Kerberos is the name of the hard-core security protocol that's been used since Windows 2000. I'm in the process of learning exactly how it works.
So where does the Kerberos name come from?
Kerberos(aka Cerberus) is the name of the three headed dog that guards Hades (remember “Fluffy” that guarded the Socerer's Stone?).
When an IIS web application has "Integrated Windows authentication" enabled and “Enable anonymous access” is disabled, the LOGON_USER server variable will contain the name of the user accessing the website.
I wasn't sure if this method is really secure. Can't the LOGON_USER server variable be modified? These are my findings -
- IE will try to authenticate the user by hashing the username and password and sending it to the server.
- The server will then compare the hashes to the user on the domain.
- If the hashes match, the user has been authenticated successfully.
Note that no passwords are passed directly. Also, because both the username and password are hashed, it's not possible to simply spoof the username. You need the password as well.
Sounds pretty secure to me.