Kerberos Underworld

Ondrej Sevecek | MCM: Directory | MVP: Security

ondrej@sevecek.com | www.sevecek.com

AN INTRODUCTIONKerberos Underworld

The topics

• The hell of windows authentication mechanisms• Basic, NTLM, Kerberos• Certificates and smart cards or tokens

• How they work differently

• What is better or worse

• Weird and weirder things that you may not know

And the environment

• Windows 2000 and newer

• Active Directory domains

• Maybe some trusts or multidomain forests

• Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers

NETWORK INTERACTIONSKerberos Underworld

Local Logon

DC2000+

Client2000+

KerberosLDAPSMB

TGT: User

GPO List

GPO Download

TGS: LDAP, CIFS

CTRL-ALT-DEL Password

• Password is stored in memory only• LSASS process

• In the form of MD4 hash• never given out

Authentication Interactions in General

DC2000+

Client2000+

Kerberos

Server2000+

App Traffic

DC2000+

SMBD/COMTGT: User

In-bandTGS: Server

NTLM Occasional PAC

Validation

TGS: Server

D/COM Dynamic TCP

NTLMPass-through

The three authentication methods

• Basic• plain-text password• results in Kerberos authentication

• NTLM• hashed password (MD4) method from the past• LM (DES), NTLM (DES), NTLMv2 (MD5)

• Kerberos• hashed password (MD4) plus RC4/DES or AES• mutual authentication and delegation• can use certificates instead of passwords

Basic and RDP Network Logon

DC2000+

Client2000+

Server2000+

App Traffic

DC2000+

In-bandclear text

KerberosTGT: User

NTLM Network Logon

DC2000+

Client2000+

Server2000+

App Traffic

DC2000+

SMBD/COM

In-bandNTLM hash

Pass-through NTLM hash

D/COM Dynamic TCP

Kerberos Network Logon (basic principle)

DC2000+

Client2000+

Kerberos

Server2000+

App Traffic

TGT: User

In-bandTGS: Server

TGS: Server

Kerberos Network Logon (complete)

DC2000+

Client2000+

Kerberos

Server2000+

App Traffic

DC2000+

SMBD/COMTGT: User

In-bandTGS: Server

Occasional PAC

Validation

TGS: Server

D/COM Dynamic TCP

PERFORMANCE COMPARISONKerberos Underworld

NTLM Network Logon

DC2000+

Client2000+

Server2000+

DC2000+

60 % CPU

55 % CPU

Kerberos Network Logon, no PAC Validation

DC2000+

Client2000+

Server2000+

DC2000+

60 % CPU

0 % CPU

Kerberos Network Logon with PAC Validation

DC2000+

Client2000+

Server2000+

DC2000+

60 % CPU

0 % CPU 14 % CPU

Basic Authentication

DC2000+

Client2000+

Server2000+

DC2000+

5 % CPU

0 % CPU

NTLM Performance Issues

DC

Client Server

7 concurren

t

ClientClient

Client

Client

Client

Client

40 sec.

NTLM Trusts

DC B

D\User A\Server

DC A

DC CDC D

Kerberos Trusts

DC B

D\User A\Server

DC A

DC CDC D

WE WANT KERBEROS, SO WHAT?Kerberos Underworld

Basic Facts

• Do not use IP addresses

• Configure SPN (service principal name)

• Have time in sync

• Use trusted identities to run services on Windows 2008 and newer• instead of AD user accounts• no PAC validation

• Enable AES with Windows 2008 DFL

Trusted Identities – Network Service

Trusted Identities – Service Accounts

Trusted Identities – AppPoolIdentity

Trusted Identities – Managed Service Account

IDENTITY ISOLATION FOR SERVICES

Kerberos Underworld

Identity Isolation

• Services on a single machine

• Services that access other back-end services

Windows Identities

Identity Password PAC Validation

Local Isolation

Network Isolation

Operating System

SYSTEM randomchanged 30 days

no Administratorsno isolation

no 2000

AD User Account administratorchanged???

yes Usersisolated

yes 2000

Network Service randomchanged 30 days

no Usersno isolation

no XP

Local Service no network credentials

no Usersno isolation

no XP

Service Account randomchanged 30 days

no Usersisolated

no Vista2008

Managed Service Account

randomchanged 30 days

no Usersisolated

yes 72008 R2

SMART CARD LOGONKerberos Underworld

Smart Card Logon

DC2000+

Client2000+

KerberosPKINIT

Server2000+

App Traffic

DC2000+

TGT: User

TGS: Server

Smart Card Logon and NTLM

DC2000+

Client2000+

Server2000+

NTLM Hash

DC2000+

TGT: User

TGS: Server NTLM Hash

Smart Card Logon and NTLM

DC2000+

Client2000+

Server2000+

NTLM Hash

DC2000+

TGT: User

TGS: Server NTLM Hash

NTLM Hash

DELEGATIONKerberos Underworld

Basic Delegation

ClientFront-End

Server

Back-End

Server

DC

Password

TGS: Back-End

TGT: User

Kerberos Delegation Options

Kerberos Delegation (Simplified)

DC

Client

TGT: User

TGS: Front-End

Front-End

Server

Back-End

Server

DC

TGS: Front-End

TGS: Back-End

Protocol Transition

ClientFront-End

Server

Back-End

Server

DC

TGS: Back-End

Nothing

Kamil

GROUP MEMBERSHIPKerberos Underworld

Group Membership Limits

• AD Group in forest with 2000 FFL• 5000 direct members limit

• AD Group in forest with 2003+ FFL• unlimited membership

• Kerberos Ticket• network transport• limited to 8 kB on 2000 and XP• up to 12 kB on 2003+

• HTTP.SYS header limits• 16 kB of Base-64 encoded tickets

• Access Token• local representation of a logon• up to 1025 groups including local and system

Kerberos Ticket (PAC)

Kamil S-1-5-Prague-1158

Prague Marketing Global 3082 8 Bytes

Prague Sales Global 3083 8 Bytes

Paris Visitors Domain LocalParis

S-1-5-Paris-2115 40 Bytes

Roma IS Domain LocalRoma

S-1-5-Roma-1717 40 Bytes

Prague Documents Domain LocalIDTT

S-1-5-Prague-3084 40 Bytes

Business Owners UniversalIDTT

3085 8 Bytes

Employees UniversalParis

S-1-5-Paris-2116 40 Bytes

TAKEAWAYKerberos Underworld

Takeaway

• Kerberos is most secure, flexible and performance efficient

• Don’t be afraid and play with them!

Ondrej Sevecek | MCM: Directory | MVP: Security

ondrej@sevecek.com | www.sevecek.com

Don’t forget to submit your feedback and win a great Nokia smartphone and Kindle e-reader!