.

  7. Thanks for your marvelous posting! I seriously enjoyed reading it, you may be a great author.I will remember to bookmark your
    blog and will often come back later on. I wantt to encourage you contiinue
    your great work, have a nice day!services allow [debordcustomhomes.com]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s