Services Utility: Kerberos Key Distribution Center Service
Display Name: Kerberos Key Distribution Center
Short Name: kdc
Executable: lsass.exe
Library: None.
Depends On: AFD, Remote Procedure Call (RPC)
Supports: None.
Description: On domain controllers this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
OS: 2000 Server, Server 2003, Vista Server
Startup:
Explanation: The Kerberos Key Distribution Center service is used for authentication across a network, allowing secured access to shared resources within an Active Directory environment. This service will normally be found on Windows servers and should be left set to Automatic unless you do not use Kerberos authentication.

The process begins when a client computer (known as the principal) wants to access services in an Active Directory domain or in another cross-authenticated situation. The user authenticates to the server running the Kerberos KDC (Key Distribution Center) service using some form of identification, normally a password, but it could be another device such as a smart card, encrypted using the Data Encryption Standard (DES). This is done through the component of the KDC known as the Authentication Service (AS). If the user is authorized for the system they are authenticating to, the KDC provides a timestamped ticket (a ticket-granting ticket, or TGT) to the client. This ticket is then presented to the Ticket-Granting Service (TGS), most likely running on the same server, which in turn grants a service ticket to the client. The client presents this service ticket to authenticate to the requested service, and the ticket also assures the client that the service is a trusted source. The entire process follows RFC 1510, but the implementation is only roughly compatible with non-Microsoft systems. The port used for network authentication on the server is UDP 88, but TCP is also used. The above walkthrough is a very rough explanation and excludes many of the negotiations between the servers and the client.
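The AS, TGT, TGS and service-ticket steps described above, as an added stdlib-only Python model. This is example code, not the service's own code and not real Kerberos wire format or cryptography: the toy cipher, the principal and service names, the keys and the lifetimes are all constructed for illustration.

```python
import hashlib, hmac, json, os, time

# Constructed toy cipher (SHA-256 keystream, encrypt-then-MAC); stands in for the
# Kerberos encryption types and is NOT the real wire format or cryptography.
def _xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("rejected: MAC check failed (wrong key or tampering)")
    return json.loads(_xor(key, nonce, ct))

# KDC key store (constructed): password-derived user keys, the krbtgt key that
# protects TGTs, and service keys that protect service tickets.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}
LIFETIME, SKEW = 600, 300  # ticket lifetime and allowed clock skew, in seconds

def open_ticket(ticket_key, ticket, auth, now):
    """Open a ticket, check expiry, verify the authenticator sealed under its session key."""
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), auth)
    if now > t["exp"] or a["cname"] != t["cname"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("rejected: expired ticket, principal mismatch or clock skew")
    return t
def as_exchange(cname, preauth, now):
    """Authentication Service: check the password proof, issue a TGT plus session key."""
    if abs(now - unseal(KEYS[cname], preauth)["ts"]) > SKEW:
        raise ValueError("rejected: stale pre-authentication timestamp")
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"cname": cname, "sk": sk, "exp": now + LIFETIME})
    return tgt, seal(KEYS[cname], {"sk": sk})
def tgs_exchange(tgt, auth, service, now):
    """Ticket-Granting Service: open the TGT (only the KDC can), issue a service ticket."""
    t, ssk = open_ticket(KEYS["krbtgt"], tgt, auth, now), os.urandom(32).hex()
    st = seal(KEYS[service], {"cname": t["cname"], "sk": ssk, "exp": now + LIFETIME})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})
def logon(cname, password, service, now=None):
    """Client side of AS -> TGS -> service; the service opens the ticket with its own key."""
    now, ck = now or time.time(), hashlib.sha256(password).digest()
    tgt, rep = as_exchange(cname, seal(ck, {"cname": cname, "ts": now}), now)
    sk = bytes.fromhex(unseal(ck, rep)["sk"])  # only the right password opens this
    st, rep2 = tgs_exchange(tgt, seal(sk, {"cname": cname, "ts": now}), service, now)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return open_ticket(KEYS[service], st, seal(ssk, {"cname": cname, "ts": now}), now)["cname"]
```

A wrong password fails at the very first step, because the pre-authentication blob will not open under the key the KDC holds, and a TGT presented after its lifetime is refused by the TGS before any service ticket is issued.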