Clifford Heath
6/19/2008 12:36:00 AM
Kyle Schmitt wrote:
> On Wed, Jun 18, 2008 at 1:58 PM, Vladimir Konrad <vk@dsl.pipex.com> wrote:
>>> I don't know what his actual situation is, but back in the bad old
>>> NT4 domain days, there was no LDAP part of it at all. I know, we're
>>> still using an NT4 domain at work.
>> Aha, well, I do not know much about NT4 domains (or AD),
NT4 authenticates using NTLM, a fairly straightforward password-based
challenge-authentication mechanism.
>> but I thought that AD always had LDAP compatibility...
> You're right, AD is basically LDAP+Kerberos and a whole lotta
> microsoft anti-standards,
You're quite wrong to bash MS over this. It's true they made
one small extension to the Kerberos standard and didn't publish
it until after they got bashed up about it, but the actual
change they made corrected a deficiency in the Kerberos standard
itself, by providing a list of group memberships in the TGT
(Ticket Granting Ticket, the result of the AP, Authentication
Protocol). The "tokenGroups" attribute gets propagated to the
service tickets issued in later exchanges.
Without group memberships in the tickets, every service must keep
a separate access rights (authorization) database with an entry
for every user, or refer back to the Kerberos server whenever any
authorization question must be decided. Both alternatives are
fundamentally at odds with the original design goals of Kerberos
itself, which is a serious flaw in its design.
The structure of the tokenGroups (a list of SIDs) isn't what an
open process would have designed (names would have been used
instead of numbers), but it was pragmatic, and being relevant
only to the NT4 security model, they thought it wasn't necessary
to publish it. Had the standard not had this deficiency, I'm
confident MS would have used it without change.
MS' decision to use Kerberos was actually the right thing to do
and has definitely helped the cause of Kerberos and of greater
IT security. It reflects a move away from their earlier policy
of always using solutions they own (either by making or acquiring).
I can believe MS guilty of much of the evil of which they're
accused, but I think this one at least was an honest mistake.
Clifford Heath.
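As an added illustration (not part of the original message or of any MS or Kerberos code), the authorization-by-ticket idea discussed above in Python: the service decodes the binary SIDs it is handed (Windows SID layout: revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities) and decides access from a local ACL keyed by group SID, with no per-user database and no call back to the KDC. The domain SID, the custom RID and the resource names are constructed samples.

```python
import struct


def parse_sid(blob: bytes) -> str:
    """Decode a binary Windows SID into its 'S-1-5-21-...' string form.

    Rejects malformed input rather than guessing, since a service that
    trusts group lists must not be fooled by a truncated or padded SID.
    """
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_sid(text: str) -> bytes:
    """Encode 'S-R-A-s1-s2-...' into the binary layout (used to build samples)."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample domain SID and group list, standing in for the
# tokenGroups a service would find in a ticket; RID 513 is Domain Users,
# S-1-1-0 is Everyone, RID 1107 is a made-up custom group.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
TOKEN_GROUPS = [build_sid(s) for s in (
    DOMAIN + "-513",
    DOMAIN + "-1107",
    "S-1-1-0",
)]

# The service's own ACL: resource -> set of group SIDs allowed to read it.
ACL = {"/reports": {DOMAIN + "-1107"}, "/public": {"S-1-1-0"}}


def authorize(token_groups: list, resource: str) -> bool:
    """Grant access if any group SID carried in the ticket appears in the ACL."""
    groups = {parse_sid(b) for b in token_groups}
    return bool(groups & ACL.get(resource, set()))
```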