@4:54 The statement "Kerberos uses shared secrets for authentication in a Windows domain, there is only one, the NTLM hash" is not entirely accurate. While it is true that NTLM (NT LAN Manager) is a legacy authentication protocol used in Windows environments, Kerberos is the primary authentication protocol used in Active Directory domains. Kerberos does not rely on shared secrets in the same way as NTLM. Instead, it uses a trusted third-party authentication system and symmetric key cryptography to verify the identities of users and services within a network. Kerberos authentication involves the use of tickets and does not directly rely on the storage of password hashes. Furthermore, the statement overlooks the fact that Kerberos also involves the use of a Kerberos hash, which is derived from the user's password and is used in the authentication process. In summary, the statement oversimplifies the authentication mechanisms used in Windows domains and does not accurately represent the role of Kerberos and the use of shared secrets in the context of Windows domain authentication.
Hold up - exceptionally difficult to rotate the KRBTGT password? What process is this dude using to rotate the password? How is waiting 24-48 hours exceptional? My understanding is that you change the password, wait for it to replicate, then change it again. That could take 48 hours if you have globally disparate DC's or set the time to some insane lengths, but the majority of businesses have 1-3 datacenters and replication takes less than an hour. How is that exceptionally difficult to do?
![HIWWHEE | OHM [Official MV]](http://i.ytimg.com/vi/OJJLtTLqLag/mqdefault.jpg)
Great presentation. Very insightful and educational!
Awesome Webcast! Thanks a lot!
I loved your presentation mate. Thank you so much for the detailed yet simple explanation! - Thank you sir!
@4:54
The statement "Kerberos uses shared secrets for authentication in a Windows domain, there is only one, the NTLM hash" is not entirely accurate. While it is true that NTLM (NT LAN Manager) is a legacy authentication protocol used in Windows environments, Kerberos is the primary authentication protocol used in Active Directory domains.
Kerberos does not rely on shared secrets in the same way as NTLM. Instead, it uses a trusted third-party authentication system and symmetric key cryptography to verify the identities of users and services within a network. Kerberos authentication involves the use of tickets and does not directly rely on the storage of password hashes.
Furthermore, the statement overlooks the fact that Kerberos also involves the use of a Kerberos hash, which is derived from the user's password and is used in the authentication process.
In summary, the statement oversimplifies the authentication mechanisms used in Windows domains and does not accurately represent the role of Kerberos and the use of shared secrets in the context of Windows domain authentication.
This was really great. Is there anywhere to download the presentation please?
Hold up - exceptionally difficult to rotate the KRBTGT password? What process is this dude using to rotate the password? How is waiting 24-48 hours exceptional? My understanding is that you change the password, wait for it to replicate, then change it again. That could take 48 hours if you have globally disparate DC's or set the time to some insane lengths, but the majority of businesses have 1-3 datacenters and replication takes less than an hour. How is that exceptionally difficult to do?
Oof, please work on that audio between the two of you.