Fitzy's Windows AD Blog

Understanding Kerberos and the Art of SPN Creation What is Kerberos? Kerberos is a protocol that uses secret-key cryptography for secure communication over a non-secure network. It provides strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. How Does Kerberos Work? Kerberos works on the basis of ‘tickets’ which serve as encrypted identifiers. These tickets are issued by the Key Distribution Center (KDC), a trusted third-party entity. Clients communicate with servers using these tickets rather than sending passwords over the network. Service Principal Name (SPN) In the context of Kerberos, a Service Principal Name (SPN) is a unique identifier for a service running on a server. The SPN, combined with the realm name, allows a client to uniquely identify an instance of a service. It’s essentially the name by which a client uniquely identifies an instance of...

What is an Authentication Silo/Policy? Example Diagram of How the Authentication Silo Works: In the realm of network security, the protection of sensitive accounts is of paramount importance. Active Directory, a directory service developed by Microsoft for Windows domain networks, offers robust features known as Authentication Silos and Authentication Policies to enhance account security. This article aims to shed light on these two critical features. What are Authentication Silos? Authentication Silos are Active Directory objects that encompass users, computers, and services. They serve as a control mechanism to restrict which accounts can be limited based on the organization’s requirements. For instance, an organization might have separate silos for administrators, regular users, and service accounts. The Role of Authentication Policies Authentication Policies are rules that outline the authentication restrictions applicable to the members of an authentication policy silo. These poli...