
Kerberos authentication

David McAmis and Don Jones
The following is tip #3 from "8 Exchange 2003 security tips in 8 minutes," excerpted from a chapter in David McAmis and Don Jones' book, Microsoft Exchange Server 2003 Delta Guide, published by Sams Publishing. Return to the main page for more tips on this topic.


Exchange 2003 also supports Kerberos authentication for the traffic between Exchange servers. If you ran a multiserver architecture on an earlier version of Exchange, you are probably already aware of its inherent security issue: user credentials were passed from front-end to back-end servers using Basic authentication, which only base64-encodes the user name and password.

That method posed a severe security risk. Anyone who could sniff the link between the servers could decode the credentials directly from the captured request headers. Securing an earlier Exchange deployment therefore also required IPSec between the front-end and back-end servers to encrypt the traffic. Administrators often overlooked this step, leaving many organizations unaware that their users' passwords were exposed on the internal network.

With Exchange 2000, NTLM was the default authentication protocol between servers. The primary reason Kerberos was not used was its lack of support on clustered servers.

Since Windows 2000 Server SP3, Kerberos authentication is fully supported on both stand-alone and clustered servers, so Exchange 2003 front-end servers can authenticate to back-end servers with Kerberos tickets instead of forwarded passwords. A captured Kerberos token carries a service ticket encrypted under the back-end service's key and contains no password material, which removes the "sniffing" or "listening" exposure of the old Basic exchange. Kerberos is enabled by default whenever you add multiple servers to your Exchange topology. Note that Kerberos authenticates the connection; it does not by itself encrypt the mailbox data that follows, so IPSec (or SSL) is still needed on that segment if message content must also be protected from eavesdropping.
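To see why the Basic exchange was so dangerous and what changes with Kerberos, the following added example (not from the book) scans a reassembled HTTP capture for Authorization headers and reports what a passive eavesdropper learns from each. The capture, host name and user are constructed; the Basic and NTLM tokens decode to "alice:s3cret" and an NTLM Type 1 message, and the Negotiate token is only the SPNEGO header a real Kerberos token would begin with, not a full ticket. It also flags Negotiate headers that actually carry NTLM, since Negotiate does not guarantee Kerberos was used.

```python
"""Find which HTTP authentication scheme is crossing the wire between
Exchange front-end and back-end servers, from a reassembled capture.

Added example; the capture below is constructed, not real traffic."""
import base64
import binascii
import re
from typing import Dict, List

# Constructed capture: three requests as a sniffer on the front-end/back-end
# segment might reassemble them. Tokens are deliberately short; a real
# Kerberos token is several hundred bytes.
CAPTURE = """\
GET /exchange/alice/Inbox HTTP/1.1
Host: be01.corp.example
Authorization: Basic YWxpY2U6czNjcmV0

GET /exchange/alice/Inbox HTTP/1.1
Host: be01.corp.example
Authorization: NTLM TlRMTVNTUAABAAAA

GET /exchange/alice/Inbox HTTP/1.1
Host: be01.corp.example
Authorization: Negotiate YAgGBisGAQUFAg==
"""

NTLMSSP_MAGIC = b"NTLMSSP\x00"   # prefix of every NTLM message
GSSAPI_TAG = b"\x60"             # ASN.1 [APPLICATION 0]: first byte of a GSS-API/SPNEGO token
AUTH_HEADER = re.compile(r"^Authorization:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def classify_header(value: str) -> Dict[str, object]:
    """Classify one Authorization header value by what an eavesdropper gets from it."""
    scheme, _, token = value.strip().partition(" ")
    scheme_l = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error:
        return {"scheme": scheme, "risk": "undecodable token"}

    if scheme_l == "basic":
        # Basic is base64(user:password). Base64 is encoding, not encryption.
        user, _, password = raw.decode("latin-1").partition(":")
        return {"scheme": "Basic", "risk": "cleartext credentials",
                "user": user, "secret": password}

    if raw.startswith(NTLMSSP_MAGIC):
        # NTLM, either as its own scheme or wrapped in Negotiate. The password
        # itself never crosses the wire, but the challenge/response pair can be
        # captured for offline cracking or relayed to another server.
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else None
        label = "NTLM" if scheme_l == "ntlm" else "Negotiate/NTLM"
        return {"scheme": label, "risk": "challenge/response, crackable or relayable",
                "ntlm_message_type": msg_type}

    if scheme_l == "negotiate" and raw.startswith(GSSAPI_TAG):
        # SPNEGO/Kerberos: the token carries a service ticket encrypted under
        # the back-end service's key; no password or password hash is exposed.
        return {"scheme": "Negotiate/Kerberos", "risk": "ticket only"}

    return {"scheme": scheme, "risk": "unknown scheme"}


def scan_capture(text: str) -> List[Dict[str, object]]:
    """Return one finding per Authorization header in a reassembled HTTP capture."""
    return [classify_header(m.group(1)) for m in AUTH_HEADER.finditer(text)]


def cleartext_credentials(text: str) -> List[str]:
    """User names whose passwords were recoverable from the capture."""
    return [str(f["user"]) for f in scan_capture(text) if f["scheme"] == "Basic"]


if __name__ == "__main__":
    for finding in scan_capture(CAPTURE):
        print(finding)
```

Run it against an actual capture of the front-end/back-end segment after enabling Kerberos: any remaining "Basic" finding means a back-end is still receiving forwarded passwords (for example an Exchange 2000 back-end the front-end falls back to Basic for), and a "Negotiate/NTLM" finding means Kerberos was negotiated away, which is worth investigating even though no cleartext password is exposed.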


KERBEROS AUTHENTICATION
For more information on how Kerberos authentication works, check out http://www.microsoft.com/security.



About the authors:

David McAmis is an enterprise architect and partner in a consulting firm in Sydney, Australia. David has written a number of books and more than 100 articles that have appeared in magazines and journals.

Don Jones, MCSE, CTT+, is an independent consultant and founding partner of BrainCore.Net. Don is the author of more than a dozen books and the creator and series editor of Sams Publishing's Delta Guide series. He is also a contributing editor and columnist for Microsoft® Certified Professional Magazine, the Microsoft technology columnist for CertCities.com, and a speaker at technology conferences.

