Tag: Kerberos


In many of my previous posts I talked about B2B users being replicated to your own AD for guest users to be able to login to your backend (Kerberos) applications. This adding of guest users to your AD can be done using my PowerShell script, the MIM guide from Microsoft – although it seems to […]

Read more

Azure AD – Domain services preview features

There are 3 (relatively) new functions in Azure AD Domain Services. Both in preview at the time of writing but combining all can unlock new functionality. This post will go over the following items with regards to Azure AD – Domain Services What’s new in Azure AD – Domain Services Force trust creation with AAD-DS/ADDS […]

Read more

IIS & Kerberos Kernel Mode

A new post about kerberos.. indeed some techno stuff nobody seems to understand but is very important for security. A new feature in Windows 2008 IIS7 is the kernel mode support, what does it do, and more important how can it help you?

Read more

Kerberos multiple hops

You all remember the maximum 2 hops for Kerberos right.. well in Microsoft land it works a little different and it is possible to create a multiple tier Kerberos delegation structure.


Basically we want the following to happen:


Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication


In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I’ve used (http://support.microsoft.com/kb/314404) for the setup..

  Read more

Kerberos PAC validation

basically, all Kerberos tickets in windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under system account (but user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and will give the green light.