> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Chycoski
>
> Centrify - <http://www.centrify.com> - Commercial product

I said concentric, and I meant centrify. Richard is right.

> The most expensive (system-loading) function on AD is the Kerberos
> authentication, as it involves cryptographic calculations.

I will agree with this technically, and disagree with it practically.

Meaning: True, it's cryptographic and expensive, but the result is a ticket-granting-ticket. The cryptographic part happens once per user and once per system, every ... 8 hours? Configurable. And all the in-between times, the server doesn't even need to be involved. Kind of like DNS caching or DHCP leases. Do it once and it's valid for ___ length of time.

Kerberos is really impressive in terms of security enhancement. Passwords never go across the network, even when you're authenticating for the first time. All authentication is done by tickets, which are encrypted, signed, and time limited. All the data going across the network is random bits, which can only have meaning temporarily, and can only be unlocked using a ticket that was only possible to decrypt originally using your secret password as a private key.

Sign on once, and you're pre-authenticated for everything you're doing that day. Web sites, mail servers, file servers, etc., simply know who you are, securely, and without any passwords being typed in or cached anywhere.

> Fortunately, you normally don't see a lot of simultaneous authentication happening
> as credentials tend to be cached on the clients for long periods of time.

Ah. Yes. Now I wish I had read the whole message before I hit reply.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
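The ticket-caching argument in the reply above, as an added example that is not part of the thread (a constructed model, not code from Centrify, Microsoft or any product): it replays one user's workday through a client-side Kerberos ticket cache and counts how often the KDC actually sees the expensive AS exchange (the one using the user's password-derived key) versus a cheaper TGS exchange or no contact at all. The SPNs, the `example.test` names and the minute-of-day workload are constructed; the 600-minute lifetimes are the Windows domain Kerberos policy defaults, and the model keeps the real rule that a service ticket never outlives the TGT it was obtained with.

```python
# Constructed model of a Kerberos client ticket cache (not the thread's own code).
from dataclasses import dataclass, field

TGT_LIFETIME_MIN = 600  # AD default "Maximum lifetime for user ticket" (10 h)
SVC_LIFETIME_MIN = 600  # AD default "Maximum lifetime for service ticket"

@dataclass
class TicketCache:
    tgt_expiry: int = -1                          # minute of day; -1 = no TGT
    service: dict = field(default_factory=dict)  # SPN -> service ticket expiry
    as_req: int = 0      # AS-REQ count: KDC works with the user's long-term key
    tgs_req: int = 0     # TGS-REQ count: one per service not yet in the cache
    cache_hits: int = 0  # accesses satisfied without contacting the KDC

    def access(self, spn: str, now: int) -> str:
        """Record an access to `spn` at minute `now`; return the path taken."""
        steps = []
        if now >= self.tgt_expiry:            # no TGT, or it has expired
            self.as_req += 1
            self.tgt_expiry = now + TGT_LIFETIME_MIN
            steps.append("AS")
        if now >= self.service.get(spn, -1):  # no usable ticket for this SPN
            self.tgs_req += 1
            # The KDC never issues a service ticket that outlives the TGT.
            self.service[spn] = min(now + SVC_LIFETIME_MIN, self.tgt_expiry)
            steps.append("TGS")
        if not steps:
            self.cache_hits += 1
            steps.append("CACHE")
        return "+".join(steps)

def constructed_workday():
    """Constructed sample input: one user, 08:00-18:00, mail client polling
    every 10 min, two file-server visits, an intranet app once an hour."""
    acc = [(t, "HTTP/mail.example.test") for t in range(480, 1080, 10)]
    acc += [(480, "cifs/files.example.test"), (780, "cifs/files.example.test")]
    acc += [(t, "HTTP/intranet.example.test") for t in range(540, 1080, 60)]
    return sorted(acc)

def simulate(accesses):
    """Replay accesses through one cache; return (as_req, tgs_req, cache_hits)."""
    cache = TicketCache()
    for minute, spn in accesses:
        cache.access(spn, minute)
    return cache.as_req, cache.tgs_req, cache.cache_hits

if __name__ == "__main__":
    # 71 accesses in the day: one AS exchange, three TGS exchanges, 68 served
    # from the client cache with no KDC involvement at all.
    print(simulate(constructed_workday()))  # -> (1, 3, 68)
```

Multiply the per-user AS count by the user population to estimate the password-key crypto the KDC does per ticket lifetime; the cache-hit count is the traffic it never sees.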
