NTLMSSP
NTLMSSP, whose authentication service identifier is RPC_C_AUTHN_WINNT, is a security support provider that is available on all versions of DCOM. It uses the NTLM protocol for authentication. NTLM never actually transmits the user's password to the server during authentication. Therefore, the server cannot use the password during impersonation to access network resources that the user would have access to. Only local resources can be accessed.
NTLM works both locally and across computers. That is, if the client and server are on different computers, NTLM can still make sure the client is who it claims to be.
With NTLM, the client's identity is represented by a domain name, user name, and a password or token. When a server calls CoQueryClientBlanket, the client's domain name and user name are returned. However, when a server calls CoImpersonateClient, the client's token is returned. If there is no trust relationship between client and server and if the server has a local account with the same name and password as the client, that account will be used to represent the client.
NTLM supports mutual authentication cross-thread and cross-process (locally only). If the client specifies the principal name of the server in the form domain\user in a call to IClientSecurity::SetBlanket, the server's identity must match that principal name or the call will fail. If the client specifies NULL, the server's identity will not be checked.
NTLM additionally supports the delegate impersonation level cross-thread and cross-process (locally only).
Kerberos v5 Protocol
The Kerberos v5 authentication protocol has an authentication service identifier of RPC_C_AUTHN_GSS_KERBEROS. The Kerberos protocol defines how clients interact with a network authentication service and was standardized by the Internet Engineering Task Force (IETF) in September 1993, in document RFC 1510. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.
Like NTLM, the Kerberos protocol uses the domain name, user name, and password to represent the client's identity. The initial Kerberos ticket obtained from the KDC when the user logs on is based on an encrypted hash of the user's password. This initial ticket is cached. When the user tries to connect to a server, the Kerberos protocol checks the ticket cache for a valid ticket for that server. If one is not available, the initial ticket for the user is sent to the KDC along with a request for a ticket for the specified server. That session ticket is added to the cache, and it can be used to connect to the same server until the ticket expires.
When a server calls CoQueryClientBlanket using the Kerberos protocol, the client's domain name and user name are returned. When a server calls CoImpersonateClient, the client's token is returned. These behaviors are the same as when using NTLM.
The Kerberos protocol works across computer boundaries. The client and server computers must both be in domains, and those domains must have a trust relationship.
The Kerberos protocol requires mutual authentication and supports it remotely. The client must specify the principal name of the server, and the server's identity must match that principal name exactly. If the client specifies NULL for the server's principal name or if the principal name doesn't match the server, the call will fail.
With the Kerberos protocol, the impersonation levels identify, impersonate, and delegate can be used. When a server calls CoImpersonateClient, the token returned is valid off the computer for some time period between 5 minutes and 8 hours. After this time, it can be used on the server computer only. If a server is "run as activator" and the activation is done with the Kerberos protocol, the server's token will expire between 5 minutes and 8 hours after activation.
The Kerberos v5 authentication protocol implemented by Windows supports cloaking.
Reference: https://msdn.microsoft.com/en-us/library/windows/desktop/ms691272(v=vs.85).aspx
1033
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
