CISSP - Kerberos
It has always been my understanding that Kerberos did not provide authorization to resources. After watching Management Identification and Authentication part 3, I wanted to clarify that. Maybe there are two parts to the authorization, OR I've just always been wrong, which is very likely. When a client requests access to an object and sends the TGT to the KDC, is the KDC checking their read/write NTFS permissions? Or just whether or not they are "authorized" to access the resource, with the local resource server then determining what type of access they have to the resource? Or is the KDC checking the actual permissions to the resource as well?
I hope all is well.
Kerberos is focused on Authentication, NOT Authorization. The server that ultimately is the target of the ST will validate the ST. Once it is deemed good, the appropriate permissions, if any are needed, would be verified by that server, and the user, or the Non-Person Entity (NPE) proxying on behalf of the user, would be allowed access with whatever permissions they are supposed to have.
If you need/want a great overview, although it is a little dated, on how this is implemented and the specific steps and the API calls used to do it in the Microsoft implementation, take a look here:
Please let me know if you have any other questions as you continue your studies.
Good Luck !!
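To make the split described in the answer above concrete, here is a toy model of the ticket flow. It is an added example, not code from this thread or from the Microsoft documentation the answer points to: the KDC issues a TGT and then a service ticket for any principal that can authenticate, and only the file server, after validating the ticket, consults an ACL. Real Kerberos encrypts tickets under the service's long-term key and uses ASN.1 on the wire; here an HMAC under that key stands in for the encryption and JSON stands in for the encoding. The principals, keys, share path and ACL are all constructed for the example.

```python
import hashlib
import hmac
import json
import time


def _mac(key: bytes, body: dict) -> str:
    """Bind a ticket body to a long-term key (stand-in for ticket encryption)."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _check(key: bytes, ticket: dict) -> dict:
    """Return the ticket body if it verifies under key and is unexpired, else raise."""
    if not hmac.compare_digest(_mac(key, ticket["body"]), ticket["mac"]):
        raise PermissionError("ticket was not issued under this key")
    if ticket["body"]["expires"] < time.time():
        raise PermissionError("ticket expired")
    return ticket["body"]


class KDC:
    """AS + TGS. Holds every principal's key; holds no resource ACLs at all."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal or service name -> long-term key (constructed)

    def _issue(self, service: str, client: str, lifetime: int = 300) -> dict:
        body = {"client": client, "service": service, "expires": time.time() + lifetime}
        return {"body": body, "mac": _mac(self.keys[service], body)}

    def as_exchange(self, client: str, ts: float, proof: str) -> dict:
        """AS-REQ/AS-REP: the client proves knowledge of its key and gets a TGT."""
        if not hmac.compare_digest(_mac(self.keys[client], {"ts": ts}), proof):
            raise PermissionError("AS-REQ: pre-authentication failed")
        return self._issue("krbtgt", client)

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        """TGS-REQ/TGS-REP: a valid TGT yields a service ticket. No permission lookup."""
        body = _check(self.keys["krbtgt"], tgt)
        if body["service"] != "krbtgt":
            raise PermissionError("TGS-REQ: presented ticket is not a TGT")
        return self._issue(service, body["client"])


def client_login(kdc: KDC, name: str, key: bytes) -> dict:
    """Client side of the AS exchange: timestamp authenticated under the user's key."""
    ts = time.time()
    return kdc.as_exchange(name, ts, _mac(key, {"ts": ts}))


class FileServer:
    """Target of the ST: authenticates the ticket, then applies its own ACL."""

    def __init__(self, name: str, key: bytes, acl: dict):
        self.name, self.key, self.acl = name, key, acl

    def authenticate(self, st: dict) -> str:
        """AP-REQ: return the authenticated principal name, or raise."""
        body = _check(self.key, st)
        if body["service"] != self.name:
            raise PermissionError("AP-REQ: ticket is for a different service")
        return body["client"]

    def access(self, st: dict, path: str, op: str) -> dict:
        """Authentication first (the ticket), authorization second (the local ACL)."""
        who = self.authenticate(st)
        granted = self.acl.get(path, {}).get(who, set())
        return {"principal": who, "allowed": op in granted}


def demo() -> dict:
    # Constructed principals, keys and a single ACL entry: alice may read one file.
    keys = {"krbtgt": b"kdc-master-key", "alice": b"alice-key",
            "bob": b"bob-key", "fileserver": b"fileserver-key"}
    kdc = KDC(keys)
    share = FileServer("fileserver", keys["fileserver"],
                       acl={"/share/report.docx": {"alice": {"read"}}})
    out = {}
    for user in ("alice", "bob"):
        tgt = client_login(kdc, user, keys[user])
        st = kdc.tgs_exchange(tgt, "fileserver")  # issued for both users alike
        out[f"{user}:principal"] = share.authenticate(st)
        for op in ("read", "write"):
            out[f"{user}:{op}"] = share.access(st, "/share/report.docx", op)["allowed"]
    # A ticket built under a key the attacker chose fails authentication,
    # so the server never reaches its ACL for it.
    body = {"client": "alice", "service": "fileserver", "expires": time.time() + 300}
    forged = {"body": body, "mac": _mac(b"attacker-guess", body)}
    try:
        share.access(forged, "/share/report.docx", "read")
        out["forged"] = "accepted"
    except PermissionError:
        out["forged"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the point of the answer: bob authenticates to the file server just as well as alice does (the KDC hands him a service ticket without asking who may read the file), but the server's own ACL grants him nothing, and alice's ticket gets her read but not write. The forged ticket never reaches the ACL step at all.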
@Adam-Gordon I was still trying to think "mile wide, inch deep" on this one as well. If asked "Kerberos provides which of the following? Select all...", would I select Authorization? That was my thinking and why I was wanting to get clarification.
Good thought process and ALWAYS good to verify and double check to ensure you are understanding things accurately as you study.
Always ask the obvious question, that's the only way to get the obvious answer !!