Re: NTFS Permissions with Authenticated User VS KDC (Kerboros question)
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Fri, 13 Apr 2007 22:47:12 -0700
"Guy Painchaud" <Guy.Painchaud@xxxxxxxxxxxx> wrote in message
news:%23zLe2LefHHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
Wow! Fast help from an MVP!
The accessing user is in the top domain; the NTFS resource is on a
server in the other sub-domain.
Using your words to describe the interesting part of my question: (At
that point, the token from the TGT is copied into the service ticket and
extended with added information about memberships unique to the
environment of that resource). Could an NTFS read permission granted to
Authenticated Users skip this step?
Theoretically yes, it could have been implemented that way, but it
was not and it would be inefficient. As I had indicated, the NTFS
grants have not been looked at yet when this happens.
Could replacing Authenticated Users with topdomain\Domain Users require
more Kerberos activity? Should I check speed performance counters for
very high volume?
I do not see how there would be any difference in activity.
It is pretty much constant.
Your bigger concern might be to make sure Kerberos is actually
being used, rather than attempted and then this getting followed
by a failover to use of NTLM.
Roger
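One way to act on Roger's last point, as an added example that is not part of the thread: tally the network logons a file server records by authentication package, so accounts that should arrive over Kerberos but show up under NTLM stand out. It assumes a server that writes Event ID 4624 to the Security log (Windows Server 2008 or later; the 2003-era servers in the thread log 540/528 instead) and rights to read that log; the `$Hours` parameter is an assumed look-back window.

```powershell
# Added example (not from the thread): count Security log 4624 network logons
# on a file server by authentication package (Kerberos vs NTLM). Assumes a
# server that logs 4624 (2008+) and read access to the Security log.
param(
    [int]$Hours = 24          # look-back window, assumed value
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Logon type 3 = network logon, which is what an SMB file access produces.
    if ($d['LogonType'] -ne '3') { continue }

    [pscustomobject]@{
        Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Package = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
        Source  = $d['IpAddress']
    }
}

# Per-package totals first: a healthy Kerberos environment should show
# very few NTLM network logons from domain accounts.
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Then the accounts that arrived over NTLM, most frequent first, so the
# fallback cases (wrong SPN, IP-address UNC paths, clock skew) can be chased.
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it on the file server itself (or with `-ComputerName` added to `Get-WinEvent`) rather than on the domain controller, since the 4624 event that records the package used for the share access is written where the resource lives.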
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:
eLJgxxdfHHA.4596@xxxxxxxxxxxxxxxxxxxxxxx
Perhaps a little info on how things work algorithmically would
help you assess what questions you are needing to ask. For example,
you have not indicated what domain is the account domain of the
accessing user.
At login via Kerberos the account gets a TGT (ticket granting ticket)
that contains within it that account's user token. At this point the token
contains among other things a representation of all group memberships
of that account in that domain. Of course, "that domain" is the domain
of the account (the only one that can be authoritative in authenticating
the account login).
Now, when that account attempts to access a resource, if that resource
can be accessed via Kerberos, the TGT is presented in order to obtain
a service ticket for the resource. At that point, the token from the TGT
is copied into the service ticket and extended with added information
about memberships unique to the environment of that resource (another
domain? machine local? etc.).
Finally, the resource is accessed, at which point the type of access in
the demand is compared to the grants on the resource and the user
token information.
So, to get to your question, notice that if the account is authenticated
(not anonymous) then the TGT already indicates Authenticated Users,
but that is immaterial to your apparent question since the token gets
expanded as needed in forming the service ticket before the resource
access checks happen.
Now, perhaps you can rephrase your concerns/question?
Roger
"Guy Painchaud" <Guy.Painchaud@xxxxxxxxxxxx> wrote in message
news:%23jOhoWdfHHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
In a multi-domain W2k3 forest-mode model:
Do you think that the KDC of a sub-domain is used less because
Authenticated Users is an NT AUTHORITY group?
In my situation, a top-domain user reads a file from a sub-domain file
server with an Authenticated Users NTFS permission. My question is: will
the sub-domain KDC service (or another service) be involved?
If I use more specific NTFS permissions than Authenticated Users, what
will be the performance impact on a great amount of file access by
different users?
Note: I tried to follow NTDS counters in Perfmon without success.
Thanks