2.9 Security
Implementers have to be aware that Kerberos Protocol Extensions [MS-KILE] and public key-based authentication ([MS-PKCA] and [MS-TLSP]) offer stronger security guarantees in terms of initial authentication and in subsequent confidentiality and integrity of client-server traffic and server-server traffic. Digest authentication or NTLM authentication can be used in environments in which these stronger mechanisms are not available.
Because the security of Kerberos authentication is in part based upon the time stamps of the tickets, it is critical to have accurately set clocks on the machines in the Kerberos environment. As stated in the Kerberos documents, a short lifetime for tickets is used to prevent attackers from performing successful brute force attacks or replay attacks. If the clocks of the machines in a Kerberos environment drift, the network becomes vulnerable to such attacks. Because clock synchronization is vital to Kerberos protocol security, if clocks are not synchronized within a reasonable time window, Kerberos will report fatal errors and refuse to function.
In Windows, the Network Time Protocol (NTP) Authentication Extensions [MS-SNTP] are used to achieve authenticated time synchronization between Kerberos clients and the KDC. Client authentication attempts from a machine with an inaccurate clock will be rejected by the KDC because of the time difference with the KDC's clock; therefore, it is important to achieve time synchronization.