SharePoint Saturday Kansas City - Kerberos Survival Guide
If it were just BI, Kerberos, and you alone in a jungle, would you be able to survive the encounter? You will after you attend this once in a lifetime event! OK…in reality, if you come to this session, you will understand an important component you need to setup Microsoft Business Intelligence solutions with SharePoint and SQL. You will the learn basics of how Kerberos (an authentication protocol) works, when you want to use it, configuration tips, and what delegation is all about.

Published in: Technology
Kerberos Survival Guide
Presented by: JD Wade, SharePoint Consultant, MCITP
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade

Agenda
•Overview
•Logon Process
•Accessing a Web Site
•Keep in Mind
•Delegation

Kerberos
Massachusetts Institute of Technology

Details Out of Scope
•Renewing tickets
•Ticket expiration
•Keys
•Authenticator
•TGT Structure
•Service Ticket Structure
•Encryption/Decryption
•Multiple domains/forests

Dependencies

Service Principal Name
Service Class / Host Name : Port
Example: HTTP/website:80

Service Classes allowed by host
alerter, http, policyagent, scm, appmgmt, ias, protectedstorage, seclogon, browser, iisad, rasman, snmp, cifs, min, remoteaccess, spooler, cisvc, messenger, replicator, Tapisrv, clipsrv, msiserver, rpc, time, dcom, mcsvc, rpclocator, trksvr, dhcp, netdde, rpcss, trkwks, dmserver, netddedsm, rsvp, ups, dns, netlogon, samss, w3svc, dnscache, netman, scardsvr, wins, eventlog, nmagent, scesrv, www, eventsystem, oakley, Schedule, fax, plugplay

Kerberos
•Benefits
•Delegated Authentication
•Interoperability
•More Efficient Authentication
•Mutual Authentication

Logon Process
(diagram slides: KDC, SPN)

Access Web Site
(diagram slides: 401, SPN)

Keep In Mind

Classic / Claims

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
•IIS – Chatty by default
•IIS6 – See MS KB 917557
•IIS7 – See MS KB 954873
Delegation

Delegation
(diagram, shown in four steps: Web (Srv1), Datamart (Srv2), Cubes (Srv3), Srv4)

Protocol Transition
(diagram: FBA, Kerberos)

•Uses Protocol Transition (Domain limited) (Constrained Only)
  • Excel Services
  • Visio Services
  • PerformancePoint
  • InfoPath Form Services
  • SQL SSRS 2012
  • Access Service 2013
•Does NOT Use Protocol Transition (Forest limited) (Unconstrained or Constrained)
  • SQL Reporting Services 2008 R2
  • BCS
  • Project Server
•Doesn’t usually require Kerberos
  • PowerPivot for SharePoint Server

References
•Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
•What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
•How the Kerberos Version 5 Authentication Protocol Works http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
•Explained: Windows Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647076.aspx

References
•Kerberos Authentication Tools and Settings http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
•How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649317.aspx
•Spence Harbar’s Blog http://www.harbar.net

Q&A
http://wadingthrough.com/presentations
http://www.hrizns.com
http://twitter.com/jdwade
Appendix

•Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.
•Authentication is the process of proving your identity to a remote system.
  • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
•User password is encrypted as the user key. User key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.
•Service password is encrypted as the service key.
•KDCs are found through a DNS query. The service is registered in DNS by the DCs.

•Showing detail behind what is happening inside of the KDC, but for day-to-day use you can just remember KDC
•Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted
•This is a Windows-centric Kerberos presentation
•Load balanced solutions need a service account
•All web applications hosted using the same SPN have to be hosted with the same account
•Use A records, not CNAME records

•Terms
•Key Distribution Center (KDC) – In Windows AD, the KDC lives on domain controllers (DC); KDCs share a long term key across all DCs.
•KDC security account database – In Windows, it is Active Directory
•Authentication Service (AS) – part of the KDC
•Ticket Granting Service (TGS) – part of the KDC
•Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter the password each time a ticket is requested.

Tickets
•Ticket Granting Ticket (TGT)
  •A user's initial ticket from the authentication service
  •Used to request service tickets
  •Meant only for use by the ticket-granting service.
  •Service ticket for the KDC (service class = krbtgt)
•Service Ticket
  •Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.

Tools
•Knowledge
•SetSPN
•Windows Security Logs
•Windows 2008 ADUC or ADSIEdit
•Kerbtray or Klist
•Netmon and Fiddler
•IIS Logs and IIS7 Failed Request Tracing
•LDP
•Kerberos Logging
•Event Logging and/or Debug Logs

•Troubleshooting
  • Have the user log on and log off if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then the password has to be re-entered.
  • Remember that authenticators contain the current time. Check for time sync issues.

•Common Issues
  • Missing SPN
  • Duplicate SPN
  • SPN assigned to wrong service account
  • Times are out of sync
  • Client TGT expired (7 days)
  • IE and non-default ports

•Request TGT (Remember there is even more complexity)
  1. User (client) logs into workstation entering their password.
  2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator.
  3. Client sends these three items to the KDC.
  4. KDC gets the user’s password from AD, decrypts the time and verifies it is valid.
  5. AS generates a logon session key and encrypts it with the user’s password. AS generates a service ticket which contains the logon session key and the user’s KPN encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
  6. KDC sends both to the client.
  7. Client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.

•Access Service (Remember there is even more complexity)
  1. User (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS.
  2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.
  3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses the service session key to generate a service ticket and encrypts it using the service’s password.
  4. TGS sends the service session key and the service ticket to the client.
  5. Client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.
  6. Client sends the ticket and authenticator to the remote server which runs the service.
  7. Service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.
  8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.
  9. Client decrypts the authenticator and validates the time.
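The Request TGT and Access Service steps above, carried through end to end as an added example (not the presenter's code and not the real Kerberos wire format): a toy SHA-256/HMAC cipher stands in for Kerberos encryption, and the constructed account table stands in for Active Directory. Each authenticator carries the sender's time and is checked against an allowed skew, so an out-of-sync clock or a ticket encrypted under the wrong account's key is rejected exactly where the troubleshooting slides say to look.

```python
import hashlib, hmac, json, os
MAX_SKEW = 300      # seconds of allowed clock skew; "times are out of sync" is a top Kerberos breaker

def key_from(secret):                 # toy KDF standing in for "password is encrypted as the key"
    return hashlib.sha256(secret.encode()).digest()
def _stream(key, nonce, n):           # keystream for the toy cipher used by seal/unseal
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):                   # toy authenticated encryption, stands in for Kerberos crypto
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct
def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key (SPN on the wrong account?) or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))
def check_time(key, authenticator, now):   # every authenticator carries the sender's current time
    if abs(now - unseal(key, authenticator)["time"]) > MAX_SKEW:
        raise ValueError("authenticator time not valid (clock skew)")

# Constructed account database (stands in for AD) plus the KDC's own long-term key
ACCOUNTS = {"jdoe": key_from("UserPw!"), "HTTP/website:80": key_from("SvcPw!")}
KDC_KEY = key_from("krbtgt long-term key")
def kdc_as(kpn, authenticator, now):       # Request TGT steps 4-6: AS returns logon key + TGT
    check_time(ACCOUNTS[kpn], authenticator, now)
    logon_key = os.urandom(32).hex()
    return seal(ACCOUNTS[kpn], {"logon_key": logon_key}), seal(KDC_KEY, {"kpn": kpn, "logon_key": logon_key})

def kdc_tgs(spn, authenticator, tgt, now): # Access Service steps 2-4: TGS returns service key + ticket
    t = unseal(KDC_KEY, tgt)               # logon key and KPN come from the TGT, not from the password
    logon_key = bytes.fromhex(t["logon_key"])
    check_time(logon_key, authenticator, now)
    svc_key = os.urandom(32).hex()
    return seal(logon_key, {"svc_key": svc_key}), seal(ACCOUNTS[spn], {"kpn": t["kpn"], "svc_key": svc_key})

def service_accept(spn, ticket, authenticator, now):   # Access Service steps 7-8: the web server's side
    t = unseal(ACCOUNTS[spn], ticket)      # only the service's own key opens its ticket
    svc_key = bytes.fromhex(t["svc_key"])
    check_time(svc_key, authenticator, now)
    return t["kpn"], seal(svc_key, {"time": now})      # KPN for the access token + mutual-auth reply

def client_logon(kpn, password, spn, now): # the client side of both slides; returns the KPN the service saw
    user_key = key_from(password)
    enc_lk, tgt = kdc_as(kpn, seal(user_key, {"time": now}), now)
    logon_key = bytes.fromhex(unseal(user_key, enc_lk)["logon_key"])   # user key is discarded after this
    enc_sk, ticket = kdc_tgs(spn, seal(logon_key, {"time": now}), tgt, now)
    svc_key = bytes.fromhex(unseal(logon_key, enc_sk)["svc_key"])
    kpn_seen, ap_rep = service_accept(spn, ticket, seal(svc_key, {"time": now}), now)
    check_time(svc_key, ap_rep, now)       # step 9: client validates the service's authenticator
    return kpn_seen
```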
Troubleshooting Tools
• Patience – Test methodically and
• Knowledge – Know your Forests, Domains, Trusts, Functional Levels…get a basic lay of the land.
• Always test from a different machine than the web server or domain controller!
• SetSPN
• Windows Security Logs
• Windows 2008 ADUC
• Kerbtray
• Netmon and Fiddler
• IIS Logs and IIS7 Failed Request Tracing
• Kerberos Logging
• Event Logging and/or Debug Logs

Common Issues that break Kerberos
• Times are out of sync – authenticators contain current time
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383)
• IIS 7 – remember Kernel mode authentication and check settings
• Client TGT expired (7 days expiration – have user logon and logoff, no reboot required)
• IE and non-default ports
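An offline check for the SPN issues listed above (missing SPN, duplicate SPN, SPN on the wrong account), added here as an example and not part of the presentation. The directory snapshot and account names are constructed; the HOST/ alias set is a subset of the classes on the "Service Classes allowed by host" slide, so an http SPN with no port is treated as satisfied by HOST/ on the machine account.

```python
import re
from collections import defaultdict

# Service classes the HOST/ SPN of a machine account covers (subset of the slide's list)
HOST_ALIASES = {"http", "www", "w3svc", "cifs", "rpc", "rpcss", "dns", "spooler", "time"}
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<name>[^/]+))?$")

def parse_spn(spn):
    """Split 'Class/host:port/name' into (class, host, port); class and host compare case-insensitively."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError("malformed SPN: " + spn)
    return (m["cls"].lower(), m["host"].lower(), int(m["port"]) if m["port"] else None)

def audit(directory, expected):
    """directory: {account: [spn, ...]} as setspn -L lists them; expected: {spn: account that must own it}."""
    owners = defaultdict(set)
    for acct, spns in directory.items():
        for cls, host, port in map(parse_spn, spns):
            owners[(cls, host, port)].add(acct)
    issues = []
    for key, accts in owners.items():
        if len(accts) > 1:                       # duplicate SPN: the KDC cannot pick one key
            issues.append(("duplicate", "%s/%s" % key[:2], sorted(accts)))
    for spn, want in expected.items():
        cls, host, port = parse_spn(spn)
        have = owners.get((cls, host, port), set())
        if not have and cls in HOST_ALIASES and port is None:   # HOST/ on the machine covers aliases
            have = owners.get(("host", host, None), set())
        if not have:
            issues.append(("missing", spn))
        elif want not in have:                   # ticket would be encrypted with the wrong key
            issues.append(("wrong account", spn, sorted(have)))
    return issues

# Constructed snapshot, not real directory data
DIRECTORY = {
    "CONTOSO\\svc_web":   ["HTTP/website", "HTTP/website.contoso.local"],
    "CONTOSO\\svc_old":   ["HTTP/website.contoso.local"],            # stale copy left on an old account
    "CONTOSO\\DATAMART$": ["HOST/datamart", "HOST/datamart.contoso.local"],
    "CONTOSO\\svc_sql":   ["MSSQLSvc/datamart.contoso.local:1433"],
}
EXPECTED = {
    "HTTP/website.contoso.local": "CONTOSO\\svc_web",
    "HTTP/website:8080": "CONTOSO\\svc_web",               # non-default port needs its own SPN
    "HTTP/datamart.contoso.local": "CONTOSO\\svc_web",     # app pool runs as svc_web, not the machine
    "MSSQLSvc/datamart.contoso.local:1433": "CONTOSO\\svc_sql",
}
```

`audit(DIRECTORY, EXPECTED)` returns one tuple per finding; on the constructed snapshot it flags the duplicate HTTP/website.contoso.local, the missing HTTP/website:8080, and HTTP/datamart.contoso.local being covered only by the machine account's HOST/ SPN instead of svc_web.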