Estimated reading time: 5 minutes

Active Directory Claims and Kerberos.NET

Active Directory has had the ability to issue claims for users and devices since Server 2012. Claims allow you to add additional values to a user’s kerberos ticket and then make access decisions based on those values at the client level. This is pretty cool because you normally can only make access decisions based on group membership, which is fairly static in nature. Claims can change based on any number of factors, but originate as attributes on the user or computer object in Active Directory. Not so coincidentally, this is exactly how claims on the web work via a federation…

Estimated reading time: 4 minutes

Kerberos.NET and the KeyTab File

Kerberos requires the use of shared secrets to validate tickets. These secrets need to be stored somewhere. Windows stores them in the registry — the Security hive specifically. Other platforms store them in keytab files. Keytab files are useful because they’re a well known construct and are supported by many platforms. What’s interesting about them is that they store the derived value used to encrypt the ticket, and not the real secret. This means you don’t need to worry about how the salt is derived, and can just use the value without having to know how to manipulate the underlying…

Estimated reading time: 11 minutes

On Adding AES Support to Kerberos.NET

It’s been a few months since there’s been any public activity on the project but I’ve quietly been working on cleaning it up and there’s even been a PR from the community¬†(thanks ZhongZhaofeng!). Part of that clean up process has been adding support for AES 128/256 tokens. At first glance you might think it’s fairly trivial to do — just run the encrypted data through an AES transform and you’re good to go — but let me tell you: it’s not that simple. On Securing Shared Secrets There’s primarily one big difference between how RC4 and AES are used in…