Kerberos presentation
  1. Kerberos Introduction
     Kerberos in Greek mythology was the three-headed dog guarding the gates to the underworld. Kerberos was developed as part of MIT's Athena project and taken on board as the default authentication protocol by MS in Windows 2000. All flavours of Kerberos provide authentication; the MS implementation, however, also provides extensions for authorization.
  2. So what does that mean?
     • Provides a mechanism for authentication and mutual authentication between a client and a server
     • Based on tickets containing client credentials, encrypted with shared keys
     • THE default authentication protocol for AD
     • Based on a trusted third-party model
  3. Authentication, Interoperability, Impersonation
     • Increased authentication efficiencies (it's just faster)
     • Mutual authentication (it can verify you and you can verify it)
     • Protocol Transition (first NTLM, then Kerberos)
     • Constrained Delegation (impersonation with rules)
     • Smartcards
  4. The KDC
     • The KDC is the trusted 3rd party; this provides scalability
     • The KDC is made up of 2 sub-services: (AS) Authentication Service and (TGS) Ticket Granting Service
     • The KDC holds a copy of each entity's Master Key (symmetric crypto)
     • The KDC issues the keys to each entity, encrypted with that entity's Master Key
  5. SPNs
     Service                  | DNS entry (FQDN)  | Service account         | SPNs
     Blackpearl Server        | k2server.k2.com   | K2\K2serviceaccount     | K2server/k2server.k2.com:5252, K2server/k2server:5252, K2HostServer/k2server.k2.com:5555, K2HostServer/k2server:5555
     Blackpearl Web Components| k2wks.k2.com      | K2\K2workspaceaccount   | HTTP/k2wks.k2.com, HTTP/k2wks
     SSRS 2005                | ssrs.k2.com       | K2\K2SSRSserviceaccount | HTTP/ssrs, HTTP/ssrs.k2.com
     Web App                  | SharePoint.k2.com | K2\K2MOSSserviceaccount | HTTP/SharePoint, HTTP/SharePoint.k2.com
     SQL Server               | K2sql.k2.com      | K2\K2SQLserviceaccount  | MSSQLSvc/k2sql:1433, MSSQLSvc/k2sql.k2.com:1433
  6. Delegation
     • Windows 2000: the user's TGT is passed to the service to facilitate delegation
     • Windows 2003: the service ticket can be used to request a new ticket
     • Windows 2000 allowed only the non-constrained delegation model
     • Windows 2003 introduced constrained delegation; this prevents the service delegating the user to any system
     • Constrained delegation is only available when running 2003 native!
     • To check: the attribute on the AD account holding the delegate-to SPNs is "msDS-AllowedToDelegateTo" (see Adsiedit.msc)
  7. Without Kerberos (diagram; hop labels: NTLM, Anonymous)
  8. Kerberos (diagram; hop labels: Kerberos, Kerberos, Kerberos Integrated SQL)
  9. Steps
     1. Plan
     2. Understand all the services in play and how they will talk amongst each other
     3. Get service accounts for each service (best practice: one per service!)
     4. Get machine A NAME records and any host headers in IIS (use A NAME records and avoid port numbers in HTTP requests)
     5. Generate the required SPNs (script?)
     6. Enable the service accounts for delegation
     7. Determine the delegation
     8. Is PT (Protocol Transition) required?
  10. IIS configuration, section system.webServer/security/authentication/windowsAuthentication:
        <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
  11. SQL Server SPN formats
      MSSQLSvc/FQDN:[port | instancename], MSSQLSvc/FQDN:port or MSSQLSvc/FQDN
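As an added example (not code from the K2 deck), the script below carries out step 5 of slide 9 ("Generate required SPNs") for the SPN forms in slides 5 and 11: for each service it emits the FQDN and short-name form, appends the port only where the service uses one, and registers each SPN with `setspn -S`, which refuses to add an SPN another account already holds. The hosts, ports and accounts are the constructed values from the slide 5 table; `Get-RequiredSpn` and `Register-PlannedSpn` are names assumed for this example. It assumes setspn.exe (RSAT) is installed and the shell runs as an account allowed to write SPNs.

```powershell
# Added example, not from the K2 deck. Constructed plan mirroring the slide 5 table.
$plan = @(
    @{ Class = 'K2server';     Fqdn = 'k2server.k2.com';   Port = 5252; Account = 'K2\K2serviceaccount' },
    @{ Class = 'K2HostServer'; Fqdn = 'k2server.k2.com';   Port = 5555; Account = 'K2\K2serviceaccount' },
    @{ Class = 'HTTP';         Fqdn = 'k2wks.k2.com';                   Account = 'K2\K2workspaceaccount' },
    @{ Class = 'HTTP';         Fqdn = 'ssrs.k2.com';                    Account = 'K2\K2SSRSserviceaccount' },
    @{ Class = 'HTTP';         Fqdn = 'SharePoint.k2.com';              Account = 'K2\K2MOSSserviceaccount' },
    @{ Class = 'MSSQLSvc';     Fqdn = 'k2sql.k2.com';      Port = 1433; Account = 'K2\K2SQLserviceaccount' }
)

function Get-RequiredSpn {
    # Returns the FQDN form and the short-name form of one SPN (assumed helper name).
    # The port is appended only when the service listens on an explicit port,
    # matching slide 11: MSSQLSvc/FQDN:port versus MSSQLSvc/FQDN.
    param([string]$Class, [string]$Fqdn, [int]$Port = 0)
    $short  = $Fqdn.Split('.')[0]
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    "$Class/$Fqdn$suffix"
    "$Class/$short$suffix"
}

function Register-PlannedSpn {
    # Registers every SPN in the plan (assumed helper name); -DryRun only prints the commands.
    param([hashtable[]]$Plan, [switch]$DryRun)
    foreach ($entry in $Plan) {
        $spns = Get-RequiredSpn -Class $entry.Class -Fqdn $entry.Fqdn -Port $entry.Port
        foreach ($spn in $spns) {
            if ($DryRun) { "setspn -S $spn $($entry.Account)"; continue }
            # setspn -S adds the SPN only if no other account in the forest already holds it,
            # so the duplicate-SPN check from slide 17 happens before a duplicate can exist.
            & setspn.exe -S $spn $entry.Account
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "setspn -S $spn $($entry.Account) returned $LASTEXITCODE (duplicate SPN or access denied?)"
            }
        }
    }
}

# Print the commands first; run again without -DryRun to apply them.
Register-PlannedSpn -Plan $plan -DryRun
```

Both name forms are registered because the client builds the SPN from whichever name it used to reach the service, and a missing form shows up as KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7) or a silent fallback to NTLM.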
  12. Troubleshooting: Network, Auditing, Logging, Debug Tracing
  13. Auditing
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      - "LogLevel", DWORD value of 1
      - For temporary use only
  14. Logging
      - "LogToFile", DWORD value 1
      - Logs to the file "C:\Windows\System32\lsass.log"
  15. Debug
      - "KerbDebugLevel", DWORD value c0000043 (this value will print the most standard set of debug messages. Try it first. If you still want to see more output, set it to ffffffff).
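Slides 13 to 15 are three registry values under one key, and slide 13 stresses they are for temporary use. As an added example (not from the deck), the pair of functions below turns them on and off together so the lsass.log and debug tracing do not get left behind on a production KDC or server. The registry key and value names are the ones the slides give; `Enable-KerberosDiagnostics` and `Disable-KerberosDiagnostics` are names assumed for this example, and it assumes an elevated shell on the machine being diagnosed.

```powershell
# Added example, not from the K2 deck. Key and value names are those from slides 13-15.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# 0xC0000043 does not fit a signed Int32, which is what the registry provider wants
# for a DWORD, so reinterpret the same 32 bits as a signed value.
$standardDebugLevel = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]0xC0000043), 0)

function Enable-KerberosDiagnostics {
    # Assumed helper name. Sets the slide 13/14 values; -DebugTrace adds the slide 15 value.
    param([switch]$DebugTrace)
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    # Slide 13 (Auditing): LogLevel = 1
    Set-ItemProperty -Path $kerbParams -Name LogLevel  -Value 1 -Type DWord
    # Slide 14 (Logging): LogToFile = 1, output goes to C:\Windows\System32\lsass.log
    Set-ItemProperty -Path $kerbParams -Name LogToFile -Value 1 -Type DWord
    if ($DebugTrace) {
        # Slide 15 (Debug): KerbDebugLevel = c0000043, the standard debug set
        Set-ItemProperty -Path $kerbParams -Name KerbDebugLevel -Value $standardDebugLevel -Type DWord
    }
    Write-Host "Kerberos diagnostics enabled; remember to run Disable-KerberosDiagnostics afterwards."
}

function Disable-KerberosDiagnostics {
    # Assumed helper name. Removes all three values so the machine returns to its default state.
    foreach ($name in 'LogLevel', 'LogToFile', 'KerbDebugLevel') {
        Remove-ItemProperty -Path $kerbParams -Name $name -ErrorAction SilentlyContinue
    }
    Write-Host "Kerberos diagnostics disabled; review and then delete C:\Windows\System32\lsass.log."
}
```

Run `Enable-KerberosDiagnostics` (or `Enable-KerberosDiagnostics -DebugTrace`), reproduce the failing authentication, then `Disable-KerberosDiagnostics`. The lsass.log can contain ticket and principal details for every logon on the box, so treat it as sensitive and remove it once the investigation is finished.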
  16. Some common Kerberos failure codes
      Code | Error                        | Meaning
      0x6  | KDC_ERR_C_PRINCIPAL_UNKNOWN  | STATUS_NO_SUCH_USER
      0x7  | KDC_ERR_S_PRINCIPAL_UNKNOWN  | Server not found in Kerberos database
      0x8  | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in database
      0x17 | KDC_ERR_KEY_EXPIRED          | Password has expired; change password to reset
      0x25 | KRB_AP_ERR_SKEW              | Clock skew too great
      0x34 | KRB_ERR_RESPONSE_TOO_BIG     | Response too big for UDP, retry with TCP
  17. Troubleshooting
      - Use the Windows security log: look for 540 events, which show you the protocol used and any transited services
      - Check for duplicate SPNs
      - Check SPN syntax
      - Check delegation settings
      - ADSI is your friend
  18. Multiforest
      - Kerberos since 2003 is supported across forests via the forest-level trust introduced in Windows 2003
      - Delegation across forests is not supported
      - FQDNs are required to resolve across forests
      - Root hints are used to find the target KDC
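As an added example (not from the deck), the script below runs the checks from slide 17 that can be scripted: it reads the 540 logon events for the authentication package and transited services, and for each service account it validates SPN syntax, looks for the same SPN on more than one object (the 0x8 KDC_ERR_PRINCIPAL_NOT_UNIQUE case from slide 16) and reports the delegation attributes from slide 6, including "msDS-AllowedToDelegateTo". It assumes the RSAT ActiveDirectory module and a shell with read access to the domain and the Security log; the account names are the constructed ones from slide 5, and the function names are assumed for this example.

```powershell
# Added example, not from the K2 deck. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-SpnSyntax {
    # Assumed helper: class/host[:port-or-instance][/name], host a short name or FQDN.
    param([string]$Spn)
    $Spn -match '^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(:(\d{1,5}|[A-Za-z0-9_$.-]+))?(/[^\s/]+)?$'
}

function Find-SpnHolders {
    # Assumed helper: every AD object that holds this SPN. More than one = duplicate SPN.
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

function Get-ServiceAccountReport {
    # Assumed helper: SPN and delegation review for one service account.
    param([string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    foreach ($spn in $acct.servicePrincipalName) {
        $holders = @(Find-SpnHolders -Spn $spn)
        [pscustomobject]@{
            Account   = $SamAccountName
            SPN       = $spn
            SyntaxOK  = Test-SpnSyntax -Spn $spn
            Duplicate = $holders.Count -gt 1
            Holders   = $holders -join '; '
        }
    }
    [pscustomobject]@{
        Account                 = $SamAccountName
        UnconstrainedDelegation = $acct.TrustedForDelegation          # slide 6: Windows 2000 model
        ProtocolTransition      = $acct.TrustedToAuthForDelegation    # slide 9, step 8: is PT required?
        ConstrainedTargets      = $acct.'msDS-AllowedToDelegateTo' -join ', '   # slide 6 attribute
    }
}

function Get-NetworkLogonEvents {
    # Assumed helper: slide 17's 540 events (Windows 2003; 4624 is the Vista/2008+ equivalent).
    # The message text names the Authentication Package (Kerberos or NTLM) and any Transited
    # Services, which is where a delegated (constrained) hop shows up.
    param([int]$Newest = 500)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeGenerated
                Package   = if ($_.Message -match 'Authentication Package:\s*(\S+)') { $Matches[1] } else { '' }
                Transited = if ($_.Message -match 'Transited Services:\s*([^\r\n]*)') { $Matches[1].Trim() } else { '' }
            }
        }
}

# Constructed account names from the slide 5 table.
foreach ($account in 'K2serviceaccount', 'K2workspaceaccount', 'K2SSRSserviceaccount',
                     'K2MOSSserviceaccount', 'K2SQLserviceaccount') {
    Get-ServiceAccountReport -SamAccountName $account | Format-List
}

# Any 540 event whose Package is NTLM on a hop that should be Kerberos points at a missing
# or duplicate SPN, a host-header mismatch, or a delegation setting that was never applied.
Get-NetworkLogonEvents | Format-Table -AutoSize
```

Run it on the box whose security log you are reading (the 540 events are local) with an account that can read the log; the AD queries go to a domain controller and need only read access. A `Duplicate = True` row is the first thing to fix, since the KDC cannot issue a ticket for an SPN it finds on two accounts.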
  19. Reference: http://technet.microsoft.com/en-us/library/bb742516.aspx
