Kerberos Survival Guide (STL 2015)
Presented by:
JD Wade, SharePoint Consultant, MCITP
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade
Agenda
•Overview
•Logon Process
•Accessing a Web Site
•Keep in Mind
•Delegation
•Tools
•Resources
Kerberos
•Originated at the Massachusetts Institute of Technology
•Three parties (diagram): Client, Server, Trusted Third Party
Details Out of Scope
•Renewing tickets
•Ticket expiration
•Keys
•Authenticator
•TGT Structure
•Service Ticket Structure
•Encryption/Decryption
•Multiple domains/forests
•Client to server or server to server
•Windows = Kerberos V5
•Safe on open networks (designed for untrusted networks: the password itself never crosses the wire)
•Default authentication in W2K+ domains
•Ticket-based (diagram)
Dependencies
•O/S
•Time Service (authenticators carry a timestamp; the default tolerance is 5 minutes)
Service Principal Name
•Format: <Service Class>/<Host Name>:<Port>
•Example: HTTP/website:80
Service Classes allowed by host (the HOST/ SPN of a computer account stands in for all of these):
alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, mcsvc, messenger, msiserver, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon, snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
Example: http://servername works against the computer account's HOST/servername SPN because http is in this list. An application pool running as a domain service account is not covered by the mapping: that account needs an explicit HTTP/servername SPN.
Kerberos
•Benefits
•Delegated Authentication
•Interoperability (non-Microsoft)
•More Efficient Authentication
•Mutual Authentication
• Server to client
• Client to server
Logon Process (diagram)
•Workstation ↔ KDC: the AS exchange returns the TGT
•Workstation ↔ KDC: the TGS exchange returns a service ticket for the workstation's own SPN, host/workstationname, which the workstation uses to build the user's token
Access Web Site (diagram)
•Browser requests the page anonymously; IIS answers 401 with WWW-Authenticate: Negotiate
•Client asks the KDC for a service ticket for the SPN http/www.website.com
•Browser resends the request with the ticket in an Authorization: Negotiate header
Keep In Mind
•Classic vs. Claims (SharePoint authentication modes)
•IIS – chatty by default: every request is re-authenticated unless authPersistNonNTLM is enabled
•IIS6 – see MS KB 917557
•IIS7/8 – see MS KB 954873
Delegation (diagram, built up over three slides): Web front ends (Srv3, Srv4) → Cubes (Srv2) → Datamart (Srv1). The user's identity has to be carried across each hop; that is what delegation provides.
Protocol Transition (diagram): the user reaches the Web front end (Srv3, Srv4) over FBA rather than Kerberos, and the front end transitions to Kerberos to reach Cubes (Srv2) and Datamart (Srv1) on the user's behalf.
•Uses Protocol Transition (forest/domain limited until Server 2012) (Constrained Only)
• Excel Services
• Visio Services
• PerformancePoint
• InfoPath Form Services
• SQL SSRS 2012
• Access Services 2013
•Does NOT use Protocol Transition (forest limited until Server 2012) (Unconstrained or Constrained)
• SQL Reporting Services 2008 R2
• BCS
• Project Server
•Doesn’t usually require Kerberos
• PowerPivot for SharePoint Server
Windows 2012
•New PowerShell parameter: PrincipalsAllowedToDelegateToAccount
•Constrained Delegation across forests and domains
• Must have at least one W2K12 DC in all domains involved
• SharePoint must be running on W2K12 servers
• Backend server must be W2K3 or later
• Must apply MS KB 2665790 to all W2K8 and W2K8 R2 DCs
• Must not have W2K3 DCs
•New KDC operational event log in W2K12
• Applications and Services Logs/Microsoft/Windows/Kerberos-Key-Distribution-Center/Operational
•New Kerberos operational event log in W2K12
• Applications and Services Logs/Microsoft/Windows/Security-Kerberos/Operational
•Performance counters added
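The two delegation styles the last slides compare, configured end to end. This is an added example, not code from the deck: the accounts svc-spweb (SharePoint web application pool, the front end) and svc-sql (SQL Server, the back end) and the SPN MSSQLSvc/sql01.contoso.com:1433 are hypothetical. It needs the ActiveDirectory module; the PrincipalsAllowedToDelegateToAccount parameter exists only in the Server 2012 (or later) RSAT version of that module.

```powershell
# Added example, not from the deck: classic constrained delegation with protocol transition (front-end account)
# next to resource-based constrained delegation (back-end account), then a read-back of both.
# Hypothetical names: svc-spweb, svc-sql, MSSQLSvc/sql01.contoso.com:1433.
Import-Module ActiveDirectory

$frontEnd   = 'svc-spweb'
$backEnd    = 'svc-sql'
$backEndSpn = 'MSSQLSvc/sql01.contoso.com:1433'

# 1. Classic constrained delegation (Server 2003+), set on the FRONT-END account. msDS-AllowedToDelegateTo lists
#    the back-end SPNs it may delegate to. TrustedToAuthForDelegation ("use any authentication protocol") is
#    protocol transition: the front end can obtain a ticket for a user who arrived over FBA or claims, not Kerberos.
#    Front end and back end must be in the same domain, which is the limitation the slides refer to.
Set-ADUser -Identity $frontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpn }
Set-ADAccountControl -Identity $frontEnd -TrustedToAuthForDelegation $true

# 2. Resource-based constrained delegation (Server 2012 DCs), set on the BACK-END account: the resource decides
#    who may delegate to it, and the front end may live in another domain or forest.
Set-ADUser -Identity $backEnd -PrincipalsAllowedToDelegateToAccount (Get-ADUser -Identity $frontEnd)

# 3. Read both back, and surface unconstrained delegation (TrustedForDelegation): with that setting the server
#    caches a copy of every connecting user's TGT, so constrained delegation is the one to prefer.
function Get-DelegationSettings {
    param([Parameter(Mandatory)][string]$Identity)
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'
    $u = Get-ADUser -Identity $Identity -Properties $props
    [pscustomobject]@{
        Account                     = $u.SamAccountName
        Unconstrained               = [bool]$u.TrustedForDelegation
        ProtocolTransition          = [bool]$u.TrustedToAuthForDelegation
        AllowedToDelegateTo         = @($u.'msDS-AllowedToDelegateTo')            # classic: lives on the front end
        PrincipalsAllowedToDelegate = @($u.PrincipalsAllowedToDelegateToAccount)  # resource-based: lives on the back end
    }
}
Get-DelegationSettings -Identity $frontEnd
Get-DelegationSettings -Identity $backEnd
```

For computer accounts (a SQL Server running as Local System, for instance) the same parameters exist on Set-ADComputer. The resource-based setting is stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the back-end object, so anyone with write access to that attribute can grant delegation to themselves; treat write permission on it like membership in a privileged group when you review ACLs.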
Tools
•Kerberos Authentication Tester: http://blog.michelbarneveld.nl/media/p/33.aspx
•KList: http://www.microsoft.com/download/en/details.aspx?id=11583
•Kerberos PowerShell Module: https://gallery.technet.microsoft.com/scriptcenter/Keberos-Module-3a6ab12a
•SharePoint Kerberos Buddy
•DelegConfig v2
Resources
•Kerberos Survival Guide wiki page (named my session that title before the wiki page existed)
•Kerberos for Microsoft BI wiki page
•Microsoft BI Authentication and Identity Delegation paper
•The Final Kerberos Guide for SharePoint Technicians
Q & A
http://wadingthrough.com/presentations
http://www.hrizns.com
http://twitter.com/jdwade
Appendix
References
•Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
•What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
•How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
•Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx
•Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
•How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
•Spence Harbar’s Blog: http://www.harbar.net
•Kerberos is an open authentication protocol created at MIT. Version 5 was published in 1993 (RFC 1510, since superseded by RFC 4120).
•Authentication is the process of proving your identity to a remote system.
• Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that identity.
•The user's password is transformed into the user key (a string-to-key function; it is never sent). The user key is held only until the logon session key arrives, then discarded from the credentials cache.
•The service account's password is transformed into the service key the same way.
•KDCs are found through a DNS query for the _kerberos._tcp SRV records, which the DCs register themselves.
•The slides show some of what happens inside the KDC, but for day-to-day work you can just think "KDC".
•Another reason for simplification: it is encryption upon encryption upon encryption; just remember that it is encrypted.
•This is a Windows-centric Kerberos presentation.
•Load-balanced solutions need a domain service account: every node must be able to decrypt tickets for the shared SPN, so every node runs under the same account, and that account holds the SPN.
•All web applications hosted using the same SPN have to run under the same account, because an SPN can belong to exactly one account.
•Use A records, not CNAME records: the client resolves a CNAME to its target host name and requests an SPN for that name, which will not match the SPN you registered for the alias.
•Terms
•Key Distribution Center (KDC) – In Windows AD, the KDC lives on the domain controllers (DCs); every DC shares the same long-term key, the krbtgt account's key, so any DC can read a TGT issued by another.
•KDC security account database – In Windows, it is Active Directory.
•Authentication Service (AS) – part of the KDC.
•Ticket Granting Service (TGS) – part of the KDC.
•Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket-granting service. It keeps the user from having to enter the password each time a ticket is requested.
Tickets
•Ticket Granting Ticket (TGT)
•A user's initial ticket from the authentication service
•Used to request service tickets
•Meant only for use by the ticket-granting service.
•Service ticket for the KDC (service class = krbtgt)
•Service Ticket
•Enables the ticket-granting service (TGS) to safely
transport the requester's credentials to the target
server or service.
•Troubleshooting
• Have the user log off and log on if they don’t regularly: a TGT is only renewable for so long (7 days by default), after which it expires and the password has to be re-entered.
• Remember that authenticators contain the current time. Check for time sync issues.
•Request TGT (remember there is even more complexity)
1. User (client) logs into the workstation, entering their password.
2. Client builds an authentication service request containing the user’s name (KPN), the SPN of the TGS (krbtgt/REALM), and an authenticator: the current time encrypted with the key derived from the user’s password.
3. Client sends these three items to the KDC.
4. KDC gets the user’s key from AD, decrypts the time and verifies it is within tolerance.
5. AS generates a logon session key and encrypts it with the user’s key. AS also generates a service ticket containing the logon session key and the user’s KPN, encrypted with the KDC’s own long-term key (the krbtgt key). This special service ticket is the Ticket Granting Ticket (TGT).
6. KDC sends both to the client.
7. Client decrypts the logon session key using its user key and stores it in the cache, along with the TGT (which the client cannot read).
•Access Service (remember there is even more complexity)
1. Client encrypts the current time with the cached logon session key, creating an authenticator, and sends the authenticator, the user’s KPN, the target service’s SPN and the TGT to the TGS.
2. TGS decrypts the TGT with the krbtgt key to recover the logon session key, uses it to decrypt the authenticator, and confirms the time is valid.
3. TGS extracts the user’s KPN from the TGT, generates a service session key and encrypts it with the logon session key. TGS builds a service ticket containing the service session key and the KPN and encrypts it with the service’s key (the key of the account that owns the SPN).
4. TGS sends the encrypted service session key and the service ticket to the client.
5. Client decrypts the service session key with the cached logon session key, then creates an authenticator from the current time (plus other items) encrypted with the service session key.
6. Client sends the ticket and the authenticator to the remote server that runs the service.
7. Service decrypts the service ticket with its own key, obtaining the service session key and the KPN. With the service session key it decrypts the authenticator and confirms the time is valid. A Windows access token is generated for the user.
8. (Optional) If the client requested mutual authentication, the service encrypts the current time with the service session key, creating an authenticator, and sends it to the client.
9. Client decrypts the authenticator and validates the time; only a server holding the service key could have produced it.
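The "Request TGT" and "Access Service" steps above, carried through as a runnable model with both sides of each exchange. This is an added example, not code from the deck and not Windows' implementation: AES-256-CBC with a random IV stands in for the Kerberos encryption types, JSON stands in for ASN.1, and there is no PAC and no renewal. The realm CONTOSO.COM, the accounts jdwade and svc-web, and the SPN HTTP/www.website.com are made up.

```powershell
# Added example (not the deck's code, not Windows' implementation): a model of the AS, TGS and AP exchanges.
# Assumptions: AES-256-CBC stands in for the Kerberos etypes, JSON for ASN.1; names are hypothetical.
$MaxSkew = [TimeSpan]::FromMinutes(5)                 # Windows' default clock tolerance for authenticators

function New-KerbKey {                                # random session key; the KDC mints one per exchange
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k); $k
}
function ConvertTo-KerbKey([string]$Password, [string]$Realm, [string]$Name) {
    # "password transformed into the key": a string-to-key function, modelled on RFC 3962 (PBKDF2, salt = realm+name)
    $salt = [Text.Encoding]::UTF8.GetBytes($Realm + $Name)
    (New-Object -TypeName System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, 4096).GetBytes(32)
}
function Protect-Part([byte[]]$Key, [hashtable]$Part) {
    # "encrypt with key X" on the slides: IV || AES-CBC(JSON)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $plain = [Text.Encoding]::UTF8.GetBytes(($Part | ConvertTo-Json -Compress))
    [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length))
}
function Unprotect-Part([byte[]]$Key, [byte[]]$Blob) {
    # throws when the key is wrong: a bad password, or a ticket sealed for an account other than the one serving the SPN
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$Blob[0..15]
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)) | ConvertFrom-Json
}
function New-Authenticator([byte[]]$Key, [string]$Name) {   # proves possession of $Key and freshness
    Protect-Part $Key @{ cname = $Name; ts = [DateTime]::UtcNow.Ticks }
}
function Test-Authenticator([byte[]]$Key, [byte[]]$Blob) {
    $a = Unprotect-Part $Key $Blob
    if ([math]::Abs([DateTime]::UtcNow.Ticks - $a.ts) -gt $MaxSkew.Ticks) { throw 'KRB_AP_ERR_SKEW: clocks out of sync' }
    $a
}

# ---- KDC side. $AD stands in for Active Directory; the krbtgt key is what every TGT is sealed with.
$Realm = 'CONTOSO.COM'
$AD = @{
    'jdwade'  = ConvertTo-KerbKey 'P@ssw0rd!' $Realm 'jdwade'     # user key
    'svc-web' = ConvertTo-KerbKey 'Svc-P@ss1' $Realm 'svc-web'    # service account key (the IIS app pool identity)
    'krbtgt'  = New-KerbKey
}
$SpnOwner = @{ 'HTTP/www.website.com' = 'svc-web' }                # servicePrincipalName -> owning account (must be unique)

function Invoke-AS([string]$cname, [byte[]]$preAuth) {              # Request TGT, steps 2-6
    if (-not $AD.ContainsKey($cname)) { throw 'KDC_ERR_C_PRINCIPAL_UNKNOWN' }
    $null = Test-Authenticator $AD[$cname] $preAuth                 # decrypt the time with the user's key, check it
    $logonKey = New-KerbKey
    @{ encPart = Protect-Part $AD[$cname]   @{ key = $logonKey }                     # only the user can read this
       tgt     = Protect-Part $AD['krbtgt'] @{ cname = $cname; key = $logonKey } }   # only the KDC can read this
}
function Invoke-TGS([byte[]]$tgt, [byte[]]$authenticator, [string]$spn) {   # Access Service, steps 1-4
    $t = Unprotect-Part $AD['krbtgt'] $tgt
    $null = Test-Authenticator ([byte[]]$t.key) $authenticator
    if (-not $SpnOwner.ContainsKey($spn)) { throw "KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds SPN $spn" }
    $svcKey = New-KerbKey
    @{ encPart = Protect-Part ([byte[]]$t.key) @{ key = $svcKey }
       ticket  = Protect-Part $AD[$SpnOwner[$spn]] @{ cname = $t.cname; key = $svcKey } }
}

# ---- Service side (the IIS app pool running as svc-web): AP-REQ in, optional AP-REP out, steps 7-8
function Invoke-AP([byte[]]$ticket, [byte[]]$authenticator, [byte[]]$serviceKey) {
    $tk = Unprotect-Part $serviceKey $ticket                         # fails if the SPN sits on the wrong account
    $a  = Test-Authenticator ([byte[]]$tk.key) $authenticator
    if ($a.cname -ne $tk.cname) { throw 'KRB_AP_ERR_BADMATCH' }
    @{ token = "Windows access token for $($tk.cname)"; apRep = Protect-Part ([byte[]]$tk.key) @{ ts = $a.ts } }
}

# ---- Client side, end to end
$cname    = 'jdwade'
$userKey  = ConvertTo-KerbKey 'P@ssw0rd!' $Realm $cname             # step 1: the typed password becomes the user key
$asRep    = Invoke-AS $cname (New-Authenticator $userKey $cname)
$logonKey = [byte[]](Unprotect-Part $userKey $asRep.encPart).key    # step 7: cache the logon session key and the TGT
$userKey  = $null                                                    # the user key is discarded once the session key exists

$spn      = 'HTTP/www.website.com'
$tgsRep   = Invoke-TGS $asRep.tgt (New-Authenticator $logonKey $cname) $spn
$svcKey   = [byte[]](Unprotect-Part $logonKey $tgsRep.encPart).key   # step 5

$apRep    = Invoke-AP $tgsRep.ticket (New-Authenticator $svcKey $cname) $AD['svc-web']
$apRep.token
$null = Test-Authenticator $svcKey $apRep.apRep                      # step 9: only a holder of the service key could answer
'mutual authentication OK'

# Two of the "common issues" from the appendix, reproduced: a missing SPN, and a ticket sealed for the wrong account
try { $null = Invoke-TGS $asRep.tgt (New-Authenticator $logonKey $cname) 'HTTP/www' } catch { "missing SPN: $_" }
try { $null = Invoke-AP $tgsRep.ticket (New-Authenticator $svcKey $cname) (New-KerbKey) } catch { 'wrong service key: the service cannot decrypt the ticket' }
```

The point to take from the model is which key opens which part: the user key opens only the AS reply, the krbtgt key opens only the TGT, and the service key opens only the service ticket. That is why a duplicate or misplaced SPN breaks step 7 and nothing earlier, and why a clock more than five minutes off fails at the first authenticator check.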
Common Issues that break Kerberos
• Times are out of sync – authenticators contain the current time (default tolerance 5 minutes)
• Missing SPN
• Duplicate SPN (setspn -X lists them)
• SPN assigned to the wrong service account
• IIS providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
• IIS 7 – remember kernel-mode authentication: when it is enabled, tickets are decrypted with the machine account's key, so an application pool running as a domain account also needs useAppPoolCredentials="true"
• Client TGT expired (7-day renewal limit; have the user log off and log on, no reboot required)
• IE and non-default ports – IE requests the SPN without the port number, so the port-less SPN must be registered too
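A check for the SPN problems in the list above (missing, duplicate, wrong account) and for clock skew, which also gives the Service Principal Name slides something concrete to run. This is an added example, not code from the deck or from any of the tools listed earlier; it relies only on what ships with Windows ([adsisearcher], which is System.DirectoryServices, and w32tm.exe), so it runs without the RSAT ActiveDirectory module. HTTP/www.website.com, svc-web and dc01.contoso.com are hypothetical names.

```powershell
# Added example, not from the deck: audit an SPN's ownership and the clock offset to a DC with built-in tooling.
# Hypothetical names: HTTP/www.website.com, HTTP/www, svc-web, dc01.contoso.com.

function Find-SpnOwner {
    # Every object in the current domain whose servicePrincipalName holds $Spn (normally exactly one).
    param([Parameter(Mandatory)][string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'objectClass', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Spn     = $Spn
            Account = [string]$r.Properties['samaccountname'][0]
            Class   = [string]($r.Properties['objectclass'] | Select-Object -Last 1)   # user or computer
            AllSpns = @($r.Properties['serviceprincipalname'])
        }
    }
}

function Test-Spn {
    # Missing: Kerberos is never attempted for this name; clients fall back to NTLM or fail.
    # Duplicate: the KDC cannot tell which account's key should seal the ticket; same fallback or failure.
    # WrongAccount: the ticket is sealed with a key the application pool does not have, so IIS cannot decrypt it.
    param([Parameter(Mandatory)][string]$Spn, [string]$ExpectedAccount)
    $owners = @(Find-SpnOwner -Spn $Spn)
    $status = switch ($owners.Count) {
        0       { 'Missing' }
        1       { if ($ExpectedAccount -and $owners[0].Account -ne $ExpectedAccount) { 'WrongAccount' } else { 'OK' } }
        default { 'Duplicate' }
    }
    [pscustomobject]@{ Spn = $Spn; Status = $status; Owners = ($owners.Account -join ', ') }
}

function Test-KerberosClockSkew {
    # Samples the offset between this host and a DC with w32tm; an authenticator outside the tolerance gets KRB_AP_ERR_SKEW.
    param([Parameter(Mandatory)][string]$DomainController, [int]$MaxSkewSeconds = 300)
    $lines   = & w32tm.exe /stripchart "/computer:$DomainController" /samples:3 /dataonly 2>&1
    $offsets = foreach ($l in $lines) { if ("$l" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } }   # e.g. "08:00:00, +00.0012345s"
    if (-not $offsets) { throw "no time samples from ${DomainController}: $($lines -join ' | ')" }
    $worst  = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $status = if ($worst -le $MaxSkewSeconds) { 'OK' } else { 'SKEW' }
    [pscustomobject]@{ DomainController = $DomainController; WorstOffsetSeconds = $worst; Status = $status }
}

# Usage: a web application running as svc-web needs both the FQDN and the short-name SPN on that one account
'HTTP/www.website.com', 'HTTP/www' | ForEach-Object { Test-Spn -Spn $_ -ExpectedAccount 'svc-web' }
Test-KerberosClockSkew -DomainController 'dc01.contoso.com'
```

[adsisearcher] without an explicit SearchRoot searches only the current domain; point it at a global catalog (for example, set SearchRoot to [adsi]'GC://dc=contoso,dc=com') when the SPN could have been registered in another domain of the forest. To fix what the check reports, setspn -S adds an SPN with a duplicate check, setspn -D removes one, and setspn -L lists everything an account holds; after a change, klist purge on the client and a fresh request for the site will show whether the service ticket is now issued.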

More Related Content

What's hot

Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsArunangshu Bhakta
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh rajDBNCOET
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
Cued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocolCued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocolIAEME Publication
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentationChris Geier
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case studyMayuri Patil
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication ApplicationVidulatiwari
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authenticationSuraj Singh
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 
Using Kerberos
Using KerberosUsing Kerberos
Using Kerberosanusachu .
 

What's hot (19)

Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Kerberos
KerberosKerberos
Kerberos
 
Cued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocolCued click point image based kerberos authentication protocol
Cued click point image based kerberos authentication protocol
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
 
Kerberos
KerberosKerberos
Kerberos
 
Using Kerberos
Using KerberosUsing Kerberos
Using Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos (1)
Kerberos (1)Kerberos (1)
Kerberos (1)
 

Similar to Kerberos survival guide-STL 2015

Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaJ.D. Wade
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1anchalaguna
 
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...Siavash Golchoobian
 
Technet.microsoft.com
Technet.microsoft.comTechnet.microsoft.com
Technet.microsoft.comKurt Kort
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3limsh
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
module1 network security.pdf
module1 network security.pdfmodule1 network security.pdf
module1 network security.pdfssuser47f7f2
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8Ashish Agrawal
 
kerb.ppt
kerb.pptkerb.ppt
kerb.pptJdQi
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsIRJET Journal
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos ProtocolNetwax Lab
 

Similar to Kerberos survival guide-STL 2015 (20)

Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
 
Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
 
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
 
Technet.microsoft.com
Technet.microsoft.comTechnet.microsoft.com
Technet.microsoft.com
 
Kerberos Architecture.pptx
Kerberos Architecture.pptxKerberos Architecture.pptx
Kerberos Architecture.pptx
 
Null talk
Null talkNull talk
Null talk
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
 
kerberos
kerberoskerberos
kerberos
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
module1 network security.pdf
module1 network security.pdfmodule1 network security.pdf
module1 network security.pdf
 
Client certificate validation in windows 8
Client certificate validation in windows 8Client certificate validation in windows 8
Client certificate validation in windows 8
 
1165839977.pptx
1165839977.pptx1165839977.pptx
1165839977.pptx
 
kerb.ppt
kerb.pptkerb.ppt
kerb.ppt
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos Protocol
 

More from J.D. Wade

Cloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users GroupCloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users GroupJ.D. Wade
 
What SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-CinncinatiWhat SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-CinncinatiJ.D. Wade
 
Connected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQLConnected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQLJ.D. Wade
 
What SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePointWhat SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePointJ.D. Wade
 
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...J.D. Wade
 
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the FieldSPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the FieldJ.D. Wade
 
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsSharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsJ.D. Wade
 
SPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQLSPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQLJ.D. Wade
 
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the FieldHorizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the FieldJ.D. Wade
 
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013J.D. Wade
 
What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013J.D. Wade
 
What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013J.D. Wade
 
What SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePointWhat SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePointJ.D. Wade
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BIJ.D. Wade
 
SharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro OverviewSharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro OverviewJ.D. Wade
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BIJ.D. Wade
 
SharePoint 2010: Business Insights
SharePoint 2010: Business InsightsSharePoint 2010: Business Insights
SharePoint 2010: Business InsightsJ.D. Wade
 
Internet And Facebook Safety
Internet And Facebook SafetyInternet And Facebook Safety
Internet And Facebook SafetyJ.D. Wade
 

More from J.D. Wade (18)

Cloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users GroupCloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users Group
 
What SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-CinncinatiWhat SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-Cinncinati
 
Connected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQLConnected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQL
 
What SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePointWhat SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePoint
 
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
 
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the FieldSPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
 
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsSharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
 
SPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQLSPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQL
 
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the FieldHorizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
 
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
 
What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013
 
What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013
 
What SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePointWhat SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePoint
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BI
 
SharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro OverviewSharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro Overview
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BI
 
SharePoint 2010: Business Insights
SharePoint 2010: Business InsightsSharePoint 2010: Business Insights
SharePoint 2010: Business Insights
 
Internet And Facebook Safety
Internet And Facebook SafetyInternet And Facebook Safety
Internet And Facebook Safety
 

Recently uploaded

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Kerberos survival guide-STL 2015

  • 1. Kerberos Survival Guide
    Presented by: JD Wade, SharePoint Consultant, MCITP
    Mail: jd.wade@hrizns.com
    Blog: http://wadingthrough.com
    LinkedIn: JD Wade
    Twitter: http://twitter.com/JDWade
  • 2. Agenda
    • Overview
    • Logon Process
    • Accessing a Web Site
    • Keep in Mind
    • Delegation
    • Tools
    • Resources
  • 3. Kerberos (Massachusetts Institute of Technology); diagram labels: Client, Server, Trusted Third Party
  • 4. Details Out of Scope
    • Renewing tickets
    • Ticket expiration
    • Keys
    • Authenticator
    • TGT Structure
    • Service Ticket Structure
    • Encryption/Decryption
    • Multiple domains/forests
  • 5.
    • Client to server or server to server
    • Windows = Kerberos V5
    • Safe on open networks
    • Default authentication W2K+ domains
    • Ticket
  • 7. Service Principal Name
    Service Class / Host Name : Port
    HTTP/website:80
  • 8. Service Classes allowed by host
    alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, mcsvc, messenger, msiserver, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, Schedule, scm, seclogon, snmp, spooler, Tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
    http://servername
  • 9. Kerberos
    • Benefits
      • Delegated Authentication
      • Interoperability (non-Microsoft)
      • More Efficient Authentication
      • Mutual Authentication
        • Server to client
        • Client to server
  • 11. KDC (diagram; only the label survives)
  • 12. KDC (diagram; only the label survives)
  • 14. KDC (diagram; only the label survives)
  • 16. 401 (diagram; only the label survives)
  • 18. (diagram with no text)
  • 21.
    • IIS – Chatty by default
    • IIS6 – See MS KB 917557
    • IIS7/8 – See MS KB 954873
  • 31.
    • Uses Protocol Transition (Forest/domain limited until Server 2012) (Constrained Only)
      • Excel Services
      • Visio Services
      • PerformancePoint
      • InfoPath Form Services
      • SQL SSRS 2012
      • Access Service 2013
    • Does NOT Use Protocol Transition (Forest limited until Server 2012) (Unconstrained or Constrained)
      • SQL Reporting Services 2008 R2
      • BCS
      • Project Server
    • Doesn’t usually require Kerberos
      • PowerPivot for SharePoint Server
  • 32. Windows 2012
    • New PowerShell parameter
      • PrincipalsAllowedToDelegateToAccount
    • Constrained Delegation across forests and domains
      • Must have at least one W2K12 DC in all domains involved
      • SharePoint must be running on W2K12 servers
      • Backend server must be W2K3 or later
      • Must apply MS KB 2665790 to all W2K8 and W2K8 R2 DCs
      • Must not have W2K3 DCs
    • New KDC operational event log in W2K12
      • Application and Services/Microsoft/Windows/Kerberos-Key-Distribution-Center/Operational
    • New Kerberos operational event log in W2K12
      • Application and Services/Microsoft/Windows/Security-Kerberos/Operational
    • Performance counters added
  • 33. Tools
    • Kerberos Authentication Tester: http://blog.michelbarneveld.nl/media/p/33.aspx
    • KList: http://www.microsoft.com/download/en/details.aspx?id=11583
    • Kerberos PowerShell Module: https://gallery.technet.microsoft.com/scriptcenter/Keberos-Module-3a6ab12a
    • SharePoint Kerberos Buddy
    • DelegConfig v2
  • 34. Resources
    • Kerberos Survival Guide wiki page (named my session that title before the wiki page existed)
    • Kerberos for Microsoft BI wiki page
    • Microsoft BI Authentication and Identity Delegation paper
    • The Final Kerberos Guide for SharePoint Technicians
  • 37. References
    • Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
    • What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
    • How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
    • Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx
  • 38. References
    • Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
    • How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
    • Spence Harbar’s Blog: http://www.harbar.net
  • 39.
    • Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.
    • Authentication is the process of proving your identity to a remote system.
      • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
    • The user’s password is encrypted as the user key. The user key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.
    • The service’s password is encrypted as the service key.
    • KDCs are found through a DNS query. The service is registered in DNS by the DCs.
  • 40.
    • Showing the detail behind what is happening inside the KDC, but for day-to-day use you can just remember "KDC".
    • Another reason for simplification: encryption upon encryption upon encryption… just remember it is encrypted.
    • This is a Windows-centric Kerberos presentation.
    • Load-balanced solutions need a service account.
    • All web applications hosted using the same SPN have to be hosted with the same account.
    • Use A records, not CNAME records.
  • 41. Terms
    • Key Distribution Center (KDC) – In Windows AD, the KDC lives on domain controllers (DCs); KDCs share a long-term key across all DCs.
    • KDC security account database – In Windows, it is Active Directory.
    • Authorization Service (AS) – part of the KDC
    • Ticket Granting Service (TGS) – part of the KDC
    • Ticket Granting Ticket (TGT) – A user’s initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter a password each time a ticket is requested.
  • 42. Tickets
    • Ticket Granting Ticket (TGT)
      • A user’s initial ticket from the authentication service
      • Used to request service tickets
      • Meant only for use by the ticket-granting service
      • Service ticket for the KDC (service class = krbtgt)
    • Service Ticket
      • Enables the ticket-granting service (TGS) to safely transport the requester’s credentials to the target server or service.
  • 43. Troubleshooting
    • Have the user log on and log off if they don’t regularly: TGTs are only renewable for so long and then they expire (7-day default); then the password has to be re-entered.
    • Remember that authenticators contain the current time. Check for time sync issues.
  • 44. Request TGT (Remember there is even more complexity)
    1. User (client) logs into the workstation, entering their password.
    2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and the current time encrypted using the user’s password as an authenticator.
    3. Client sends these three items to the KDC.
    4. KDC gets the user’s password from AD, decrypts the time and verifies it is valid.
    5. AS generates a logon session key and encrypts it with the user’s password. AS generates a service ticket which contains the logon session key and the user’s KPN, encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
  • 45. Request TGT (Remember there is even more complexity)
    6. KDC sends both to the client.
    7. Client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
  • 46. Access Service (Remember there is even more complexity)
    1. User (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS.
    2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.
    3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses the service session key to generate a service ticket and encrypts it using the service’s password.
    4. TGS sends the service session key and the service ticket to the client.
  • 47. Access Service (Remember there is even more complexity)
    5. Client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.
    6. Client sends the ticket and authenticator to the remote server which runs the service.
    7. Service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.
    8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.
    9. Client decrypts the authenticator and validates the time.
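As an added example that is not part of the slides, the following Python models the TGT request and service access steps of slides 44-47 end to end, with both sides' messages: the AS and TGS exchanges, the AP request to the web service, and the optional mutual-authentication reply. A toy SHAKE/HMAC construction stands in for the Kerberos encryption types, PBKDF2 stands in for string-to-key, and the realm CONTOSO.LOCAL, the user jdoe, the service password and the SPN HTTP/www.website.com are constructed. The TGT carries the logon session key sealed under the krbtgt key, so the KDC keeps no per-client state. It also exercises the troubleshooting point from slide 43: move the workstation clock past the skew window and the authenticator check fails before any ticket is issued.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300                    # tolerated clock skew in seconds (Windows default: 5 minutes)
TGT_LIFETIME = 7 * 24 * 3600  # slide 43: TGTs expire after 7 days by default

def string_to_key(password, salt):
    """Toy stand-in for Kerberos string-to-key: derive a long-term key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def encrypt(key, msg):
    """Toy authenticated encryption (SHAKE keystream + HMAC tag) standing in for a Kerberos etype."""
    nonce, data = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def check_authenticator(key, blob, now):
    """Authenticators carry the sender's clock; reject them outside the skew window."""
    auth = decrypt(key, blob)
    if abs(auth["time"] - now) > SKEW:
        raise ValueError("authenticator time outside skew window: check time sync")
    return auth

class KDC:
    """Authentication Service + Ticket Granting Service over an account database (AD on a DC)."""
    def __init__(self, realm, clock=time.time):
        self.realm, self.clock = realm, clock
        self.keys = {}                    # user principal or SPN -> long-term key
        self.krbtgt_key = os.urandom(32)  # shared by every DC in the domain

    def register(self, principal, password):
        self.keys[principal] = string_to_key(password, self.realm + principal)

    def as_exchange(self, kpn, auth_blob):
        """AS-REQ -> AS-REP (slide 44 steps 4-5): check the password-sealed time, issue a TGT."""
        now, user_key = int(self.clock()), self.keys[kpn]
        check_authenticator(user_key, auth_blob, now)
        logon_key = os.urandom(32)
        tgt = encrypt(self.krbtgt_key, {"kpn": kpn, "key": logon_key.hex(), "exp": now + TGT_LIFETIME})
        return encrypt(user_key, {"key": logon_key.hex()}), tgt

    def tgs_exchange(self, spn, tgt_blob, auth_blob):
        """TGS-REQ -> TGS-REP (slide 46 steps 2-4): open the TGT, issue a service ticket."""
        now, tgt = int(self.clock()), decrypt(self.krbtgt_key, tgt_blob)
        if tgt["exp"] < now:
            raise ValueError("TGT expired: user must log off and log on again")
        logon_key = bytes.fromhex(tgt["key"])
        check_authenticator(logon_key, auth_blob, now)
        if spn not in self.keys:
            raise KeyError(f"missing SPN {spn}: no service key to seal the ticket with")
        svc_session = os.urandom(32)
        ticket = encrypt(self.keys[spn], {"kpn": tgt["kpn"], "key": svc_session.hex()})
        return encrypt(logon_key, {"key": svc_session.hex()}), ticket

def client_logon(kdc, kpn, password, now):
    """Slides 44-45: obtain a TGT; the user key is dropped once the logon session key is cached."""
    user_key = string_to_key(password, kdc.realm + kpn)
    enc_key, tgt = kdc.as_exchange(kpn, encrypt(user_key, {"time": now}))
    return {"kpn": kpn, "logon_key": bytes.fromhex(decrypt(user_key, enc_key)["key"]), "tgt": tgt}

def client_access(kdc, cache, spn, now):
    """Slides 46-47 steps 1-5: obtain a service ticket and the authenticator sent to the server."""
    enc_key, ticket = kdc.tgs_exchange(spn, cache["tgt"], encrypt(cache["logon_key"], {"time": now}))
    svc_session = bytes.fromhex(decrypt(cache["logon_key"], enc_key)["key"])
    return ticket, encrypt(svc_session, {"time": now}), svc_session

def service_accept(service_key, ticket, auth_blob, now):
    """Slide 47 steps 7-8: open the ticket with the service's own key, verify the authenticator,
    return the KPN and the reply authenticator for mutual authentication."""
    t = decrypt(service_key, ticket)
    session = bytes.fromhex(t["key"])
    auth = check_authenticator(session, auth_blob, now)
    return t["kpn"], encrypt(session, {"time": auth["time"]})

def authenticated_principal(client_clock_offset=0):
    """Whole flow for a constructed user and web site; None when clock skew beyond SKEW breaks it."""
    kdc = KDC("CONTOSO.LOCAL")                      # constructed realm
    kdc.register("jdoe", "P@ssw0rd!")               # constructed user account
    kdc.register("HTTP/www.website.com", "svc-pw")  # constructed SPN, keyed by its service account
    now = int(time.time())
    client_now = now + client_clock_offset          # the workstation's (possibly wrong) clock
    try:
        cache = client_logon(kdc, "jdoe", "P@ssw0rd!", client_now)
        ticket, ap_req, session = client_access(kdc, cache, "HTTP/www.website.com", client_now)
        kpn, ap_rep = service_accept(kdc.keys["HTTP/www.website.com"], ticket, ap_req, now)
        if decrypt(session, ap_rep)["time"] != client_now:  # step 9: client checks the server
            raise ValueError("mutual authentication failed")
        return kpn
    except ValueError:
        return None
```

`authenticated_principal()` returns "jdoe"; `authenticated_principal(600)` returns None because the KDC rejects the first authenticator, which is the same symptom a workstation ten minutes off the DC's clock shows in production. Note that the service never talks to the KDC: it trusts the ticket only because it decrypts under the service account's own key, which is why a missing or wrongly assigned SPN (slide 48) means no usable ticket can be issued at all.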
  • 48. Common Issues that break Kerberos
    • Times are out of sync – authenticators contain the current time
    • Missing SPN
    • Duplicate SPN
    • SPN assigned to the wrong service account
    • IIS providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
    • IIS 7 – remember Kernel mode authentication and check the settings
    • Client TGT expired (7-day expiration – have the user log on and log off; no reboot required)
    • IE and non-default ports
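As an added example that is not part of the slides, the following Python covers the SPN points from slides 7-8, 40 and 48 in one place: it parses the service-class/host:port form from slide 7, detects the duplicate and missing SPNs listed on slide 48, and shows how the service classes on slide 8 fall back to the HOST SPN of the machine account when no explicit SPN is registered (in Active Directory that mapping lives in the sPNMappings attribute). The account names and the SPNs they hold are constructed, in the shape `setspn -L` would list them; the lookup order (exact SPN first, then HOST/<host> for a class in the slide 8 list) is the assumption the example makes about the KDC.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Service classes that the HOST SPN covers by default (the list on slide 8, lower-cased).
HOST_ALIASES = {
    "alerter", "appmgmt", "browser", "cifs", "cisvc", "clipsrv", "dcom", "dhcp",
    "dmserver", "dns", "dnscache", "eventlog", "eventsystem", "fax", "http", "ias",
    "iisadmin", "mcsvc", "messenger", "msiserver", "netdde", "netddedsm", "netlogon",
    "netman", "nmagent", "oakley", "plugplay", "policyagent", "protectedstorage",
    "rasman", "remoteaccess", "replicator", "rpc", "rpclocator", "rpcss", "rsvp",
    "samss", "scardsvr", "scesrv", "schedule", "scm", "seclogon", "snmp", "spooler",
    "tapisrv", "time", "trksvr", "trkwks", "ups", "w3svc", "wins", "www",
}


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None
    instance: Optional[str] = None

    def key(self) -> str:
        """Canonical lower-case form; AD compares SPNs case-insensitively."""
        k = f"{self.service_class}/{self.host}"
        if self.port is not None:
            k += f":{self.port}"
        if self.instance:
            k += f"/{self.instance}"
        return k


def parse_spn(text: str) -> SPN:
    """Parse service-class/host[:port][/service-name] (slide 7: HTTP/website:80)."""
    if "/" not in text or text.startswith("/"):
        raise ValueError(f"not an SPN: {text!r}")
    service_class, rest = text.split("/", 1)
    hostport, _, instance = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"SPN has no host name: {text!r}")
    if port and not port.isdigit():
        raise ValueError(f"SPN port is not numeric: {text!r}")
    return SPN(service_class.lower(), host.lower(), int(port) if port else None, instance.lower() or None)


def find_duplicate_spns(accounts: dict) -> dict:
    """Map each SPN registered to more than one account to the accounts holding it (slide 48)."""
    holders = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            holders[parse_spn(spn).key()].append(account)
    return {spn: accts for spn, accts in holders.items() if len(accts) > 1}


def resolve_spn(requested: str, accounts: dict) -> Optional[str]:
    """Account whose key the KDC would use for this request: the exact SPN first, then
    HOST/<host> for a service class in HOST_ALIASES. None means a missing SPN, so no ticket."""
    spn = parse_spn(requested)
    candidates = [spn.key()]
    if spn.service_class in HOST_ALIASES:
        candidates.append(SPN("host", spn.host, spn.port, spn.instance).key())
    registered = {parse_spn(s).key(): acct for acct, spns in accounts.items() for s in spns}
    for key in candidates:
        if key in registered:
            return registered[key]
    return None


# Constructed sample of account -> registered SPNs, as setspn -L would list them.
SAMPLE_ACCOUNTS = {
    "CONTOSO\\svc-sp-web": ["HTTP/www.website.com", "HTTP/www.website.com:80", "HTTP/intranet"],
    "CONTOSO\\svc-sp-old": ["http/Intranet"],   # same SPN as above in different case: a duplicate
    "CONTOSO\\WEB01$": ["HOST/web01", "HOST/web01.contoso.local"],
}
```

`find_duplicate_spns(SAMPLE_ACCOUNTS)` reports `http/intranet` on two accounts, the case slide 40 warns about (one SPN, one account). `resolve_spn("HTTP/web01", SAMPLE_ACCOUNTS)` lands on the machine account through the HOST alias, which is fine for a site running as the machine identity but is the wrong key once the application pool runs as a domain service account; `resolve_spn("MSSQLSvc/web01:1433", ...)` returns None because that class is not in the HOST list and no explicit SPN exists.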