Page 1: Kerberos survival guide

Kerberos Survival Guide

Presented by:

JD Wade, SharePoint Consultant, MCITP

Mail: [email protected]

Blog: http://wadingthrough.wordpress.com

LinkedIn: JD Wade

Twitter: http://twitter.com/JDWade

Page 2: Kerberos survival guide

Who is JD Wade?

• SharePoint Consultant since 2007
• Certified KnowledgeLake Partner
• With Horizons since 2005
• Member of SharePoint 2007 and 2010 TAP
• Over 10 years of IT experience
• Technical Editor for the book SharePoint 2010 Disaster Recovery: http://tinyurl.com/SPDRBook2010
• Loves anything related to sound
• Probably has one of the driest senses of humor in the room

Page 3: Kerberos survival guide

HashTag: #SPSColumbus

Welcome to SharePoint Saturday – Columbus, OH

• Please turn off all electronic devices or set them to vibrate.

• If you must take a phone call, please do so in the hall so as not to disturb others.

• Open wireless access is available

• Feel free to “tweet and blog” during the session

• Thanks to our Platinum Sponsors:

Thank you for being a part of the First SharePoint Saturday in Columbus!

Page 4: Kerberos survival guide

Agenda

• Overview
• Logon Process
• Accessing a Web Site
• Troubleshooting
• Kerberos Demos
• Delegation and Demos

Page 5: Kerberos survival guide

Kerberos

Massachusetts Institute of Technology

Page 6: Kerberos survival guide

Details Out of Scope

• Renewing tickets
• Ticket expiration
• Keys
• Authenticator
• TGT Structure
• Service Ticket Structure
• Encryption/Decryption
• Multiple domains/forests

Page 7: Kerberos survival guide
Page 8: Kerberos survival guide

Dependencies

Page 9: Kerberos survival guide
Page 10: Kerberos survival guide

Service Principal Name

An SPN is made up of three parts: Service Class, Host Name and (optionally) Port, written as serviceclass/hostname:port (for example http/intranet.example.com:8080; the port is omitted for the default port).

Page 11: Kerberos survival guide

Service Classes allowed by host (service classes that the built-in host SPN mapping resolves to the computer account):

alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, messenger, msiserver, mcsvc, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, Schedule, scm, seclogon, snmp, spooler, Tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www

Page 12: Kerberos survival guide

Kerberos Benefits

• Delegated Authentication
• Interoperability
• More Efficient Authentication
• Mutual Authentication

Page 13: Kerberos survival guide

Logon Process

Page 14: Kerberos survival guide

KDC

Page 15: Kerberos survival guide

KDC

Page 16: Kerberos survival guide

KDC

SPN

Page 17: Kerberos survival guide

KDC

Page 18: Kerberos survival guide

Access Web Site

Page 19: Kerberos survival guide

401

Page 20: Kerberos survival guide

SPN

Page 21: Kerberos survival guide
Page 22: Kerberos survival guide

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
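The web.config fragment above enables Windows authentication and tells IIS 7 to decrypt service tickets with the application pool identity instead of the machine account. The following added audit script is not part of the deck; it checks a web.config for those two settings and reads a constructed sample instead of a real file path.

```powershell
# Added example: audit a web.config for the two Kerberos-relevant settings on the slide.
# $webConfigXml is a constructed sample; for a real site use Get-Content -Raw on its web.config.
$webConfigXml = @'
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useAppPoolCredentials="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
'@

function Test-KerberosWebConfig {
    param([Parameter(Mandatory)][string]$Xml)

    $doc  = [xml]$Xml
    $node = $doc.SelectSingleNode('/configuration/system.webServer/security/authentication/windowsAuthentication')
    $findings = @()

    if (-not $node) {
        return @('windowsAuthentication element is missing; the site inherits the server defaults')
    }
    if ($node.enabled -ne 'true') {
        $findings += 'windowsAuthentication is not enabled'
    }
    if ($node.useAppPoolCredentials -ne 'true') {
        # With kernel-mode authentication (the IIS 7 default) the machine account key is used to
        # decrypt tickets unless this is set, so an SPN registered on a domain service account fails.
        $findings += 'useAppPoolCredentials is not true; required when the SPN is on a domain service account'
    }
    return $findings
}

Test-KerberosWebConfig -Xml $webConfigXml
```

For the constructed sample the function returns a single finding about useAppPoolCredentials; an empty result means both settings match the slide.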

Page 23: Kerberos survival guide
Page 24: Kerberos survival guide

Troubleshooting

Page 25: Kerberos survival guide
Page 26: Kerberos survival guide

Demos

Page 27: Kerberos survival guide

Delegation

Page 28: Kerberos survival guide
Page 29: Kerberos survival guide

FBA Kerberos

Page 30: Kerberos survival guide

References

• Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
• What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
• How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
• Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx

Page 31: Kerberos survival guide

References

• Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
• Spence Harbar’s Blog: http://www.harbar.net

Page 32: Kerberos survival guide

HashTag: #SPSColumbus

Session Evaluation

• Please complete and turn in your Session Evaluation Form so we can improve future events.

• Presenter:

– xxxxxxxxxxxxxxxxxxx

• Session Name:

– xxxxxxxxxxxxxxxxxxx

Page 33: Kerberos survival guide

HashTag: #SPSColumbus

Ongoing Activities

• Remember to visit the Exhibit Hall

– Visit Sponsor booths to be eligible for raffle prizes at the closing session!

• Stop by the community table to find out about local activities and events in your area.

• Make sure you stick around for the closing session to turn in your evaluation forms to be eligible for the raffles

Page 34: Kerberos survival guide

HashTag: #SPSColumbus

Thanks to our Sponsors

Page 35: Kerberos survival guide

Q & A

Page 36: Kerberos survival guide

Appendix

Page 37: Kerberos survival guide

• Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.
• Authentication is the process of proving your identity to a remote system.
  • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
• The user's password is encrypted as the user key. The user key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.
• The service's password is encrypted as the service key.
• KDCs are found through a DNS query; the service is registered in DNS by the DCs.

Page 38: Kerberos survival guide

• The following slides show the detail behind what happens inside the KDC, but for day-to-day work you can just remember "KDC".
• Another reason for simplification: encryption upon encryption upon encryption… just remember that it is encrypted.
• This is a Windows-centric Kerberos presentation.
• Load-balanced solutions need a service account (the SPN must belong to one account, and every node has to hold that account's key).
• All web applications hosted using the same SPN have to be hosted with the same account.
• Use A records, not CNAME records.

Page 39: Kerberos survival guide

Terms

• Key Distribution Center (KDC) – In Windows AD, the KDC lives on domain controllers (DCs); KDCs share a long-term key across all DCs.
• KDC security account database – In Windows, it is Active Directory.
• Authentication Service (AS) – part of the KDC.
• Ticket Granting Service (TGS) – part of the KDC.
• Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket-granting service. Keeps the user from having to enter the password each time a ticket is requested.

Page 40: Kerberos survival guide

Tickets

• Ticket Granting Ticket (TGT)
  • A user's initial ticket from the authentication service
  • Used to request service tickets
  • Meant only for use by the ticket-granting service
  • Service ticket for the KDC (service class = krbtgt)
• Service Ticket
  • Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service

Page 41: Kerberos survival guide

Tools

• Knowledge
• SetSPN
• Windows Security Logs
• Windows 2008 ADUC or ADSIEdit
• Kerbtray or Klist
• Netmon and Fiddler
• IIS Logs and IIS7 Failed Request Tracing
• LDP
• Kerberos Logging
• Event Logging and/or Debug Logs

Page 42: Kerberos survival guide

Troubleshooting

• Have the user log off and log on if they don't do so regularly: TGTs are only renewable for so long and then they expire (7-day default), after which the password has to be re-entered.
• Remember that authenticators contain the current time. Check for time sync issues.

Page 43: Kerberos survival guide

Common Issues

• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• Times are out of sync
• Client TGT expired (7 days)
• IE and non-default ports
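Three of the issues above (missing SPN, duplicate SPN, SPN on the wrong account) and the earlier "use A records, not CNAMEs" advice can be checked with one AD query per web application. This added script is not from the deck: it builds the SPN in the serviceclass/hostname:port form from the SPN slide, asks AD which accounts hold it, and compares the holder with the expected app pool account. It assumes the ActiveDirectory and DnsClient modules are available and that the host name and account passed in are placeholders you replace.

```powershell
# Added example (not from the deck): audit one web application's SPN for the common issues.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
function Get-SpnAudit {
    param(
        [Parameter(Mandatory)][string]$HostName,          # the site's DNS name (should be an A record)
        [Parameter(Mandatory)][string]$ExpectedAccount,   # sAMAccountName of the app pool identity
        [string]$ServiceClass = 'http',
        [int]$Port = 0                                    # 0 = default port, no :port suffix in the SPN
    )
    # SPN format from the slides: serviceclass/hostname[:port]
    $spn = if ($Port) { "$ServiceClass/${HostName}:$Port" } else { "$ServiceClass/$HostName" }

    # One LDAP query across the domain: every object (user or computer) carrying this exact SPN.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                 Select-Object -ExpandProperty sAMAccountName)

    $result = [ordered]@{ SPN = $spn; Holders = $holders; Status = 'OK' }
    switch ($holders.Count) {
        0 { $result.Status = 'Missing SPN: register it on the service account with setspn -S' }
        1 {
            if ($holders[0] -ne $ExpectedAccount) {
                $result.Status = "SPN assigned to wrong account ($($holders[0])), expected $ExpectedAccount"
            }
        }
        default {
            # The KDC cannot tell which account's key to use, so the ticket request fails.
            $result.Status = "Duplicate SPN held by: $($holders -join ', ')"
        }
    }

    # Slide advice: use A records. A CNAME can make the browser request an SPN for the
    # canonical host name instead of the name the user typed, so the SPN never matches.
    $cname = Resolve-DnsName -Name $HostName -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) { $result.Status += '; host name is a CNAME, use an A record' }

    [pscustomobject]$result
}

# Placeholder values; replace with your site's name and app pool account.
Get-SpnAudit -HostName 'intranet.example.com' -ExpectedAccount 'svc-sp-web'
```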

Page 44: Kerberos survival guide

Request TGT (remember there is even more complexity)

1. User (client) logs into the workstation, entering their password.
2. Client builds an authentication service request containing the user's username (KPN), the SPN of the TGS, and the current time encrypted using the user's password as an authenticator.
3. Client sends these three items to the KDC.
4. KDC gets the user's password from AD, decrypts the time and verifies it is valid.
5. AS generates a logon session key and encrypts it with the user's password. AS generates a service ticket which contains the logon session key and the user's KPN, encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).

Page 45: Kerberos survival guide

Request TGT (remember there is even more complexity)

6. KDC sends both to the client.
7. Client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.

Page 46: Kerberos survival guide

Access Service (remember there is even more complexity)

1. User (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user's KPN, the name of the target service (SPN), and the TGT to the TGS.
2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.
3. TGS extracts the user's KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses the service session key to generate the service ticket and encrypts it using the service's password.
4. TGS sends the service session key and the service ticket to the client.

Page 47: Kerberos survival guide

Access Service (remember there is even more complexity)

5. Client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.
6. Client sends the ticket and authenticator to the remote server which runs the service.
7. Service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.
8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.
9. Client decrypts the authenticator and validates the time.