The Massachusetts Institute of Technology created Kerberos to address such network security issues as username/password exchange, network security, client computer security, and login persistence. Kerberos is a protocol that provides secure network authentication and support for “single sign-on” to network resources. With single sign-on support, a user logs in one time to a network domain (also called a realm) and, after he or she is authenticated, gains access to resources on other computers without resubmitting a username and password.

Kerberos works on the premise that only the client and the authenticating server share a piece of secret information, and it provides a way to confirm that the shared information is accurate throughout the user’s session. When a user on a client computer types in a username and password and submits that information to a server to log in, Kerberos first authenticates the user and then issues a ticket that uniquely identifies the client for that session. The ticket is used for future access to other applications and shared volumes during the user’s session.

Kerberos provides encrypted key exchange to ensure security on both internal networks (behind firewalls) and insecure networks such as the internet. Once a user is authenticated, all further communication is encrypted for privacy and security. For more information on how Kerberos works on a Windows Server, go to http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx
Access Connect supports the Kerberos extensions in the AFP protocol and works directly with Active Directory. It is registered as a Kerberos service provider and can authenticate Macintosh tickets. Since the tickets themselves use a standard Kerberos format, Access Connect takes tickets from a Macintosh client, passes them to Microsoft Windows Active Directory for authentication, and then grants access to Windows server resources if Active Directory confirms that the client holds a valid ticket.
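As an added illustration of the ticket flow this section describes (example code written for this page, not Access Connect's or any Kerberos library's), the toy below models a KDC that shares a long-term key with each principal, a client that unlocks a session key with its password without ever sending it, and a file service that validates the ticket and the client's authenticator, rejecting expired tickets and replays. Principal names, passwords and the HMAC-based stand-in cipher are assumptions; the service checks the ticket itself with the key it shares with the KDC, which is the step the text above describes Access Connect handing to Active Directory.

```python
import hmac, hashlib, json, os, time

# Constructed toy of the Kerberos ticket flow described above, not Access Connect code. Names
# and passwords are made up; the HMAC-keystream "cipher" stands in for a real Kerberos enctype.

def string2key(password, principal):
    # Long-term key derived from the password (PBKDF2 stands in for Kerberos string2key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Encrypt-then-MAC: only a holder of `key` can read the payload or forge a token.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key, tok):
    nonce, ct, tag = tok[:16], tok[16:-32], tok[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("integrity check failed: wrong key or tampered token")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue_ticket(kdc_keys, client, service, lifetime=300):
    # The KDC holds every principal's long-term key (the only other party that knows it). Simplified: no TGT step.
    skey = os.urandom(32).hex()
    ticket = seal(kdc_keys[service], {"client": client, "skey": skey, "expires": time.time() + lifetime})
    return ticket, seal(kdc_keys[client], {"skey": skey})  # enc part: only the client can open it

def client_login(kdc_keys, name, password, service, lifetime=300):
    # The password never leaves the client; it only unlocks the session key locally.
    ticket, enc_part = kdc_issue_ticket(kdc_keys, name, service, lifetime)
    skey = bytes.fromhex(unseal(string2key(password, name), enc_part)["skey"])  # wrong password -> ValueError
    auth = json.dumps({"client": name, "time": time.time()}).encode()
    return ticket, auth, hmac.digest(skey, auth, "sha256")  # authenticator: proves session-key possession

def service_accept(service_key, seen, ticket, auth, auth_mac):
    # Decrypt the ticket with the key shared with the KDC (unseal raises if it was issued for another
    # service), then check the authenticator's MAC, ticket binding, freshness and replay (via `seen`).
    t, a, now = unseal(service_key, ticket), json.loads(auth), time.time()
    if not hmac.compare_digest(hmac.digest(bytes.fromhex(t["skey"]), auth, "sha256"), auth_mac):
        return False, "authenticator not made with the ticket's session key"
    if a["client"] != t["client"] or now > t["expires"] or abs(now - a["time"]) > 300:
        return False, "client mismatch, ticket expired or authenticator stale"
    if auth_mac in seen:
        return False, "replayed authenticator"
    seen.add(auth_mac)
    return True, t["client"]
```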