Kerberos Information Released

Criticized by Department of Justice (DoJ) experts for proprietary extensions in Windows 2000’s implementation of the Kerberos security protocol, Microsoft has released additional information that would allow other systems to interoperate with Windows 2000. Release of that information-one day before the DoJ released legal briefs chastising Microsoft’s handling of Kerberos-did little to relieve the criticism. Instead, it released a storm of further complaints about the restrictions Microsoft has placed on the information, and led to Microsoft serving legal documents on a popular open-source Web site.

Microsoft’s implementation of Kerberos, a public standard for authenticating users and controlling access to resources on a network, makes use of a vendor-definable field in the Kerberos protocol specification. Microsoft’s use of the field is not the issue, but the fact that until April 27 Microsoft refused to tell other vendors or public standards bodies how entries in the field work to control access to resources on a Windows 2000 network. Without this information, organizations using Kerberos to provide Kerberos authentication and security on Windows 2000 servers must use a Windows 2000–based Kerberos server to do it; existing Unix-based Kerberos servers, for example, could not be used.