Updated: July 13, 2020 (November 19, 2001)
The Kerberos protocol only authenticates: it establishes that users and services are who they claim to be. The standard ticket format carries an authorization-data field, but the protocol defines no standard contents for it, so it gives a service no standard way to decide what an authenticated user is allowed to do.
Microsoft wanted Windows domain controllers, which act as the Kerberos key distribution centers (KDCs) that issue tickets, to work seamlessly with the authorization process already used by Windows servers. Because of this, Microsoft’s implementation of Kerberos is slightly different from the standard: the domain controller places Windows authorization data (the Privilege Attribute Certificate, or PAC) in the ticket’s authorization-data field, where a Windows server reads it and a standard Kerberos implementation simply ignores it.
Windows ACLs and SIDs
Windows 2000 authorizes access with access control lists (ACLs) that grant users specific levels of access (for example read-only, read-write, delete, or execute) to files and services. A user is identified not only individually but also as a member of groups. For example, every member of the “sales” group may be able to write to an Excel spreadsheet containing sales data, but only the sales manager may delete it. ACLs identify users, and the groups they belong to, by their Windows security identifiers (SIDs), so a server needs the authenticated user’s SID and group SIDs before it can evaluate an ACL.
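To show how a token of SIDs and a list of ACEs combine into an allow-or-deny decision, here is an added example (not code from the article) that models a simplified version of the Windows DACL access check in Python. The domain and account SIDs, the access-right bit values and the spreadsheet ACL are constructed for illustration; the model deliberately ignores owner rights, object-type ACEs and inheritance flags. The group SIDs in the token are exactly what a Windows domain controller supplies in the ticket, and what a standard KDC does not.

```python
from dataclasses import dataclass

# Illustrative access-right bits (constructed; not the real Windows FILE_* values).
READ, WRITE, DELETE, EXECUTE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class ACE:
    """One access control entry: allow or deny an access mask to one trustee SID."""
    sid: str
    mask: int
    allow: bool = True


@dataclass(frozen=True)
class Token:
    """What a server holds after authentication: the user's own SID plus the SIDs
    of every group the user belongs to. On Windows the group SIDs come from the
    authorization data the domain controller adds to the Kerberos ticket."""
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


def access_check(token, dacl, requested):
    """Simplified Windows access check over a discretionary ACL.

    Rules modelled (a subset of the real algorithm):
      * no DACL at all (None) grants everything; an empty DACL grants nothing;
      * ACEs are walked in order and only ACEs naming a SID in the token count;
      * a deny ACE whose mask overlaps the rights not yet granted denies the
        request (in a canonically ordered DACL the denies come first anyway);
      * allow ACEs accumulate rights until every requested bit is granted.
    Returns True when access is granted, False otherwise.
    """
    if dacl is None or requested == 0:
        return True
    token_sids = token.sids()
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        remaining = requested & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed SIDs for a hypothetical domain: a sales group, a sales rep (Alice),
# the sales manager (Bob), a contractor in the group (Carol) and an outsider (Dave).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SALES_GROUP = DOMAIN + "-1105"
ALICE, BOB, CAROL, DAVE = (DOMAIN + "-" + rid for rid in ("1201", "1202", "1203", "1204"))

# The spreadsheet's DACL in canonical order: explicit deny first, then allows.
SPREADSHEET_DACL = [
    ACE(CAROL, WRITE | DELETE, allow=False),  # contractor may read but not change anything
    ACE(SALES_GROUP, READ | WRITE),          # every sales member can read and write
    ACE(BOB, DELETE),                        # only the manager may delete
]


def sales_spreadsheet_demo():
    """Evaluate the article's sales-spreadsheet scenario against the DACL."""
    alice = Token(ALICE, frozenset({SALES_GROUP}))
    bob = Token(BOB, frozenset({SALES_GROUP}))
    carol = Token(CAROL, frozenset({SALES_GROUP}))
    dave = Token(DAVE)
    return {
        "alice can write": access_check(alice, SPREADSHEET_DACL, WRITE),
        "alice can delete": access_check(alice, SPREADSHEET_DACL, DELETE),
        "bob can delete": access_check(bob, SPREADSHEET_DACL, DELETE),
        "bob can read+write+delete": access_check(bob, SPREADSHEET_DACL, READ | WRITE | DELETE),
        "carol can read": access_check(carol, SPREADSHEET_DACL, READ),
        "carol can write": access_check(carol, SPREADSHEET_DACL, WRITE),
        "dave can read": access_check(dave, SPREADSHEET_DACL, READ),
    }


if __name__ == "__main__":
    for question, answer in sales_spreadsheet_demo().items():
        print(f"{question}: {answer}")
```

The point to take from the walk: the server never compares user names, only SIDs, and a request succeeds only once the allow ACEs for SIDs in the token cover every requested bit. Strip the group SIDs from the token, as happens when a ticket carries no Windows authorization data, and Alice's write is refused even though she authenticated perfectly well.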