Skip navigation
Menu
Security

Q: Why does Kerberos smart card login require public key certificates, private keys, and a Certification Authority (CA)?

A: Windows 2000, Windows XP, and later Microsoft OSs include extensions to the Kerberos authentication protocol to support public key–based authentication. These extensions are known as PKINIT—which stands for "Public Key cryptography for INITial authentication." PKINIT enables smart card login to a Windows 2000 or later domain. In a PKINIT-based Kerberos authentication sequence, all occurrences of a user's master key (which is a cryptographic key that Windows derives from the user password) are replaced by the user's public key credentials. Table 1 illustrates this substitution.

PKINIT introduces a new Windows authentication trust model. When using PKINIT, the domain controller (DC) isn't the first entity that authenticates users—as is the case for classic Kerberos or NTLM authentication. In PKINIT, users have already authenticated to the CA when they request their smart card login certificate. In the PKINIT trust model, both the users and the DC must trust the same CA. In other words, in the PKINIT model, the CA is the most important security authority.

The CA you use for Windows smart card login should preferably be a Windows enterprise CA. A Windows enterprise CA will automatically publish the smart card login certificates it issues for domain users to Active Directory (AD). But Microsoft also supports third-party CAs for the generation of smart card login certificates; for more information about the Windows smart card login certificate and CA requirements, see the Microsoft article "Guidelines for enabling smart card logon with third-party certification authorities."

Figure 1 shows how the Kerberos smart card login process works.

smart card login
Figure 1: How the Windows Kerberos smart card login process works

  • Step 1: Alice starts the login process by introducing her smart card into her smart card reader and authenticating to the card by using her PIN. The smart card contains Alice's public key credentials: her private key and certificate.
  • Step 2: A ticket-granting ticket (TGT) request is sent to the DC. This request contains the following data: Alice's principal name and a timestamp—both signed using Alice's private key—and a copy of Alice's certificate.
  • Step 3: To validate the request and the digital signature, the Key Distribution Center (KDC) first validates Alice's certificate. The DC then queries AD for a mapping between Alice's certificate and a Windows user account. If the DC finds a mapping, it generates a new session key and issues a TGT for the corresponding user account.
  • Step 4: The DC sends the TGT to Alice, together with a secured copy of the session key. Alice's copy of the session key is encrypted using her public key.
  • Step 5: To retrieve her copy of the session key from the packets received from the DC in step 4, Alice uses her private key.
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Q: How can I determine from the Windows security logs whether a user has logged on using a smart card?
Oct 06, 2009
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024