Kerberos survival guide SPS Kansas City
Transcript

  • Kerberos Survival Guide
    Presented by: JD Wade, Senior SharePoint Consultant, MCTS, MCITP
    Mail: jd.wade@hrizns.com
    Blog: http://wadingthrough.com
    LinkedIn: JD Wade
    Twitter: http://twitter.com/JDWade
  • Who is JD Wade?
    • SharePoint Consultant since 2007
    • Certified KnowledgeLake Partner
    • With Horizons since 2005
    • Member of SharePoint 2007 and 2010 TAP
    • Over 10 years of IT experience
    • Technical Editor for the book SharePoint 2010 Disaster Recovery: http://tinyurl.com/SPDRBook2010
    • Loves anything related to sound
    • Probably has one of the driest senses of humor in the room
  • Agenda
    • Kerberos (the protocol, developed at the Massachusetts Institute of Technology)
    • Details Out of Scope
    • Dependencies: SPN
  • Service Principal Name
    Format: ServiceClass/HostName:Port (the port is optional and is normally left off for the default port; the full form also allows a trailing /ServiceName)
    Example: HTTP/website:80
  • Service Classes allowed by host
    These are the service classes that a computer account's built-in HOST SPN stands in for (in AD they are listed in the sPNMappings attribute of the Directory Service object), so a request for http/server is satisfied by HOST/server when no explicit http SPN exists:
    alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns,
    dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, messenger, mcsvc,
    msiserver, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay,
    policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc,
    rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon,
    snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
  • Kerberos Benefits
    • Delegated Authentication
    • Interoperability
    • More Efficient Authentication
    • Mutual Authentication
    • IIS is chatty by default: Kerberos authentication is not persisted across requests on a connection unless you enable it
      • IIS6 – See MS KB 917557
      • IIS7 – See MS KB 958473
  • Logon Process
    • KDC: at logon the client obtains a TGT; before each new service it obtains a service ticket for that service's SPN
    • Access Web Site
    • 401: IIS challenges the anonymous request with WWW-Authenticate: Negotiate
    • SPN: the client asks the KDC for a ticket for HTTP/<host name from the URL> and presents it in the Authorization header
  • IIS 7 web.config: with kernel-mode authentication enabled (the default), http.sys decrypts service tickets with the machine account's key. When the HTTP SPN is registered on a domain service account, which a load-balanced farm requires, set useAppPoolCredentials so the application pool identity's key is used instead:
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
  • Troubleshooting Kerberos
  • Tools
    • Knowledge
    • SetSPN
    • Windows Security Logs
    • Windows 2008 ADUC or ADSIEdit
    • Kerbtray or Klist
    • Netmon and Fiddler
    • IIS Logs and IIS7 Failed Request Tracing
    • LDP
    • Kerberos Logging
    • Event Logging and/or Debug Logs
  • Common Issues that break Kerberos
    • Times are out of sync – authenticators contain the current time, and the KDC and servers reject them beyond the allowed skew (5 minutes by default)
    • Missing SPN
    • Duplicate SPN
    • SPN assigned to wrong service account
    • IIS Providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
    • IIS 7 – remember Kernel mode authentication and check settings
    • Client TGT expired (the default renewal limit is 7 days; have the user log off and on, no reboot required)
    • IE and non-default ports (IE requests HTTP/host without the port unless the client setting from MS KB 908209 is applied, so either register the port-less SPN on the service account or enable that setting)
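The SPN format from the earlier slide and the missing, duplicate and wrong-account failures in this list, as an added example that is not code from the deck. It models what setspn -X (duplicates) and setspn -Q (lookup) tell you, against a constructed, fictional directory export; the HOST fallback uses the service class list from the "Service Classes allowed by host" slide. Account and host names are made up.

```python
"""SPN lookups and the checks behind "missing SPN", "duplicate SPN" and
"SPN assigned to the wrong account".

Added example, not code from the deck. DIRECTORY is a constructed, fictional
export of sAMAccountName -> servicePrincipalName values (what an LDAP dump or
Get-ADObject -Properties servicePrincipalName returns); nothing here touches AD.
"""
from collections import defaultdict

# Service classes the built-in HOST SPN stands in for (the deck's list; in AD
# this is the sPNMappings attribute). A request for http/web01 is satisfied by
# HOST/web01 on the computer account when no explicit http SPN exists.
HOST_CLASSES = {
    "alerter", "appmgmt", "browser", "cifs", "cisvc", "clipsrv", "dcom", "dhcp",
    "dmserver", "dns", "dnscache", "eventlog", "eventsystem", "fax", "http", "ias",
    "iisadmin", "messenger", "mcsvc", "msiserver", "netdde", "netddedsm", "netlogon",
    "netman", "nmagent", "oakley", "plugplay", "policyagent", "protectedstorage",
    "rasman", "remoteaccess", "replicator", "rpc", "rpclocator", "rpcss", "rsvp",
    "samss", "scardsvr", "scesrv", "schedule", "scm", "seclogon", "snmp", "spooler",
    "tapisrv", "time", "trksvr", "trkwks", "ups", "w3svc", "wins", "www",
}

DIRECTORY = {  # constructed sample, not real accounts
    "WEB01$": ["HOST/web01", "HOST/web01.corp.example"],
    "svc-sp-web": ["HTTP/intranet", "HTTP/intranet.corp.example",
                   "HTTP/extranet.corp.example:8443"],
    "svc-sp-search": ["HTTP/intranet.corp.example"],  # duplicate of svc-sp-web's
    "svc-sp-old": ["http/portal.corp.example"],       # app pool actually runs as svc-sp-web
}


def parse_spn(spn):
    """Split 'class/host[:port][/servicename]'; AD matches SPNs case-insensitively."""
    cls, sep, rest = spn.partition("/")
    if not sep or not cls or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    hostport, _, svcname = rest.partition("/")
    host, _, port = hostport.partition(":")
    return cls.lower(), host.lower(), (int(port) if port else None), (svcname.lower() or None)


def normalize(spn):
    """Canonical lookup key, e.g. 'HTTP/Web01:80' -> 'http/web01:80'."""
    cls, host, port, svc = parse_spn(spn)
    return f"{cls}/{host}" + (f":{port}" if port else "") + (f"/{svc}" if svc else "")


def index(directory):
    """Normalized SPN -> accounts carrying it (a healthy directory has one account per SPN)."""
    idx = defaultdict(list)
    for account, spns in directory.items():
        for spn in spns:
            idx[normalize(spn)].append(account)
    return idx


def duplicates(directory):
    """What setspn -X reports. The KDC cannot choose which account's key to use,
    so it refuses the request (Event ID 11 on the DC) and the client falls back to NTLM."""
    return {spn: accts for spn, accts in index(directory).items() if len(accts) > 1}


def resolve(directory, requested):
    """Mimic the KDC lookup: exact match first, then the HOST fallback for mapped classes.
    Returns the account whose key the service ticket would be encrypted with, or None."""
    idx = index(directory)
    cls, host, port, _ = parse_spn(requested)
    hits = idx.get(normalize(requested), [])
    if not hits and cls in HOST_CLASSES:
        hits = idx.get("host/" + host + (f":{port}" if port else ""), [])
    if len(hits) > 1:
        raise LookupError(f"duplicate SPN {requested}: {hits}")
    return hits[0] if hits else None


def check_web_app(directory, requested_spn, app_pool_account):
    """Classify the SPN a client will ask for against the identity the app pool runs as."""
    try:
        owner = resolve(directory, requested_spn)
    except LookupError as exc:
        return f"DUPLICATE: {exc}"
    if owner is None:
        return "MISSING: no account holds this SPN; the client falls back to NTLM"
    if owner.lower() != app_pool_account.lower():
        return f"WRONG ACCOUNT: ticket would be encrypted for {owner}, not {app_pool_account}"
    return "OK"


if __name__ == "__main__":
    print("duplicates:", duplicates(DIRECTORY))
    # IE builds the SPN without the port, so the :8443 registration alone is not enough.
    for spn, acct in [("HTTP/intranet.corp.example", "svc-sp-web"),
                      ("HTTP/extranet.corp.example", "svc-sp-web"),
                      ("HTTP/portal.corp.example", "svc-sp-web"),
                      ("HTTP/web01", "WEB01$")]:
        print(f"{spn:32} {check_web_app(DIRECTORY, spn, acct)}")
```

Against a real forest the equivalents are setspn -X (list duplicate SPNs), setspn -Q HTTP/intranet.corp.example (find the account that owns an SPN) and setspn -S HTTP/intranet.corp.example CORP\svc-sp-web (add an SPN only after a duplicate check). The HTTP/web01 case shows why a single server whose app pool runs as Network Service works without any setspn: the computer account's HOST SPN covers it.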
  • Delegation
  • FBA and Kerberos
  • References
    • Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
    • What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
    • How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
    • Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx
    • Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
    • How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
    • Spence Harbar’s Blog: http://www.harbar.net
  • Q & A
  • Appendix
    • Kerberos is an open authentication protocol developed at MIT; version 5 was published as RFC 1510 in 1993 (since superseded by RFC 4120).
    • Authentication is the process of proving your identity to a remote system.
    • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
    • The user key is derived from the user's password by a one-way transformation (the password is never stored). The key is held in the credentials cache only until the logon session key is received, then discarded.
    • The service key is derived from the service account's password in the same way.
    • KDCs are found through a DNS query (SRV records); the DCs register the service in DNS.
    • The slides show the detail of what happens inside the KDC, but day to day you can just remember "KDC".
    • Another reason for simplification: encryption upon encryption upon encryption… just remember it is encrypted.
    • This is a Windows-centric Kerberos presentation.
    • Load balanced solutions need a service account: the SPN must belong to the one account that every node in the farm runs as.
    • All web applications hosted using the same SPN have to be hosted with the same account.
    • Use A records, not CNAME records: some clients build the SPN from the canonical name the CNAME resolves to rather than from the alias, so the ticket is requested for a host name that has no SPN on the service account.
    • Terms
    • Key Distribution Center (KDC) – In Windows AD, the KDC lives on the domain controllers (DC); all DCs in a domain share one long-term key, the key of the krbtgt account.
    • KDC security account database – In Windows, it is Active Directory.
    • Authentication Service (AS) – part of the KDC.
    • Ticket Granting Service (TGS) – part of the KDC.
    • Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. It keeps the user from having to enter a password each time a ticket is requested.
  • Tickets
    • Ticket Granting Ticket (TGT)
      • A user's initial ticket from the authentication service
      • Used to request service tickets
      • Meant only for use by the ticket-granting service
      • A service ticket for the KDC itself (service class = krbtgt)
    • Service Ticket
      • Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
  • Tools
    • Troubleshooting
    • Have the user log off and on if they don't regularly: TGTs are only renewable for so long and then they expire (7-day default), after which the password has to be re-entered.
    • Remember that authenticators contain the current time. Check for time sync issues.
  • Request TGT (remember there is even more complexity)
    The user (client) logs into the workstation, entering their password.
    The client builds an authentication service request containing the user's principal name (KPN), the SPN of the TGS (krbtgt), and a pre-authentication authenticator: the current time encrypted with the key derived from the user's password.
    The client sends these three items to the KDC.
    The KDC looks up the user's key in AD, decrypts the timestamp and verifies it is within the allowed clock skew.
    The AS generates a logon session key and encrypts it with the user's key. The AS also generates a service ticket containing the logon session key and the user's KPN, encrypted with the KDC's own long-term key (the krbtgt key). This special service ticket is the Ticket Granting Ticket (TGT).
    The KDC sends both to the client.
    The client decrypts the logon session key with its user key and stores the logon session key and the TGT in its cache.
  • Access Service (remember there is even more complexity)
    The client encrypts the current time with the cached logon session key, creating an authenticator, and sends the authenticator, the user's KPN, the name of the target service (SPN) and the TGT to the TGS.
    The TGS decrypts the TGT with its own key to obtain the logon session key, uses that key to decrypt the authenticator and confirms the time is valid.
    The TGS extracts the user's KPN from the TGT, generates a service session key and encrypts it with the logon session key. It also builds a service ticket containing the service session key and the KPN, and encrypts that ticket with the service's key (derived from the service account's password).
    The TGS sends the encrypted service session key and the service ticket to the client.
    The client decrypts the service session key with the cached logon session key, then builds an authenticator (the current time plus other items) encrypted with the service session key.
    The client sends the ticket and the authenticator to the remote server that runs the service.
    The service decrypts the service ticket with its own key, obtaining the service session key and the KPN. Using the service session key it decrypts the authenticator and confirms the time is valid. A Windows access token is generated for the user.
    (Optional) If the client requested mutual authentication, the service encrypts the client's timestamp with the service session key and sends it back as its own authenticator.
    The client decrypts that reply and validates the time, which proves the service holds the key the ticket was issued for.
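The two flows above (Request TGT and Access Service) together with the failure modes from the troubleshooting notes (time out of sync, expired TGT, missing SPN, SPN on the wrong account), as an added example that is not code from the deck. The cipher, the key derivation and the ticket layout are stand-ins (a keystream-plus-HMAC construction from hashlib, PBKDF2, JSON fields) for the real encryption types and ASN.1 structures; the realm, principal and account names are made up; the error names are the real Kerberos error codes a Windows client logs when each step fails.

```python
"""Model of the logon (AS) and service-access (TGS/AP) exchanges described above.
Added example, not code from the deck. Stand-ins: a keystream plus HMAC built from
hashlib replaces the Kerberos encryption types, PBKDF2 replaces string-to-key, and
tickets carry only the fields the flow mentions. The 5-minute skew limit and the
10-hour ticket lifetime are the AD defaults.
"""
import hashlib, hmac, json, os, time

SKEW = 300               # seconds; authenticators older or newer than this are rejected
TICKET_LIFE = 10 * 3600  # seconds

def string_to_key(password, salt):
    """Long-term key derived one-way from a password; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key, fields):
    """Toy authenticated encryption of a dict: keystream XOR plaintext, then an HMAC tag."""
    plain, nonce = json.dumps(fields).encode(), os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; ValueError means wrong key or a modified blob."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))

def _now(clock):
    """Each party has its own clock (None = wall clock) so time-sync failures can be reproduced."""
    return clock if clock is not None else int(time.time())

class KDC:
    """Authentication Service and Ticket Granting Service on a DC; the account database is AD."""
    def __init__(self, realm, passwords, clock=None):
        self.clock = clock
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}
        self.krbtgt = self.keys["krbtgt"]  # long-term key shared by every DC in the domain

    def as_exchange(self, kpn, preauth):
        now = _now(self.clock)
        try:  # pre-authentication: the timestamp must decrypt under the user's key and be fresh
            ts = unseal(self.keys[kpn], preauth)["timestamp"]
        except (KeyError, ValueError):
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(now - ts) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        logon_key = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"kpn": kpn, "key": logon_key, "expires": now + TICKET_LIFE})
        return seal(self.keys[kpn], {"key": logon_key}), tgt

    def tgs_exchange(self, tgt, authenticator, spn):
        now = _now(self.clock)
        t = unseal(self.krbtgt, tgt)  # only a KDC can open a TGT
        if now > t["expires"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["kpn"] != t["kpn"] or abs(now - a["timestamp"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        if spn not in self.keys:  # no account holds this SPN
            raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"kpn": t["kpn"], "key": svc_key, "expires": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key}), ticket

class Service:
    def __init__(self, realm, spn, password, clock=None):
        self.key, self.clock = string_to_key(password, realm + spn), clock

    def accept(self, ticket, authenticator):
        now = _now(self.clock)
        try:
            t = unseal(self.key, ticket)
        except ValueError:  # ticket was encrypted for another account's key: SPN on the wrong account
            raise PermissionError("KRB_AP_ERR_MODIFIED") from None
        svc_key = bytes.fromhex(t["key"])
        a = unseal(svc_key, authenticator)
        if a["kpn"] != t["kpn"] or abs(now - a["timestamp"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        # Mutual authentication: echo the timestamp under the session key only the ticket holder knows.
        return t["kpn"], seal(svc_key, {"timestamp": a["timestamp"]})

class Client:
    def __init__(self, realm, kpn, password, kdc):
        self.kpn, self.kdc, self.cache = kpn, kdc, {}
        self.user_key = string_to_key(password, realm + kpn)

    def logon(self, now):
        enc, tgt = self.kdc.as_exchange(self.kpn, seal(self.user_key, {"timestamp": now}))
        self.cache = {"logon_key": bytes.fromhex(unseal(self.user_key, enc)["key"]), "tgt": tgt}
        del self.user_key  # discarded once the logon session key is cached

    def access(self, service, spn, now):
        lk = self.cache["logon_key"]
        auth = seal(lk, {"kpn": self.kpn, "timestamp": now})
        enc, ticket = self.kdc.tgs_exchange(self.cache["tgt"], auth, spn)
        svc_key = bytes.fromhex(unseal(lk, enc)["key"])
        kpn, reply = service.accept(ticket, seal(svc_key, {"kpn": self.kpn, "timestamp": now}))
        if unseal(svc_key, reply)["timestamp"] != now:  # mutual authentication check
            raise PermissionError("KRB_AP_ERR_MUT_FAIL")
        return kpn
```

Giving each party its own clock is what makes the troubleshooting cases reproducible: a web server 15 minutes ahead rejects a valid ticket with KRB_AP_ERR_SKEW, a service running under a different account than the SPN owner cannot open the ticket and reports KRB_AP_ERR_MODIFIED, and a KDC asked for an SPN nobody holds answers KDC_ERR_S_PRINCIPAL_UNKNOWN, at which point a Windows client silently falls back to NTLM. On a real client, klist tgt shows the cached TGT and its renew-until time, klist purge forces fresh ticket requests without logging off, and w32tm /query /status on the server shows its time source when you suspect skew.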
  • Troubleshooting Tools
    • Patience – Test methodically and
    • Knowledge – Know your Forests, Domains, Trusts, Functional Levels… get a basic lay of the land.
    • Always test from a different machine than the web server or domain controller!
    • SetSPN
    • Windows Security Logs
    • Windows 2008 ADUC
    • Kerbtray
    • Netmon and Fiddler
    • IIS Logs and IIS7 Failed Request Tracing
    • Kerberos Logging
    • Event Logging and/or Debug Logs