Q: What is a replay attack and how does the Kerberos authentication protocol protect against it?

A: A replay attack occurs when an intruder steals a packet from the network and forwards that packet to a service or application as if the intruder was the user who originally sent the packet. When the packet is an authentication packet, the intruder can use the replay attack to authenticate on another person's behalf and consequently access that person's resources or data.

To protect against replay attacks, the Kerberos authentication protocol uses the concept of an authenticator. A Kerberos authenticator is embedded in the Kerberos protocol exchanges that occur between the authenticating client and the authentication server (in Windows, the domain controller—DC). It holds additional authentication data, such as the ticket lifetime, and most important, the client's timestamp. When the Kerberos logic on a DC or resource server validates a Kerberos authentication message, it will always check the authenticator's timestamp. If the timestamp is earlier or the same as a previous authenticator, the server-side Kerberos logic will reject the packet because it considers it part of a replay attack and user authentication will fail. The Kerberos server-side logic also compares the timestamp in the authenticator to the local server time. If the timestamp in the authenticator isn't within five minutes of the time on the server, it will also reject the packet. These five minutes are referred to as the Kerberos time skew. In Windows, the time skew defaults to five, but you can change this value if desired. To do so, you use the Maximum tolerance for computer clock synchronization Group Policy Object (GPO) setting located in the GPO folder Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.

All this explains why it has become very important to keep the computer clocks synchronized in a Windows Active Directory (AD) forest, starting with Windows 2000 (when Kerberos became the default Windows authentication protocol). For that purpose, Windows includes the Windows Time service, which is crucial to the proper functioning of the Kerberos authentication services. To keep the system clocks on all computers in a Windows domain within five minutes, the Windows Time service uses the Network Time Protocol (NTP). OSs prior to Windows Server 2003 use the Simple Network Time Protocol (SNTP), which is the predecessor of NTP.