2. Who's on First? How can Abbot authenticate that Costello is talking? How can Abbot make sure that Costello is on First?
3. Kerberos the three-headed dog Authentication protocol named after a mythical three-headed dog: Key Distribution Center (KDC) The client user The accessed server Came out of MIT Adopted by MS AD to replace NTLM (and failed to do so)
4. How does it work?
5. How does it work? User login by entering username and password
6. How does it work?
7. How does it work? KDC contacts AD to authenticate the user and gather all groups he posses
8. How does it work?
9. How does it work? Windows Security Event 4768 event logged for the user from source ip
10. How does it work? Windows Security Event 4768 event logged for the user from source ip Client machine caches the TGT This is done once per session (until TGT expiration)
11. How does it work? Now the user wants to access server B
12. How does it work?
13. How does it work? KDC validate the request (check encryption validity)
14. How does it work?
15. How does it work? Windows Security Event 4769 event logged for the user from source ip to computer B
16. How does it work?
17. How does it work? Validate the ticket authenticity: decrypt the service ticket with computer B ticket
18. So whats new? Scalable Servers do not need to contact KDC to authenticate users Only users and machine account authenticate with the KDC, once per 10h of activity Secure Passwords are not sent over the wire Ticket based authentication based on certificates trusts Advanced Features Single Sign-On Delegation Cross Domain Authentication
19. Wait, machines need to authenticate? Yes!! Need to ensure that a Service Ticket is addressed and used only by the destination computer The Service Ticket is encrypted by the machine account session key (shared with the KDC) Only the target machine can validate the Service Ticket This is why we see 4768 events and 4769 events for the machine account!
20. 4769 events with source=target When a user logins to a local computer, a session is created for him: It doesnt matter if it is a remote session, or local interactive session In both cases, the computer needs to know the users credentials (group membership and SID) It uses a Service Ticket addressed to the local computer to do so Works the same as if we contacted a remote servers This is why we get a 4769 event with source equals to target after each login
21. 4769 with target equals domain controller? After each login, the computer needs to pull Group Policy from AD: Need to access the AD domain controller and pull the policy To do so, we need to authenticate with the domain controller Authentication is done using Kerberos, just like any server access This is why we get a 4769 event with target equals to a domain controller after each login
22. So, what events are logged ? Event Type Account Source Destination 4768 Machine B Machine B 4768 Machine C Machine C 4768 User A Machine B 4769 User A Machine B Machine B 4769 User A Machine B Domain Controller 4769 User A Machine B Machine C Time
23. Delegation A mechanism to authenticate on behalf of the user to 3rd party resources Machine and account doing the delegation need to be trusted by AD Used by most Windows based web servers (i.e. SharePoint, Sites backed by SQL Server) User authenticate with the web server Service Ticket passed to the SQL server Source ip is the web server! 4769 event logged, with delegated flag set to true (ticket options field)
24. Cross Domain Authentication The client first authenticate with the local domain, asking for a referral ticket The referral ticket is encrypted by a inter-domain key The client sends the referral ticket to the remote domain The remote domain issues a Service Ticket granting access to the remote server