Can someone please help me with the following, as I have never found an answer to this question.
As far as I know/have heard/read etc.:
In a Windows Active Directory Domain environment, if I (the user) want to authenticate to a domain controller (logon) using Kerberos, then the computer I am logging in from must be domain joined. In other words, the computer has to already share a secret (symmetric key/computer account password) with the DC in order that the computer authenticates in the first instance with the DC and sets up a secure channel over which data can be encrypted to/from the computer and DC (leave Kerberos armoring to one side a moment, as it is not relevant to my question).
So the computer has a secure connection to the DC (which I believe most people refer to as a secure-pipes connection, due to the pipes protocol).
The thing is, I do not see why this secure connection is required for a user to perform Kerberos authentication to a DC (e.g. from a standalone workstation), for the following reason:
As long as the DC/KDC knows the user's long-term key (password hash), e.g. entered by an Admin when the user was created, and the user knows the password too, then the usual Kerberos pre-authentication (encrypt timestamp with hash) can take place between the user and the DC (along with the rest of the Kerberos handshake protocol exchange). For example, a TGT along with a session key can be delivered to the user (session key encrypted using the user's password hash as the key), etc.
So why on earth does it state everywhere I have come across this that you need an existing secure connection (domain-joined computer) before the user can use Kerberos to authenticate themselves?
I would appreciate it if someone could explain (what I am missing, if anything), and if I am pointed to a URL, please make it one with the answer to this specific question in it rather than a general discussion on Kerberos.
Thanks very much everyone
CXMelga
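The exchange the question describes (user key derived from the password, encrypted-timestamp pre-authentication, AS-REP carrying a TGT plus a session key) as an added, simplified example; this is not code from the original post. It assumes a constructed realm `EXAMPLE.LOCAL`, a constructed sample user, and a toy HMAC-based cipher standing in for the real Kerberos AES encryption types. The only keys that appear are the user's long-term key and the KDC's krbtgt key; there is no computer-account key anywhere in the exchange.

```python
import hashlib
import hmac
import json
import os
import struct
import time

REALM = "EXAMPLE.LOCAL"  # constructed sample realm, not a real domain


def string_to_key(password: str, principal: str) -> bytes:
    """Approximates the Kerberos AES string-to-key step (RFC 3962):
    PBKDF2-HMAC-SHA1, 4096 iterations, salt = realm + principal name.
    (The real etype applies a further key-derivation step; omitted here.)"""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=32)


# --- toy authenticated encryption: an assumed stand-in for Kerberos AES-CTS+HMAC ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce||ct
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Minimal AS-exchange server. It holds only principal -> long-term key."""
    MAX_SKEW = 300           # seconds; the usual Kerberos clock-skew tolerance
    TICKET_LIFETIME = 36000  # 10 hours

    def __init__(self):
        self.krbtgt_key = os.urandom(32)  # key that protects TGTs; never leaves the KDC
        self.users = {}                   # principal -> long-term key

    def add_user(self, principal: str, password: str) -> None:
        # What the admin does at account creation: the KDC stores the key, not the password
        self.users[principal] = string_to_key(password, principal)

    def as_exchange(self, principal: str, pa_enc_timestamp: bytes) -> dict:
        now = int(time.time())
        key = self.users.get(principal)
        if key is None:
            return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
        try:
            ts = struct.unpack(">Q", toy_decrypt(key, pa_enc_timestamp))[0]
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}  # wrong password => wrong key
        if abs(now - ts) > self.MAX_SKEW:
            return {"error": "KRB_AP_ERR_SKEW"}         # stale or replayed timestamp
        session_key = os.urandom(32)
        ticket = {"cname": principal, "key": session_key.hex(), "endtime": now + self.TICKET_LIFETIME}
        enc_part = {"key": session_key.hex(), "endtime": ticket["endtime"]}
        return {
            "tgt": toy_encrypt(self.krbtgt_key, json.dumps(ticket).encode()),  # opaque to the client
            "enc_part": toy_encrypt(key, json.dumps(enc_part).encode()),      # under the user's key
        }

    def open_tgt(self, tgt: bytes) -> dict:
        """What the KDC does later in a TGS exchange: decrypt the TGT with its own key."""
        return json.loads(toy_decrypt(self.krbtgt_key, tgt))


def client_login(kdc: KDC, principal: str, password: str, client_clock=None):
    """The user's side: derive the key from the password, send PA-ENC-TIMESTAMP, open the AS-REP."""
    now = int(time.time() if client_clock is None else client_clock)
    key = string_to_key(password, principal)
    pa_enc_timestamp = toy_encrypt(key, struct.pack(">Q", now))
    rep = kdc.as_exchange(principal, pa_enc_timestamp)
    if "error" in rep:
        return rep["error"], None
    enc_part = json.loads(toy_decrypt(key, rep["enc_part"]))
    return "OK", {"session_key": bytes.fromhex(enc_part["key"]), "tgt": rep["tgt"]}


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_user("alice", "correct horse battery staple")  # constructed sample user
    print(client_login(kdc, "alice", "correct horse battery staple")[0])  # OK
    print(client_login(kdc, "alice", "wrong password")[0])                # KDC_ERR_PREAUTH_FAILED
    print(client_login(kdc, "alice", "correct horse battery staple", client_clock=0)[0])  # KRB_AP_ERR_SKEW
```

Running it shows the three outcomes: a correct password yields a session key that the KDC can recover from the TGT, a wrong password fails pre-authentication at the KDC, and a timestamp outside the skew window is rejected. The example covers only the protocol exchange itself, which is what the question reasons about.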