How to use Kerberos and Credential manager for Windows single sign-on

Windows administrators can avoid the expense of third-party single sign-on software and use Windows Kerberos in Windows Server 2003 and Credential Manager in Windows XP and Vista for client-side SSO.

Ask any help desk agent what problem they receive calls about the most and the answer will almost always be password resets. Users have to remember an average of six different username and password credential combinations, each with their own conventions and policies, and their own frequency for updating.

Keeping track of it all is a burden for users, who frequently lock themselves out of their accounts through too many failed logon attempts or simply forget a password completely.

Single sign-on (SSO) attempts to diminish the burden on users and reduce the amount of time spent performing system and application logons by minimizing the number of usernames and passwords they need to use -- preferably down to one. Whatever mechanism is used to accomplish SSO, the goal is that the user authentication and authorization process only be performed one time per logon and the user is subsequently able to access all of the resources they have permission to access.

There are a number of ways to accomplish SSO, for example, with third-party software. For our purposes, we will focus on ways to achieve SSO using features and functions inherent in Windows. You can accomplish server-side SSO using Kerberos in a Windows Server 2003 network, or client-side SSO using the Credential Manager feature in Windows XP and Windows Vista.


How to use Windows Kerberos for server-side SSO

Kerberos is a network authentication protocol designed at the Massachusetts Institute of Technology (MIT) that allows secure authentication and data transfer on otherwise unsecured networks. Kerberos provides mutual authentication -- the server and the user verify each other's identity before authenticating the connection. In addition, the mutual authentication of Kerberos protects against threats such as eavesdropping and replay attacks.

Microsoft designed a semi-proprietary implementation of Kerberos that includes additional extensions, but Microsoft Kerberos is still capable of integrating and authenticating with standard Kerberos protocols as well. Kerberos is built on a foundation of symmetric key cryptography and relies on a trusted certificate authority (CA).

Organizations can establish their own internal CA, but tickets granted by an internal CA generally cannot be used to authenticate to outside entities. With Microsoft Kerberos the CA is the Key Distribution Center (KDC). The KDC is part of the domain controller and provides two key functions: the Authentication Server (AS) and the Ticket-Granting Service (TGS).

During the initial sign-on, when the user's Windows username and password credentials are authenticated, a Kerberos ticket-granting ticket (TGT) is issued. The TGT is then used to request a Service Ticket from the TGS of the KDC. With each subsequent authentication request the Service Ticket can be used to gain access without prompting for new credentials or requesting credentials to be re-entered.
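To make the AS/TGS flow described above concrete, the following is an added simulation (not code from the original article, and not Microsoft's implementation) of the two exchanges: the password-derived key is used once at logon, the TGT stays opaque to the client because it is sealed under the KDC's own key, and every later request carries a fresh authenticator that the KDC checks for freshness and replay. The seal/unseal pair is a toy HMAC-based stand-in for a real Kerberos encryption type, and the principal names and keys used in the test are constructed.

```python
import hashlib, hmac, json, os, time
# Toy authenticated encryption (HMAC-SHA256 keystream + tag): NOT real Kerberos crypto, it only
# stands in for an enctype such as AES-CTS so the ticket flow below is runnable offline.
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

class KDC:  # Authentication Server (AS) and Ticket-Granting Service (TGS) on one domain controller
    def __init__(self, users, services):
        self.users, self.services = users, services   # principal name -> long-term key
        self.krbtgt_key = os.urandom(32)   # never leaves the KDC, so TGTs are opaque to clients
        self.seen = set()                  # replay cache of authenticators already accepted
    def as_exchange(self, user, nonce):    # AS-REQ -> AS-REP: TGT plus session key under user key
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": user, "key": sk})
        return tgt, seal(self.users[user], {"key": sk, "nonce": nonce})
    def tgs_exchange(self, tgt, auth, service):   # TGS-REQ -> TGS-REP: issue a service ticket
        t = unseal(self.krbtgt_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), auth)   # only the TGT session key opens the authenticator
        if auth in self.seen or a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise PermissionError("authenticator replayed, stale, or not bound to this TGT")
        self.seen.add(auth)
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.services[service], {"client": t["client"], "key": svc_sk})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_sk})

def logon(kdc, user, key):  # initial sign-on: the password-derived key is used here and never again
    nonce = os.urandom(8).hex()
    tgt, rep = kdc.as_exchange(user, nonce)
    rep = unseal(key, rep)          # wrong password (key) -> ValueError, no session established
    assert rep["nonce"] == nonce    # KDC proved it holds our key: mutual authentication
    return {"user": user, "tgt": tgt, "key": bytes.fromhex(rep["key"])}

def access_service(kdc, session, service, svc_key, authenticator=None):  # later access, no password
    auth = authenticator or seal(session["key"], {"client": session["user"], "ts": time.time()})
    ticket, rep = kdc.tgs_exchange(session["tgt"], auth, service)
    svc_view = unseal(svc_key, ticket)   # the service opens its ticket with its own long-term key
    return svc_view["client"], svc_view["key"] == unseal(session["key"], rep)["key"], auth
```

The returned authenticator is kept only so that a replay of it can be shown to fail; in a real deployment the client never reuses one.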

How to use Windows Credential Manager for client-side SSO

For credentials not governed by the server-side SSO solution, or in cases where no server-side SSO system is in place, users can manage their own SSO using the Credential Manager feature of Windows XP and Windows Vista. The Credential Manager is a central repository for usernames, passwords and X.509 certificates.

As you access resources for the first time, you will be prompted to enter valid credentials. Those credentials can then be securely stored in Windows and managed with the Credential Manager. Once the credentials are stored, Windows will automatically retrieve the relevant username and password data for subsequent access attempts.

You can manage the stored username and password data using the Credential Manager interface found in the Control Panel. Simply open the Control Panel and click on Credential Manager. From this console you can back up or restore the data stored in your password vault. You can also add new credentials, view details on the stored credentials, modify the stored credential information, or remove credentials from the Credential Manager vault.

Tony Bradley is the director of security for Evangelyze Communications, and a Microsoft MVP in Windows security for the past three years.


This was last published in July 2009
