SPS Ozarks 2012: Kerberos Survival Guide
Transcript of "SPS Ozarks 2012: Kerberos Survival Guide"

Slide 1. Kerberos Survival Guide
Presented by: JD Wade, Senior SharePoint Consultant
MCTS & MCITP: SharePoint 2010, Configuring
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade
Horizons Consulting, Inc.: http://www.hrizns.com
Slide 2. Agenda
• Overview
• Logon Process
• Accessing a Web Site
• Miscellaneous Information
• The Really Complicated Stuff
Slide 3. Kerberos (Massachusetts Institute of Technology)
Slide 4. Details Out of Scope
• Renewing tickets
• Ticket expiration
• Keys
• Authenticator
• TGT Structure
• Service Ticket Structure
• Encryption/Decryption
• Multiple domains/forests
Slide 5. Dependencies
Slide 6. Service Principal Name
Format: Service Class / Host Name : Port
Example: HTTP/website:80
Slide 7. Service Classes allowed by host
alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, mcsvc, messenger, msiserver, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, Schedule, scm, seclogon, snmp, spooler, Tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www
Slide 8. Kerberos
• Benefits
  • Delegated Authentication
  • Interoperability
  • More Efficient Authentication
  • Mutual Authentication
• Reasons to Use
  • Need Auditing at the Data Sources
  • Data Sources contain Row Level Security
  • Otherwise, DO NOT USE IT!
Slide 9. Logon Process
Slide 10 (diagram): KDC
Slide 11 (diagram): KDC
Slide 12 (diagram): KDC, SPN
Slide 13 (diagram): KDC
Slide 14. Access Web Site
Slide 15 (diagram): 401
Slide 16 (diagram): SPN
Slide 17. Miscellaneous Information
Slide 18. Kerberos
• IIS – Chatty by default (make sure you do this!)
  • IIS6 – See MS KB 917557
  • IIS7 – See MS KB 954873
Slide 19.
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>
Slide 20. Troubleshooting Tools
• Knowledge
• SetSPN
• Windows 2008 ADUC or ADSIEdit
• Windows Security Logs and IIS Logs
• Klist
• Netmon/Wireshark and Fiddler
• IIS7 Failed Request Tracing
• Kerberos Logging
  • Event Logging and/or Debug Logs
Slide 21. Why So Many Stupid Settings?
Slide 22 (diagram): Web, Srv1, Srv2, Srv3, Srv4, Datamart, Cubes
Slide 23 (diagram): For all of 2007: Web, Srv1, Srv2, Srv3, Srv4, Datamart, Cubes
Slide 24 (diagram): Web, Srv1, Srv2, Srv3, Srv4, Datamart, Cubes
Slide 25 (diagram): FBA, Kerberos
Slide 26 (diagram): Web, Srv1, Srv2, Srv3, Srv4, Datamart, Cubes
Slide 27. For 2010 & 2013
• Uses Protocol Transition (Domain limited) (Constrained Only)
  • Excel Services
  • Visio Services
  • PerformancePoint
  • InfoPath Form Services
• Does NOT Use Protocol Transition (Forest limited) (Unconstrained or Constrained)
  • SQL Reporting Services
  • BCS
  • Access Services
  • Project Server
• Doesn't usually require Kerberos
  • PowerPivot for SharePoint Server
Slide 28. Q&A: http://wadingthrough.com/presentations
Slide 29. References
• Ken Schaefer's Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
• What Is Kerberos Authentication? http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx
• How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx
• Explained: Windows Authentication in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff647076.aspx
Slide 30. References
• Kerberos Authentication Tools and Settings: http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx
• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0: http://msdn.microsoft.com/en-us/library/ff649317.aspx
• Spence Harbar's Blog: http://www.harbar.net
Slide 31. Housekeeping
• Follow SharePoint Saturday Ozarks on Twitter @SPSOzarks, hashtag #SPSOzarks
• Stop by and thank our sponsors for making this event possible!
• Fill out and turn in evaluation forms to be eligible for the end-of-day raffle. You must be present to win.
• Don't miss "This Modern Station" tonight at Waxy O'Shea's!
38 | SharePoint Saturday St. Louis 2012
Slide 32. Thanks to Our Sponsors! Platinum
Slide 33. Thanks to Our Sponsors!
Slide 34. The End: http://wadingthrough.com/presentations
Slide 35. Appendix
Slide 36.
• Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.
• Authentication is the process of proving your identity to a remote system.
  • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.
• The user's password is encrypted as the user key. The user key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.
• The service's password is encrypted as the service key.
• KDCs are found through a DNS query. The service is registered in DNS by the DCs.
Slide 37.
• Showing the detail behind what is happening inside the KDC, but for day-to-day use you can just remember "KDC".
• Another reason for simplification: encryption upon encryption upon encryption… just remember it is encrypted.
• This is a Windows-centric Kerberos presentation.
• Load balanced solutions need a service account.
• All web applications hosted using the same SPN have to be hosted with the same account.
• Use A records, not CNAME records.
Slide 38. Terms
• Key Distribution Center (KDC) – In Windows AD, the KDC lives on domain controllers (DCs); KDCs share a long-term key across all DCs.
• KDC security account database – In Windows, it is Active Directory.
• Authorization Service (AS) – part of the KDC.
• Ticket Granting Service (TGS) – part of the KDC.
• Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter a password each time a ticket is requested.
Slide 39. Tickets
• Ticket Granting Ticket (TGT)
  • A user's initial ticket from the authentication service
  • Used to request service tickets
  • Meant only for use by the ticket-granting service
  • Service ticket for the KDC (service class = krbtgt)
• Service Ticket
  • Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
Slide 40. Tools
• Knowledge
• SetSPN
• Windows Security Logs
• Windows 2008 ADUC or ADSIEdit
• Kerbtray or Klist
• Netmon and Fiddler
• IIS Logs and IIS7 Failed Request Tracing
• LDP
• Kerberos Logging
  • Event Logging and/or Debug Logs
Slide 41. Troubleshooting
• Have the user log on and log off if they don't regularly: TGTs are only renewable for so long and then they expire (7 day default); after that the password has to be re-entered.
• Remember that authenticators contain the current time. Check for time sync issues.
Slide 42. Common Issues
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• Times are out of sync
• Client TGT expired (7 days)
• IE and non-default ports
Slide 43. Request TGT (Remember there is even more complexity)
1. User (client) logs into the workstation, entering their password.
2. Client builds an authentication service request containing the user's username (KPN) and the SPN of the TGS, and encrypts the current time using the user's password as an authenticator.
3. Client sends these three items to the KDC.
4. KDC gets the user's password from AD, decrypts the time and verifies it is valid.
5. AS generates a logon session key and encrypts it with the user's password. AS generates a service ticket which contains the logon session key and the user's KPN, encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
Slide 44. Request TGT (Remember there is even more complexity)
6. KDC sends both to the client.
7. Client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
Slide 45. Access Service (Remember there is even more complexity)
1. User (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user's KPN, the name of the target service (SPN), and the TGT to the TGS.
2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.
3. TGS extracts the user's KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses the service session key to generate a service ticket and encrypts it using the service's password.
4. TGS sends the service session key and the service ticket to the client.
Slide 46. Access Service (Remember there is even more complexity)
5. Client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.
6. Client sends the ticket and authenticator to the remote server which runs the service.
7. Service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.
8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.
9. Client decrypts the authenticator and validates the time.
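The two exchanges above (Request TGT, then Access Service), worked through as an added Python simulation that is not part of the deck. It substitutes a toy HMAC-SHA256 keystream cipher for Kerberos' real encryption types, derives user and service keys as SHA-256 of the password, fixes the allowed clock skew at 5 minutes, leaves out the optional mutual-authentication steps 8 and 9, and uses constructed names and passwords throughout.

```python
import hashlib, hmac, json, os
SKEW = 300  # allowed authenticator clock skew in seconds (5-minute Windows default; demo assumption)
def _crypt(key, nonce, data):  # toy keystream cipher from HMAC-SHA256, standing in for Kerberos' real etypes
    stream = b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))
def seal(key, obj):  # encrypt a small dict under a key and append an integrity tag
    nonce = os.urandom(16)
    body = nonce + _crypt(key, nonce, json.dumps(obj).encode())
    return body + hmac.digest(key, body, "sha256")
def unseal(key, blob):  # decrypt; fails when the key is wrong, so a ticket made without the key never parses
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, body, "sha256")):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(_crypt(key, body[:16], body[16:]))
def password_key(password):  # "password is encrypted as the key" (toy derivation, not the Windows one)
    return hashlib.sha256(password.encode()).digest()
def check_time(key, authenticator, now):  # each hop opens the authenticator with the session key it holds
    if abs(unseal(key, authenticator)["time"] - now) > SKEW:
        raise ValueError("authenticator time outside allowed skew")  # the "times out of sync" failure

class KDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.krbtgt_key = os.urandom(32)  # AS/TGS shared key: a TGT is just a service ticket for krbtgt
    def as_request(self, kpn, authenticator, now):  # "Request TGT" steps 4 to 6
        check_time(self.user_keys[kpn], authenticator, now)
        logon_key = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"kpn": kpn, "logon_key": logon_key})
        return seal(self.user_keys[kpn], {"logon_key": logon_key}), tgt
    def tgs_request(self, tgt, authenticator, spn, now):  # "Access Service" steps 2 to 4
        t = unseal(self.krbtgt_key, tgt)  # the TGT itself carries the logon session key the TGS needs
        check_time(bytes.fromhex(t["logon_key"]), authenticator, now)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.service_keys[spn], {"kpn": t["kpn"], "svc_key": svc_key})
        return seal(bytes.fromhex(t["logon_key"]), {"svc_key": svc_key}), ticket

def service_accept(service_key, ticket, authenticator, now):  # "Access Service" step 7
    t = unseal(service_key, ticket)  # the service never contacts the KDC; its own key opens the ticket
    check_time(bytes.fromhex(t["svc_key"]), authenticator, now)
    return t["kpn"]  # the identity a Windows access token would be built from

def logon_and_access(kdc, kpn, password, spn, service_key, client_clock, server_clock):
    # client side of both exchanges; client_clock vs server_clock models a workstation whose time drifted
    user_key = password_key(password)
    enc, tgt = kdc.as_request(kpn, seal(user_key, {"time": client_clock}), server_clock)
    logon_key = bytes.fromhex(unseal(user_key, enc)["logon_key"])  # user key is no longer needed after this
    enc, ticket = kdc.tgs_request(tgt, seal(logon_key, {"time": client_clock}), spn, server_clock)
    svc_key = bytes.fromhex(unseal(logon_key, enc)["svc_key"])
    return service_accept(service_key, ticket, seal(svc_key, {"time": client_clock}), server_clock)
```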
Slide 47. Troubleshooting Tools
• Patience – Test methodically and
• Knowledge – Know your Forests, Domains, Trusts, Functional Levels… get a basic lay of the land.
• Always test from a different machine than the web server or domain controller!
• SetSPN
• Windows Security Logs
• Windows 2008 ADUC
• Kerbtray
• Netmon and Fiddler
• IIS Logs and IIS7 Failed Request Tracing
• Kerberos Logging
  • Event Logging and/or Debug Logs
Slide 48. Common Issues that break Kerberos
• Times are out of sync – authenticators contain the current time
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• IIS Providers are incorrect (for IIS 5 or 6, see http://support.microsoft.com/kb/215383)
• IIS 7 – remember Kernel mode authentication and check settings
• Client TGT expired (7 day expiration – have the user log on and log off, no reboot required)
• IE and non-default ports
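Three of the issues above (missing SPN, duplicate SPN, SPN on the wrong service account) can be caught by checking the SPN lists you collect with SetSPN before users start reporting 401s. The following is an added Python example, not from the deck: it assumes you have already gathered each account's SPNs into a dict (the data here is constructed), parses them in the Service Class/Host Name:Port form from the SPN slide, and compares them with the SPN a browser would request for a given web application URL.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def parse_spn(spn):
    # "ServiceClass/HostName:Port" as on the SPN slide; the port part is optional
    service_class, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    return service_class.upper(), host.lower(), int(port) if port else None

def normalize(spn):
    # AD matches SPNs case-insensitively; 'HTTP/website:80' is still a different SPN from 'HTTP/website'
    cls, host, port = parse_spn(spn)
    return f"{cls}/{host}" + (f":{port}" if port else "")

def expected_spn(url):
    # the SPN a browser asks the TGS for: HTTP/<host>, with ':port' only on a non-default port
    # (IE leaves the port out by default, which is why "IE and non-default ports" is on the issues list)
    u = urlsplit(url)
    default = 443 if u.scheme == "https" else 80
    port = u.port or default
    return f"HTTP/{u.hostname}" + (f":{port}" if port != default else "")

def audit_spns(spns_by_account, url, app_pool_account):
    # spns_by_account: {account: [spn, ...]}, the shape you get by running 'setspn -L <account>' per account
    owners = defaultdict(set)
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners[normalize(spn)].add(account)
    problems = [f"duplicate SPN {spn} on {', '.join(sorted(accts))}"
                for spn, accts in owners.items() if len(accts) > 1]
    want = expected_spn(url)
    if want not in owners:
        problems.append(f"missing SPN {want}")
    elif app_pool_account not in owners[want]:
        problems.append(f"SPN {want} is on {', '.join(sorted(owners[want]))}, "
                        f"not on app pool account {app_pool_account}")
    return problems
```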