Kerberos Survival Guide: Columbus 2015
Transcript of Kerberos Survival Guide: Columbus 2015
![Page 1: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/1.jpg)
Kerberos Survival Guide
Presented by:
JD Wade, SharePoint Consultant, MCITP
Mail: [email protected]
Blog: http://wadingthrough.com
LinkedIn: http://www.linkedin.com/in/jdwade
Twitter: http://twitter.com/JDWade
![Page 2: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/2.jpg)
Agenda
•Overview
•Logon Process
•Accessing a Web Site
•Keep in Mind
•Delegation
•Tools
•Resources
![Page 3: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/3.jpg)
Kerberos
Massachusetts Institute of Technology
Client / Server
Trusted Third Party
![Page 4: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/4.jpg)
Details Out of Scope
• Renewing tickets
• Ticket expiration
• Keys
• Authenticator
• TGT Structure
• Service Ticket Structure
• Encryption/Decryption
• Multiple domains/forests
![Page 5: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/5.jpg)
Client to server or server to server
Windows = Kerberos V5
Safe on open networks
Default authentication W2K+ domains
Ticket
![Page 6: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/6.jpg)
Dependencies
SPN
O/S
Time Service
![Page 7: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/7.jpg)
Service Principal Name
Format: ServiceClass/HostName:Port
Example: HTTP/website:80
![Page 8: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/8.jpg)
Service Classes allowed by host
Service classes that the KDC maps to the HOST SPN when no explicit SPN of that class is registered (a ticket for any of these is issued against host/<server>, i.e. the computer account):
alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, mcsvc, messenger, msiserver, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon, snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
Example: http://servername is requested as HTTP/servername; with no HTTP SPN registered it is served by host/servername.
![Page 9: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/9.jpg)
Kerberos Benefits
• Delegated Authentication
• Interoperability (non-Microsoft)
• More Efficient Authentication
• Mutual Authentication
• Server to client
• Client to server
![Page 10: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/10.jpg)
Logon Process
![Page 11: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/11.jpg)
KDC
![Page 12: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/12.jpg)
KDC
![Page 13: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/13.jpg)
KDC
SPN
host/workstationname
![Page 14: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/14.jpg)
KDC
![Page 15: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/15.jpg)
Access Web Site
![Page 16: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/16.jpg)
401
![Page 17: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/17.jpg)
SPN
http/www.website.com
![Page 18: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/18.jpg)
![Page 19: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/19.jpg)
Keep In Mind
![Page 20: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/20.jpg)
Classic Claims
![Page 21: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/21.jpg)
• IIS – Chatty by default
• IIS6 – See MS KB 917557
• IIS7/8 – See MS KB 954873
![Page 22: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/22.jpg)
![Page 23: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/23.jpg)
Delegation
![Page 24: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/24.jpg)
Delegation
![Page 25: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/25.jpg)
Srv1
Datamart
Srv2
Cubes
Srv3 Srv4
Web
![Page 26: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/26.jpg)
Srv1
Datamart
Srv2
Cubes
Srv3 Srv4
Web
![Page 27: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/27.jpg)
Srv1
Datamart
Srv2
Cubes
Srv3 Srv4
Web
![Page 28: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/28.jpg)
FBA Kerberos
Protocol Transition
![Page 29: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/29.jpg)
Protocol Transition
![Page 30: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/30.jpg)
Srv1
Datamart
Srv2
Cubes
Srv3 Srv4
Web
![Page 31: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/31.jpg)
• Uses Protocol Transition (Forest/domain limited until Server 2012)
(Constrained Only)
• Excel Services
• Visio Services
• PerformancePoint
• InfoPath Form Services
• SQL SSRS 2012
• Access Service 2013
• Does NOT Use Protocol Transition (Forest limited until Server 2012)
(Unconstrained or Constrained)
• SQL Reporting Services 2008 R2
• BCS
• Project Server
• Doesn’t usually require Kerberos
• PowerPivot for SharePoint Server
![Page 32: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/32.jpg)
Windows 2012
• New PowerShell parameter: PrincipalsAllowedToDelegateToAccount (resource-based constrained delegation, set on the back-end account rather than the front end)
• Constrained delegation across forests and domains
• Must have at least one W2K12 DC in all domains involved
• SharePoint must be running on W2K12 servers
• Backend server must be W2K3 or later
• Must apply MS KB 2665790 to all W2K8 and W2K8 R2 DCs
• Must not have W2K3 DCs
• New KDC operational event log in W2K12: Applications and Services Logs/Microsoft/Windows/Kerberos-Key-Distribution-Center/Operational
• New Kerberos operational event log in W2K12: Applications and Services Logs/Microsoft/Windows/Security-Kerberos/Operational
• Performance counters added
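The delegation slides (the Srv1-Srv4 chain, protocol transition, and the Windows 2012 resource-based option above) in working form, as an added example that is not part of the original deck. It assumes the ActiveDirectory module from RSAT, a placeholder app pool account svc_spweb on the web servers (Srv3/Srv4), and that "Datamart" on Srv1 is SQL Server and "Cubes" on Srv2 is Analysis Services, which fixes the back-end SPNs used below; none of those names come from the slides.

```powershell
# Added example (not from the slides). Placeholders: svc_spweb, SRV1, SRV2, the SPNs and the domain name.
Import-Module ActiveDirectory

$frontEnd = 'svc_spweb'                                   # app pool / service account on Srv3 and Srv4
$backEnds = 'MSSQLSvc/srv1.contoso.local:1433',           # Datamart: SQL Server on Srv1 (assumed)
            'MSOLAPSvc.3/srv2.contoso.local'              # Cubes: Analysis Services on Srv2 (assumed)

# --- Classic (account-based) constrained delegation: configured on the FRONT-END account ---
# msDS-AllowedToDelegateTo lists the only SPNs the front end may request tickets for on a user's behalf.
Set-ADUser -Identity $frontEnd -Replace @{ 'msDS-AllowedToDelegateTo' = $backEnds }

# Protocol transition ("use any authentication protocol"): required when the user did not arrive with a
# Kerberos ticket, e.g. forms-based authentication (FBA). Security note: with this flag the front end can
# obtain a service ticket for ANY user to the listed SPNs without that user's credentials (S4U2Self), so keep
# the SPN list minimal and treat the account as highly privileged.
Set-ADAccountControl -Identity $frontEnd -TrustedToAuthForDelegation $true
# Unconstrained delegation (-TrustedForDelegation $true) would hand the user's TGT to the front end; avoid it.

# --- Resource-based constrained delegation (Server 2012): configured on the BACK-END resource ---
# The resource owner decides who may delegate to it, and it works across domain and forest boundaries.
# If SQL/SSAS run under a domain service account (the account holding the SPN), apply this to that
# account with Set-ADUser instead of to the computer object.
$frontEndPrincipal = Get-ADUser -Identity $frontEnd
Set-ADComputer -Identity 'SRV1' -PrincipalsAllowedToDelegateToAccount $frontEndPrincipal
Set-ADComputer -Identity 'SRV2' -PrincipalsAllowedToDelegateToAccount $frontEndPrincipal

# --- Verify: userAccountControl bits on the front end, and who may delegate to the back ends ---
$TRUSTED_FOR_DELEGATION = 0x80000; $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
Get-ADUser -Identity $frontEnd -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object SamAccountName,
        @{ n = 'Unconstrained';       e = { [bool]($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) } },
        @{ n = 'ProtocolTransition';  e = { [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
'SRV1', 'SRV2' | ForEach-Object {
    Get-ADComputer -Identity $_ -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, @{ n = 'PrincipalsAllowedToDelegateToAccount'; e = { $_.PrincipalsAllowedToDelegateToAccount -join ', ' } }
}

# --- Server 2012 operational logs are off by default ---
wevtutil set-log 'Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational' /e:true   # run on each DC
wevtutil set-log 'Microsoft-Windows-Security-Kerberos/Operational' /e:true                  # run on client / web server
Get-WinEvent -LogName 'Microsoft-Windows-Security-Kerberos/Operational' -MaxEvents 20
```

Only one of the two configurations is needed for a given hop; the resource-based form is the one to use when the front end and the back end are in different domains or forests, which is what the Windows 2012 slide is describing.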
![Page 33: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/33.jpg)
Tools
• Kerberos Authentication Tester
• http://blog.michelbarneveld.nl/media/p/33.aspx
• KList
• http://www.microsoft.com/download/en/details.aspx?id=11583
• Kerberos PowerShell Module
• https://gallery.technet.microsoft.com/scriptcenter/Keberos-Module-3a6ab12a
• SharePoint Kerberos Buddy
• DelegConfig v2
![Page 34: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/34.jpg)
Resources
• Kerberos Survival Guide wiki page
Named my session that title before the wiki page existed
• Kerberos for Microsoft BI wiki page
• Microsoft BI Authentication and Identity Delegation paper
• The Final Kerberos Guide for SharePoint Technicians
![Page 35: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/35.jpg)
Steering Committee, Speakers, Volunteers
![Page 36: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/36.jpg)
SharePint
Elevator Brewery and Draught
161 N. High St, Columbus, OH 43215
www.ElevatorBrewing.com
6:00pm…..
![Page 37: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/37.jpg)
Q & A
Presentation available for download at
http://wadingthrough.com/presentations
http://www.hrizns.com
http://twitter.com/jdwade
![Page 38: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/38.jpg)
Appendix
![Page 39: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/39.jpg)
References
• Ken Schaefer’s Multi-Part Kerberos Blog Posts:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
• What Is Kerberos Authentication?
http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
• How the Kerberos Version 5 Authentication Protocol Works
http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
• Explained: Windows Authentication in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff647076.aspx
![Page 40: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/40.jpg)
References
• Kerberos Authentication Tools and Settings
http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff649317.aspx
• Spence Harbar’s Blog
http://www.harbar.net
![Page 41: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/41.jpg)
• Kerberos is an open authentication protocol developed at MIT (Project Athena) in the 1980s. Version 5, the one Windows implements, was published as RFC 1510 in 1993 (revised as RFC 4120 in 2005).
• Authentication is the process of proving your identity to a remote system.
• Your identity is who you are; in most systems it is your username. You prove it with a secret shared between you and the remote system, such as a password.
• The user's long-term key is derived from the password (Kerberos never transmits or uses the password itself). It is held in the credential cache only long enough to decrypt the KDC's reply; once the logon session key has been recovered, the user key is discarded.
• The service's long-term key is likewise derived from the service account's password.
• Clients find KDCs through DNS: domain controllers register Kerberos SRV records (_kerberos._tcp.<domain>) when they start.
![Page 42: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/42.jpg)
• The slides show the detail of what happens inside the KDC, but for day-to-day work you can just remember "KDC".
• Another reason for simplification: encryption upon encryption upon encryption. Just remember that it is encrypted.
• This is a Windows-centric Kerberos presentation.
• Load-balanced solutions need a domain service account: the SPN for the shared name can be registered on only one account, and the computer accounts behind the load balancer cannot all hold it.
• All web applications hosted using the same SPN have to run under the same account, for the same reason.
• Use A records, not CNAME records: the client builds the SPN from the host name, and with a CNAME some clients use the canonical name the CNAME points to, so the ticket is requested for an SPN that was never registered.
![Page 43: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/43.jpg)
• Terms
• Key Distribution Center (KDC) – In Windows AD, the KDC runs on every domain controller (DC). All DCs in a domain share one long-term key, the krbtgt account's key, so a TGT issued by one DC can be read by any other.
• KDC security account database – In Windows, it is Active Directory
• Authentication Service (AS) – part of the KDC; issues TGTs
• Ticket Granting Service (TGS) – part of the KDC; issues service tickets
• Ticket Granting Ticket (TGT) - A user's initial ticket from the authentication service, used to request
service tickets, and meant only for use by the ticket granting service. Keeps the user from having
to enter password each time a ticket is requested.
![Page 44: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/44.jpg)
Tickets
• Ticket Granting Ticket (TGT)
• A user's initial ticket from the authentication service
• Used to request service tickets
• Meant only for use by the ticket-granting service.
• Service ticket for the KDC (service class = krbtgt)
• Service Ticket
• Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the
target server or service.
![Page 45: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/45.jpg)
• Troubleshooting
• Have the user log off and on if they don't do so regularly: a TGT is only renewable for so long (10-hour lifetime, renewable for up to 7 days by default) and then expires, after which a fresh TGT must be obtained with the user's credentials. Logging off and on also picks up group membership changes, which are fixed in the TGT when it is issued.
• Remember that authenticators contain the current time. Check for time sync issues.
![Page 46: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/46.jpg)
• Request TGT (Remember there is even more complexity)
1. The user (client) logs on to the workstation and enters a password; the client derives the user's long-term key from it.
2. The client builds an authentication service request (AS-REQ) containing the user's principal name (KPN), the SPN of the TGS (krbtgt/REALM), and a pre-authentication authenticator: the current time encrypted with the user's key.
3. The client sends these three items to the KDC.
4. The KDC looks up the user's key in AD, decrypts the timestamp and verifies it is within the allowed clock skew (5 minutes by default).
5. The AS generates a logon session key and encrypts one copy with the user's key. It also builds a ticket containing the logon session key and the user's KPN, encrypted with the krbtgt key shared by all KDCs in the domain. This special ticket is the Ticket Granting Ticket (TGT).
![Page 47: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/47.jpg)
• Request TGT (Remember there is even more complexity)
6. The KDC sends both to the client (AS-REP).
7. The client decrypts the logon session key with the user's key and stores it in its cache, along with the TGT. The client cannot read the TGT itself; only the KDC can.
![Page 48: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/48.jpg)
• Access Service (Remember there is even more complexity)
1. The client encrypts the current time with the cached logon session key to create an authenticator, and sends the authenticator, the user's KPN, the name of the target service (SPN) and the TGT to the TGS (TGS-REQ).
2. The TGS decrypts the TGT with the krbtgt key to recover the logon session key, decrypts the authenticator with that key and confirms the time is valid.
3. The TGS takes the user's KPN from the TGT (not from the request), generates a service session key and encrypts one copy with the logon session key. It places another copy, together with the KPN, in a service ticket encrypted with the target service's long-term key.
4. The TGS sends the encrypted service session key and the service ticket to the client (TGS-REP).
![Page 49: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/49.jpg)
• Access Service (Remember there is even more complexity)
5. The client decrypts the service session key with the cached logon session key, then encrypts the current time (and other items) with the service session key to create an authenticator.
6. The client sends the service ticket and the authenticator to the server running the service (AP-REQ).
7. The service decrypts the ticket with its own long-term key, recovering the service session key and the KPN. With the service session key it decrypts the authenticator and confirms the time is valid. A Windows access token is then generated from the authorization data in the ticket.
8. (Optional) If the client requested mutual authentication, the service encrypts the timestamp from the client's authenticator with the service session key and returns it (AP-REP).
9. The client decrypts the reply and checks that the timestamp matches, which proves the server holds the service key.
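The nine steps above run end to end, as an added example that is not part of the original deck: every message is built explicitly so you can see which key opens which part and why a bad password, a bad clock or a forged ticket fails. It is a toy: the realm, user, password and SPN are made up, "encryption" is AES-256-CBC plus an HMAC-SHA256 tag over a JSON string rather than the RFC 3961 encryption types, keys are random 256-bit values, and there is no PAC, lifetime or real KDC. Needs only Windows PowerShell 5.1 or PowerShell 7, no domain.

```powershell
# Added example (not from the slides). Toy protocol run; all names, keys and the password are constructed.
function New-Key { $b = New-Object byte[] 32; [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); ,$b }
function B64([byte[]]$Bytes) { [Convert]::ToBase64String($Bytes) }
function FromB64([string]$Text) { ,[Convert]::FromBase64String($Text) }
function Now { (Get-Date).ToUniversalTime().Ticks }            # authenticators carry the current time

# Long-term key: derived from the password, never the password itself. Kerberos AES types use PBKDF2 with
# salt = realm + principal and 4096 iterations (RFC 3962); this mirrors that with PBKDF2-HMAC-SHA1.
function ConvertTo-LongTermKey([string]$Password, [string]$Salt) {
    $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes($Password, [Text.Encoding]::UTF8.GetBytes($Salt), 4096)
    ,$kdf.GetBytes(32)
}
# Encrypt-then-MAC a set of fields under a key; returns one base64 blob (IV | ciphertext | tag).
function Protect([byte[]]$Key, [hashtable]$Fields) {
    $aes = [Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $plain = [Text.Encoding]::UTF8.GetBytes(($Fields | ConvertTo-Json -Compress))
    $body  = [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length))
    $tag   = [Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($body)
    B64 ([byte[]]($body + $tag))
}
# Verify the tag, then decrypt. Throws on a wrong key or a tampered blob; every party relies on that.
function Unprotect([byte[]]$Key, [string]$Blob) {
    $all  = FromB64 $Blob
    $body = [byte[]]($all[0..($all.Length - 33)]); $tag = [byte[]]($all[($all.Length - 32)..($all.Length - 1)])
    $expected = [Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($body)
    if ((B64 $expected) -ne (B64 $tag)) { throw 'integrity check failed: wrong key or tampered message' }
    $aes = [Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]($body[0..15])
    $plain = $aes.CreateDecryptor().TransformFinalBlock([byte[]]($body[16..($body.Length - 1)]), 0, $body.Length - 16)
    [Text.Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
}
function Test-Fresh([long]$Ticks) {                          # default Windows skew tolerance is 5 minutes
    if ([math]::Abs((Now) - $Ticks) -gt [TimeSpan]::FromMinutes(5).Ticks) { throw 'KRB_AP_ERR_SKEW: clock skew too great' }
}

# --- What each party knows beforehand (constructed) ---
$Realm = 'CONTOSO.LOCAL'; $User = 'jdoe'; $Spn = 'HTTP/www.website.com'
$userKey    = ConvertTo-LongTermKey -Password 'Winter2015!' -Salt ($Realm + $User)  # workstation derives it; AD stores it
$krbtgtKey  = New-Key    # known only to the domain's KDCs; protects every TGT
$serviceKey = New-Key    # the web server's service account key; known to the KDC and the server

# --- Request TGT, steps 1-7 ---
$asReq = @{ Kpn = $User; Sname = "krbtgt/$Realm"; PreAuth = (Protect $userKey @{ Ts = (Now) }) }   # steps 1-3
function Invoke-AuthenticationService([hashtable]$Req) {                                       # steps 4-6, on the KDC
    Test-Fresh (Unprotect $userKey $Req.PreAuth).Ts          # wrong password => integrity failure; bad clock => skew
    $logonKey = New-Key
    @{
        EncPart = Protect $userKey   @{ SessionKey = (B64 $logonKey); Sname = $Req.Sname }             # user can open
        Tgt     = Protect $krbtgtKey @{ Kpn = $Req.Kpn; SessionKey = (B64 $logonKey); Issued = (Now) }  # opaque to user
    }
}
$asRep = Invoke-AuthenticationService $asReq
$logonSessionKey = FromB64 (Unprotect $userKey $asRep.EncPart).SessionKey                       # step 7: cache both
$tgt = $asRep.Tgt

# --- Access Service, steps 1-4 (TGS) ---
$tgsReq = @{ Tgt = $tgt; Spn = $Spn; Authenticator = (Protect $logonSessionKey @{ Kpn = $User; Ts = (Now) }) }
function Invoke-TicketGrantingService([hashtable]$Req) {
    $t = Unprotect $krbtgtKey $Req.Tgt                      # only the KDC can open a TGT
    $logonKey = FromB64 $t.SessionKey
    $auth = Unprotect $logonKey $Req.Authenticator; Test-Fresh $auth.Ts
    if ($auth.Kpn -ne $t.Kpn) { throw 'KRB_AP_ERR_BADMATCH: authenticator and ticket disagree' }
    $svcKey = New-Key
    @{
        EncPart = Protect $logonKey   @{ SessionKey = (B64 $svcKey); Spn = $Req.Spn }
        Ticket  = Protect $serviceKey @{ Kpn = $t.Kpn; SessionKey = (B64 $svcKey); Spn = $Req.Spn }  # identity from the TGT
    }
}
$tgsRep = Invoke-TicketGrantingService $tgsReq
$serviceSessionKey = FromB64 (Unprotect $logonSessionKey $tgsRep.EncPart).SessionKey

# --- Access Service, steps 5-9 (AP) ---
$apReq = @{ Ticket = $tgsRep.Ticket; Authenticator = (Protect $serviceSessionKey @{ Kpn = $User; Ts = (Now) }); MutualAuth = $true }
function Invoke-WebService([hashtable]$Req) {
    $t = Unprotect $serviceKey $Req.Ticket                  # the server never contacts the KDC
    $svcKey = FromB64 $t.SessionKey
    $auth = Unprotect $svcKey $Req.Authenticator; Test-Fresh $auth.Ts
    if ($auth.Kpn -ne $t.Kpn) { throw 'KRB_AP_ERR_BADMATCH' }
    Write-Host "Access token would be built for $($t.Kpn) on $($t.Spn)"
    if ($Req.MutualAuth) { Protect $svcKey @{ Ts = $auth.Ts } }   # AP-REP: echo the client's timestamp under the session key
}
$apRep = Invoke-WebService $apReq
if ((Unprotect $serviceSessionKey $apRep).Ts -ne (Unprotect $serviceSessionKey $apReq.Authenticator).Ts) { throw 'mutual authentication failed' }
Write-Host 'Mutual authentication succeeded: the server proved it holds the service key'
```

To see the failure modes the troubleshooting slides talk about, change the password on the client side only (the AS rejects the pre-authentication), shift the clock in Now by more than five minutes (KRB_AP_ERR_SKEW), or hand Invoke-WebService a ticket produced under a different service key (integrity failure, which is what a wrong or duplicate SPN looks like from the server's side).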
![Page 50: Kerberos Survival Guide: Columbus 2015](https://reader033.fdocuments.in/reader033/viewer/2022051516/55d314c1bb61ebc6268b45c9/html5/thumbnails/50.jpg)
Common Issues that break Kerberos
• Times are out of sync – authenticators contain current time
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383)
• IIS 7 – remember Kernel mode authentication and check settings
• Client TGT expired (renewable for up to 7 days by default; have the user log off and on, no reboot required)
• IE and non-default ports: IE does not put the port in the SPN by default, so a site on a non-default port still needs HTTP/<host> registered
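The SPN rules from the Service Principal Name slides and the checklist above, run as one diagnostic, as an added example that is not part of the original deck. It assumes a domain-joined machine with the ActiveDirectory and DnsClient modules (RSAT, Windows 8 / Server 2012 or later); the URL, host name and account svc_spweb are placeholders. It does not touch IIS: for the kernel-mode item, if the app pool runs as a domain account, either disable kernel-mode authentication or set useAppPoolCredentials=true so the ticket is decrypted with that account's key rather than the machine's.

```powershell
# Added example (not from the slides). Checks DNS, SPN registration, clock skew and ticket acquisition for one URL.
function Test-KerberosWebApp {
    param(
        [Parameter(Mandatory)][uri]$Url,     # placeholder, e.g. http://www.website.com:8080/
        [string]$ExpectedAccount             # sAMAccountName of the app pool / service account, if known
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $hostName = $Url.Host

    # 1. DNS. The client builds the SPN from the host name in the URL; with a CNAME some clients use the
    #    canonical name instead, so they ask for an SPN nobody registered. Slide: use A records, not CNAMEs.
    try {
        $dns = Resolve-DnsName -Name $hostName -ErrorAction Stop
        if ($dns | Where-Object Type -eq 'CNAME') { $findings.Add("DNS: $hostName is a CNAME; register an A record instead") }
    } catch { $findings.Add("DNS: $hostName does not resolve ($($_.Exception.Message))") }

    # 2. SPNs. IE and WinHTTP leave the port out of the SPN by default even on non-default ports, so HTTP/<host>
    #    must exist; HTTP/<host>:<port> only matters for clients configured to send it.
    $spns = @("HTTP/$hostName")
    if (-not $Url.IsDefaultPort) { $spns += "HTTP/${hostName}:$($Url.Port)" }
    foreach ($spn in $spns) {
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        switch ($holders.Count) {
            0       { if ($spn -eq $spns[0]) { $findings.Add("SPN: $spn is not registered; the KDC falls back to HOST/$hostName (computer account), which only works when the site authenticates with the machine account (built-in app pool identity, or kernel-mode auth without useAppPoolCredentials)") } }
            1       { if ($ExpectedAccount -and $holders[0].sAMAccountName -ne $ExpectedAccount) { $findings.Add("SPN: $spn is registered on $($holders[0].sAMAccountName), expected $ExpectedAccount") } }
            default { $findings.Add("SPN: $spn is DUPLICATED on " + (($holders | ForEach-Object sAMAccountName) -join ', ') + '; the KDC cannot choose a key') }
        }
    }

    # 3. Time. Authenticators carry the current time; KDC and service reject anything outside the skew
    #    tolerance (5 minutes by default). Compare this box with the nearest DC.
    $dc = (Get-ADDomainController -Discover -NextClosestSite).HostName | Select-Object -First 1
    $sample = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -First 1
    if ($sample) {
        $offset = [double]$sample.Matches[0].Groups[1].Value
        if ([math]::Abs($offset) -gt 300) { $findings.Add("TIME: clock is $([math]::Round($offset, 1))s off from $dc, beyond the 5-minute tolerance") }
    } else { $findings.Add("TIME: could not sample $dc with w32tm") }

    # 4. Ask the KDC for a service ticket under the current logon session and look for it in the cache.
    $klist = klist get $spns[0] 2>&1 | Out-String
    if ($klist -notmatch ('Server:\s*' + [regex]::Escape($spns[0]))) {
        $findings.Add("KLIST: no ticket obtained for $($spns[0]); last lines: " + (($klist.Trim() -split "`r?`n" | Select-Object -Last 2) -join ' | '))
    }

    if ($findings.Count -eq 0) { "OK: no Kerberos problems found for $Url" } else { $findings.ToArray() }
}

Test-KerberosWebApp -Url 'http://www.website.com:8080/' -ExpectedAccount 'svc_spweb'
```

Run it as the user who sees the failure, on the machine where the failure occurs: the klist step uses that logon session's TGT, so it reproduces exactly what the browser would get, and the time check catches the case where the DCs agree with each other but the workstation does not.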