The Key Distribution Center

The Kerberos Key Distribution Center, or KDC for short, is an integral part of the Kerberos system. The KDC consists of three logical components: a database of all principals and their associated encryption keys, the Authentication Server, and the Ticket Granting Server. While each of these components is logically separate, they are usually implemented in a single program and run together in a single process.

In a given Kerberos realm, there must be at least one KDC. While a KDC needs few resources, it is strongly recommended that each KDC be a dedicated physical machine. Since all of the crucial data, including the secrets for every principal in your realm, is stored on every KDC in the realm, it is critical that those servers be as secure as possible. In addition, in order for users to successfully authenticate to Kerberos-enabled services, at least one KDC must be reachable at all times.

Each Key Distribution Center contains a database of all of the principals in the realm, as well as their associated secrets. Most KDC software also stores additional information for each principal in this database, such as password lifetimes, the time of the last password change, and more. Windows 2000 and Windows Server 2003 keep this database in Active Directory, their LDAP directory store. Open source implementations, including MIT and Heimdal, keep this database in a specialized, lightweight database file on the KDC’s filesystem.
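To make the division of labour between the three components concrete, the following is an added example (not from the book, and not the code of any real KDC) that models the principal database, the Authentication Server and the Ticket Granting Server as one Python process sharing one database object, as the paragraphs above describe. The realm name, principal names, password, ticket lifetime, the PBKDF2-based string-to-key function and the seal/unseal routine are all assumptions made for the example; seal/unseal is a toy encrypt-then-MAC stand-in for a real Kerberos encryption type, and none of the messages are Kerberos wire format.

```python
"""Toy model of the three logical KDC components running in one process.
Added example, not real KDC code: message formats are simplified and the
seal/unseal routine stands in for a real Kerberos encryption type."""
import hashlib
import hmac
import json
import secrets
import time

REALM = "EXAMPLE.COM"                       # assumed realm name
TGS_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"   # the TGS's own principal
TICKET_LIFETIME = 600                       # seconds; arbitrary for the example


def string_to_key(principal: str, password: str) -> bytes:
    """Derive a principal's long-term key from its password (assumed KDF),
    salted with the principal name so equal passwords give different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-based keystream of n bytes (toy cipher, not a Kerberos enctype)."""
    out = b""
    for ctr in range(-(-n // 32)):  # ceil(n / 32) blocks of 32 bytes
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under `key`: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. Wrong key or any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class PrincipalDatabase:
    """Component 1: every principal in the realm, its key and some metadata."""
    def __init__(self):
        self.entries = {}

    def add(self, principal: str, password: str) -> None:
        self.entries[principal] = {"key": string_to_key(principal, password),
                                   "last_change": time.time()}

    def key(self, principal: str) -> bytes:
        return self.entries[principal]["key"]


class KDC:
    """Components 2 and 3 (AS and TGS), sharing one database in one process."""
    def __init__(self, db: PrincipalDatabase):
        self.db = db

    def _ticket(self, client: str, service: str, session_key: bytes) -> bytes:
        # Every ticket is sealed under the *service's* key taken from the database.
        return seal(self.db.key(service), {"client": client, "session_key": session_key.hex(),
                                           "expires": time.time() + TICKET_LIFETIME})

    def as_exchange(self, client: str):
        """AS: a TGT sealed under krbtgt's key, plus the session key sealed under the client's key."""
        session_key = secrets.token_bytes(32)
        tgt = self._ticket(client, TGS_PRINCIPAL, session_key)
        as_rep = seal(self.db.key(client), {"session_key": session_key.hex()})
        return tgt, as_rep

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS: open the TGT with krbtgt's key, check the authenticator, issue a service ticket."""
        body = unseal(self.db.key(TGS_PRINCIPAL), tgt)
        if body["expires"] < time.time():
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(body["session_key"])
        auth = unseal(session_key, authenticator)  # proves the client holds the TGT session key
        if auth["client"] != body["client"] or abs(time.time() - auth["timestamp"]) > 300:
            raise PermissionError("authenticator does not match TGT")
        svc_session = secrets.token_bytes(32)
        ticket = self._ticket(body["client"], service, svc_session)
        tgs_rep = seal(session_key, {"session_key": svc_session.hex(), "service": service})
        return ticket, tgs_rep


def demo(password: str = "correct horse battery staple"):
    """Full flow: AS exchange, TGS exchange, then the service opens the ticket with its own key."""
    client, service = f"alice@{REALM}", f"host/fileserver.example.com@{REALM}"  # assumed names
    db = PrincipalDatabase()
    db.add(TGS_PRINCIPAL, secrets.token_hex(32))   # random long-term key for the TGS itself
    db.add(client, password)
    db.add(service, secrets.token_hex(32))
    kdc = KDC(db)
    client_key = string_to_key(client, password)   # client side: derived from the password only
    tgt, as_rep = kdc.as_exchange(client)
    session_key = bytes.fromhex(unseal(client_key, as_rep)["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": time.time()})
    ticket, tgs_rep = kdc.tgs_exchange(tgt, authenticator, service)
    svc_session = unseal(session_key, tgs_rep)["session_key"]
    ticket_body = unseal(db.key(service), ticket)  # only the service's key opens its ticket
    return ticket_body["client"], ticket_body["session_key"] == svc_session


def forged_tgt_rejected() -> bool:
    """A TGT sealed under anything but krbtgt's database key fails the TGS integrity check."""
    db = PrincipalDatabase()
    db.add(TGS_PRINCIPAL, secrets.token_hex(32))
    forged = seal(string_to_key("attacker", "guess"),
                  {"client": f"alice@{REALM}", "session_key": "00" * 32, "expires": time.time() + 600})
    try:
        KDC(db).tgs_exchange(forged, b"", f"host/x@{REALM}")
    except ValueError:
        return True
    return False
```

Two points the model makes visible. First, the AS and the TGS never touch the client's password; both only pull keys out of the shared database, which is why the text insists that every KDC holding that database be locked down: whoever reads it can seal tickets for any principal. Second, `forged_tgt_rejected` shows the converse: without the krbtgt key from that database, a ticket that looks right is still rejected by the TGS before any of its contents are trusted.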

Since a Kerberos ...
