I do not think that is correct. I am certain that they will use Kerberos; however, it is in my opinion very likely that they will change their Kerberos infrastructure to rely significantly on digital certificates and the new PKINIT draft/standard instead of user passwords and preauthentication.
I.e. they will probably make changes to Kerberos but not get rid of Kerberos; instead they will use PKINIT+Kerberos.

Speculation: I would not be surprised if they also do things like stuff the PAC inside the PKINIT fields/certificate instead of inside the authorization data fields, and if they also modify the KDC to take the PAC and other authorization data from within the AS-REQ and put it inside the krbtgt ticket it sends back, and that the client in further TGS-REQ and also AP-REQ also contains a copy of that data.

It would provide an interesting side channel where they could provide authorization data from the certificate all the way to the AP-REQ sent to a service. I bet there are very interesting features that such a mechanism would provide. (At least that is what I would do instead of only using PKINIT as a vehicle for preauthentication.)

On 10/21/05, Tim Alsop <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have just been told by a company (name of company is anonymous) that
> they were recently told by Microsoft, that in the next version of
> Windows, Kerberos will be removed and replaced by something else
> instead. This suggests that Active Directory will no longer be a
> Kerberos server, and Windows will not use Kerberos to authenticate users
> to domain controllers?
>
> My question is, has anybody else been told the same? Is this a
> misunderstanding, or based on fact?
>
> Thanks, Tim
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
