> Active Directory (invented at MIT)

AD was invented by Microsoft, gluing together Kerberos (from MIT) and LDAP (from UMich). If it was from MIT, we wouldn't have had Windows 2000's infamous proprietary PAC.

reply
History of Active Directory (derived from MS Exchange), see https://hardcoresoftware.learningbyshipping.com/p/bonus-the-...
reply
> you actually need to get a service ticket (TGS)

If we're being pedantic, TGS ("ticket granting server") is the service you get service tickets from. Service tickets are (occasionally) abbreviated ST, as you'd expect. The TGS is a logical part of the KDC, distinguished from the AS which grants TGTs.

reply
Kerbernerd revealed.
reply
It’s been ages since I stood up a Kerberos realm, but… would it be possible to allow RC4 only for specific users? Like encrypt win98server@example.com’s heavily locked down account with RC4, but everyone else gets AES-256?
reply
Yes you can enable specific encryption types for users. It's not super common, but it can be done.
reply
Just to add to this, the salt (domain [realm] and username) is only used to generate the AES keys, not the RC4. The RC4 key is simply the NT hash.

And thanks for the shout out!

reply