Loading in...5
×

Kerberos survival guide SPS Kansas City


Kerberos Survival Guide
Presented by: JD Wade, Senior SharePoint Consultant, MCTS, MCITP
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade

Who is JD Wade?
- SharePoint Consultant since 2007
- Certified KnowledgeLake Partner
- With Horizons since 2005
- Member of SharePoint 2007 and 2010 TAP
- Over 10 years of IT experience
- Technical Editor for the book SharePoint 2010 Disaster Recovery: http://tinyurl.com/SPDRBook2010
- Loves anything related to sound
- Probably has one of the driest senses of humor in the room

Agenda
- Overview
- Logon Process
- Accessing a Web Site
- Troubleshooting Kerberos
- Delegation

Kerberos
Massachusetts Institute of Technology
Details Out of Scope
- Renewing tickets
- Ticket expiration
- Keys
- Authenticator
- TGT Structure
- Service Ticket Structure
- Encryption/Decryption
- Multiple domains/forests

Dependencies
SPN

Service Principal Name
Service Class / Host Name : Port
Example: HTTP/website:80

Service classes allowed by host:
alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, messenger, msiserver, mcsvc, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon, snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
Kerberos
- Benefits
  - Delegated Authentication
  - Interoperability
  - More Efficient Authentication
  - Mutual Authentication
- IIS – Chatty by default
  - IIS6 – See MS KB 917557
  - IIS7 – See MS KB 958473

Logon Process
(diagram slides, labelled KDC and SPN)

Access Web Site
(diagram slides, labelled 401 and SPN)

web.config:
<system.webServer>
  <security>
    <authentication>
      <!-- IIS7 kernel-mode authentication: decrypt tickets with the application pool identity, not the machine account -->
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>
Troubleshooting Kerberos

Tools
- Knowledge
- SetSPN
- Windows Security Logs
- Windows 2008 ADUC or ADSIEdit
- Kerbtray or Klist
- Netmon and Fiddler
- IIS Logs and IIS7 Failed Request Tracing
- LDP
- Kerberos Logging
- Event Logging and/or Debug Logs

Common Issues that break Kerberos
- Times are out of sync – authenticators contain the current time
- Missing SPN
- Duplicate SPN
- SPN assigned to the wrong service account
- IIS providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
- IIS 7 – remember kernel mode authentication and check settings
- Client TGT expired (7-day expiration – have the user log on and log off, no reboot required)
- IE and non-default ports

Delegation
(diagram slides)

FBA
Kerberos
(diagram slide, labelled FBA and Kerberos)
References
- Ken Schaefer's Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
- What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
- How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
- Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx
- Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
- How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
- Spence Harbar's Blog: http://www.harbar.net

Q & A

Appendix
- Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.
- Authentication is the process of proving your identity to a remote system.
- Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
- The user password is encrypted as the user key. The user key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.
- The service password is encrypted as the service key.
- KDCs are found through a DNS query. The service is registered in DNS by the DCs.

- Showing the detail behind what is happening inside the KDC, but for day-to-day use you can just remember "KDC".
- Another reason for simplification: encryption upon encryption upon encryption… just remember it is encrypted.
- This is a Windows-centric Kerberos presentation.
- Load-balanced solutions need a service account.
- All web applications hosted using the same SPN have to be hosted with the same account.
- Use A records, not CNAME records.

Terms
- Key Distribution Center (KDC) – In Windows AD, the KDC lives on domain controllers (DCs); the KDCs share a long-term key across all DCs.
- KDC security account database – In Windows, it is Active Directory.
- Authentication Service (AS) – part of the KDC.
- Ticket Granting Service (TGS) – part of the KDC.
- Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter a password each time a ticket is requested.

Tickets
- Ticket Granting Ticket (TGT)
  - A user's initial ticket from the authentication service
  - Used to request service tickets
  - Meant only for use by the ticket-granting service
  - Service ticket for the KDC (service class = krbtgt)
- Service Ticket
  - Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.

Tools
- Knowledge
- SetSPN
- Windows Security Logs
- Windows 2008 ADUC or ADSIEdit
- Kerbtray or Klist
- Netmon and Fiddler
- IIS Logs and IIS7 Failed Request Tracing
- LDP
- Kerberos Logging
- Event Logging and/or Debug Logs

Troubleshooting
- Have the user log on and log off if they don't do so regularly: TGTs are only renewable for so long and then they expire (7-day default), after which the password has to be re-entered.
- Remember that authenticators contain the current time. Check for time sync issues.

Request TGT (remember there is even more complexity)
1. The user (client) logs into the workstation, entering their password.
2. The client builds an authentication service request containing the user's username (KPN) and the SPN of the TGS, and encrypts the current time using the user's password as an authenticator.
3. The client sends these three items to the KDC.
4. The KDC gets the user's password from AD, decrypts the time and verifies it is valid.
5. The AS generates a logon session key and encrypts it with the user's password. The AS generates a service ticket which contains the logon session key and the user's KPN, encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
6. The KDC sends both to the client.
7. The client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.

Access Service (remember there is even more complexity)
1. The user (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user's KPN, the name of the target service (SPN), and the TGT to the TGS.
2. The TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.
3. The TGS extracts the user's KPN from the TGT. The TGS generates a service session key and encrypts it using the logon session key. The TGS uses the service session key to generate a service ticket and encrypts it using the service's password.
4. The TGS sends the service session key and the service ticket to the client.
5. The client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.
6. The client sends the ticket and authenticator to the remote server which runs the service.
7. The service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.
8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.
9. The client decrypts the authenticator and validates the time.
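The "Request TGT" and "Access Service" walkthroughs above, played out as an added Python model (not code from the presentation): a toy KDC with AS and TGS, the client's side of both legs, and the web-server-side check, where every "encrypt with key X" from the slides is done by a small HMAC-authenticated toy cipher rather than Kerberos encryption types. The skew tolerance, the account names and passwords, and the single SPN table entry are constructed; the point is to see which step fails for the items on the "Common Issues" list: an authenticator time out of skew, an expired TGT, a missing SPN, and a ticket the service cannot decrypt because it was sealed for a different account than the one the service runs as.

```python
import hashlib, hmac, json, os
SKEW = 300  # tolerated clock skew in seconds (constructed; the slides only say "times out of sync")
def kdf(password):  # toy password-to-key; real Kerberos uses a proper string-to-key function
    return hashlib.sha256(password.encode()).digest()
def keystream(key, n):  # SHA-256 counter keystream of n bytes (toy cipher, illustration only)
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]
def seal(key, obj):  # the slides' "encrypt with key X": XOR keystream, then an HMAC tag
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, len(pt))))
    return hmac.new(key, ct, "sha256").digest() + ct
def unseal(key, blob):  # a wrong key fails the tag, which is the "cannot decrypt ticket" failure
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("cannot decrypt: key mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct)))))
def check_time(stamp, now):  # every authenticator carries the sender's clock
    if abs(stamp - now) > SKEW:
        raise ValueError("authenticator time outside skew: clocks out of sync")

# Constructed AD: passwords for a user, krbtgt (the TGS shared key) and the app pool account, plus the SPN table.
AD = {"jdoe": "P@ss1", "krbtgt": "kdcsecret", "svc_sp": "AppPoolPw"}
SPNS = {"HTTP/website": "svc_sp"}
KEYS = {name: kdf(pw) for name, pw in AD.items()}
def as_exchange(kpn, authenticator, now, tgt_life=7 * 86400):  # AS side of "Request TGT"
    check_time(unseal(KEYS[kpn], authenticator)["time"], now)  # the user's key decrypts the time
    logon_key = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"kpn": kpn, "key": logon_key, "expires": now + tgt_life})
    return seal(KEYS[kpn], {"key": logon_key}), tgt
def tgs_exchange(spn, authenticator, tgt, now):  # TGS side of "Access Service"
    t = unseal(KEYS["krbtgt"], tgt)
    if now > t["expires"]:
        raise ValueError("TGT expired: have the user log off and on")
    logon_key = bytes.fromhex(t["key"])
    check_time(unseal(logon_key, authenticator)["time"], now)
    if spn not in SPNS:
        raise LookupError("missing SPN " + spn)  # no owning account, so no key to seal the ticket with
    svc_key = os.urandom(32).hex()
    return seal(logon_key, {"key": svc_key}), seal(KEYS[SPNS[spn]], {"kpn": t["kpn"], "key": svc_key})
def client_flow(kpn, password, spn, client_now, kdc_now):  # the client's side of both legs
    ukey = kdf(password)
    enc, tgt = as_exchange(kpn, seal(ukey, {"time": client_now}), kdc_now)
    logon_key = bytes.fromhex(unseal(ukey, enc)["key"])  # the user key can be discarded from here on
    enc, ticket = tgs_exchange(spn, seal(logon_key, {"time": client_now}), tgt, kdc_now)
    svc_key = bytes.fromhex(unseal(logon_key, enc)["key"])
    return ticket, seal(svc_key, {"time": client_now})  # what the browser presents to the web server
def service_accept(service_password, ticket, authenticator, now):  # web server side of "Access Service"
    t = unseal(kdf(service_password), ticket)  # must be the SPN owner's key (the app pool identity)
    check_time(unseal(bytes.fromhex(t["key"]), authenticator)["time"], now)
    return t["kpn"]  # the identity that goes into the Windows access token
```

Calling service_accept with a password other than svc_sp's is the same failure as an SPN registered on one account while the site runs as another: the ticket simply does not decrypt.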
Troubleshooting Tools
- Patience – Test methodically and
- Knowledge – Know your forests, domains, trusts, functional levels… get a basic lay of the land.
- Always test from a different machine than the web server or domain controller!
- SetSPN
- Windows Security Logs
- Windows 2008 ADUC
- Kerbtray
- Netmon and Fiddler
- IIS Logs and IIS7 Failed Request Tracing
- Kerberos Logging
- Event Logging and/or Debug Logs

Common Issues that break Kerberos
- Times are out of sync – authenticators contain the current time
- Missing SPN
- Duplicate SPN
- SPN assigned to the wrong service account
- IIS providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
- IIS 7 – remember kernel mode authentication and check settings
- Client TGT expired (7-day expiration – have the user log on and log off, no reboot required)
- IE and non-default ports
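An added Python checker (not from the presentation) for the SPN items on the list above, run over a constructed set of setspn -L results: it parses class/host[:port][/name] the way the slide breaks an SPN down, flags a duplicate SPN held by two accounts (matched case-insensitively, as the KDC matches them), a missing SPN for a web application URL, and an SPN held by an account other than the application pool identity. It assumes the browser asks for the port-less HTTP/host form even on a non-default port (IE's default behaviour), so a site on another port needs both forms registered; the account names, SPNs and the recognised-class subset are made up for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed "setspn -L <account>" results for three accounts (not a real directory dump).
REGISTERED = {
    "CONTOSO\\svc_sp_web": ["HTTP/website", "HTTP/website.contoso.com", "HTTP/portal.contoso.com:8080"],
    "CONTOSO\\svc_sp_old": ["http/WEBSITE.contoso.com"],  # same SPN as above in different case
    "CONTOSO\\WEB01$": ["HOST/WEB01", "HOST/web01.contoso.com", "HTTP/intranet.contoso.com"],
}
KNOWN_CLASSES = {"http", "host", "www", "w3svc", "cifs"}  # subset of the classes on the slide

def parse_spn(spn):
    # class/host[:port][/name]; class and host compare case-insensitively, as the KDC matches them
    svc_class, _, rest = spn.partition("/")
    hostport, _, name = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not svc_class or not host or (port and not port.isdigit()):
        raise ValueError("malformed SPN " + spn)
    return svc_class.lower(), host.lower(), int(port) if port else None, name or None

def expected_spns(url):
    # Assumption: the browser asks for HTTP/host with no port (IE's default), so a site on a
    # non-default port needs the port-less SPN as well as HTTP/host:port.
    u = urlsplit(url)
    spns = ["HTTP/" + u.hostname]
    if u.port and u.port != (443 if u.scheme == "https" else 80):
        spns.append(f"HTTP/{u.hostname}:{u.port}")
    return spns

def audit(url, app_pool_account, registered=REGISTERED):
    # Findings for the SPN items on the "Common Issues" slide: missing, duplicate, wrong account.
    owners, findings = defaultdict(list), []
    for account, spns in registered.items():
        for spn in spns:
            key = parse_spn(spn)
            if key[0] not in KNOWN_CLASSES:
                findings.append(f"{account}: unrecognised service class in {spn}")
            owners[key].append(account)
    for key, accts in owners.items():
        if len(accts) > 1:  # two accounts hold one SPN, so the KDC cannot choose a key
            name = f"{key[0].upper()}/{key[1]}" + (f":{key[2]}" if key[2] else "")
            findings.append(f"duplicate SPN {name} on {', '.join(accts)}")
    for spn in expected_spns(url):
        accts = owners.get(parse_spn(spn), [])
        if not accts:
            findings.append(f"missing SPN {spn}")
        elif app_pool_account not in accts:
            findings.append(f"SPN {spn} belongs to {', '.join(accts)}, not {app_pool_account}")
    return findings
```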