Windows Kerberos Security Events

1. Kerberos Explained
DOTAN PATRICH

2. Who's on First?
How can Abbot authenticate that Costello is talking?
How can Abbot make sure that Costello is on First?

3. Kerberos the three-headed dog
Authentication protocol named after a mythical three-headed dog:
◦ Key Distribution Center (KDC)
◦ The client user
◦ The accessed server
Came out of MIT
Adopted by MS AD to replace NTLM (and failed to do so)

4. How does it work?

5. How does it work?
User login by entering
username and password

6. How does it work?

7. How does it work?
KDC contacts AD to authenticate
the user and gather all
groups he posses

8. How does it work?

9. How does it work?
Windows Security Event
4768 event logged for the
user from source ip

10. How does it work?
Windows Security Event
4768 event logged for the
user from source ip
Client machine caches the TGT
This is done once per session (until TGT expiration)

11. How does it work?
Now the user wants to access server B

12. How does it work?

13. How does it work?
KDC validate the request
(check encryption validity)

14. How does it work?

15. How does it work?
Windows Security Event
4769 event logged for the
user from source ip to
computer B

16. How does it work?

17. How does it work?
Validate the ticket authenticity:
decrypt the service ticket with
computer B ticket

18. So what’s new?
Scalable
◦ Servers do not need to contact KDC to authenticate users
◦ Only users and machine account authenticate with the KDC, once per 10h of activity
Secure
◦ Passwords are not sent over the wire
◦ Ticket based authentication based on certificates trusts
Advanced Features
◦ Single Sign-On
◦ Delegation
◦ Cross Domain Authentication

19. Wait, machines need to authenticate?
Yes!!
◦ Need to ensure that a Service Ticket is addressed and used only by the destination computer
◦ The Service Ticket is encrypted by the machine account session key (shared with the KDC)
◦ Only the target machine can validate the Service Ticket
◦ This is why we see 4768 events and 4769 events for the machine account!

20. 4769 events with source=target
When a user logins to a local computer, a session is created for him:
◦ It doesn’t matter if it is a remote session, or local interactive session
◦ In both cases, the computer needs to know the user’s credentials (group membership and SID)
◦ It uses a Service Ticket addressed to the local computer to do so
◦ Works the same as if we contacted a remote servers
◦ This is why we get a 4769 event with source equals to target after each login

21. 4769 with target equals domain controller?
After each login, the computer needs to pull Group Policy from AD:
◦ Need to access the AD domain controller and pull the policy
◦ To do so, we need to authenticate with the domain controller
◦ Authentication is done using Kerberos, just like any server access
◦ This is why we get a 4769 event with target equals to a domain controller after each login

22. So, what events are logged ?
Event Type Account Source Destination
4768 Machine B Machine B
4768 Machine C Machine C
4768 User A Machine B
4769 User A Machine B Machine B
4769 User A Machine B Domain Controller
4769 User A Machine B Machine C
Time

23. Delegation
A mechanism to authenticate on behalf of the user to 3rd party resources
Machine and account doing the delegation need to be trusted by AD
Used by most Windows based web servers (i.e. SharePoint, Sites backed by SQL Server)
User authenticate with
the web server
Service Ticket passed to the SQL server
Source ip is the web server!
4769 event logged, with
delegated flag set to true
(ticket options field)

24. Cross Domain Authentication
◦ The client first authenticate with the local domain, asking for a referral ticket
◦ The referral ticket is encrypted by a inter-domain key
◦ The client sends the referral ticket to the remote domain
◦ The remote domain issues a Service Ticket granting access to the remote server

25. Interesting Windows Security Events