1. Kerberos Survival Guide Presented by: JD Wade, SharePoint Consultant, MCITP Mail: jd.wade@hrizns.com Blog: http://wadingthrough.wordpress.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade

3. Logon Process

4. Accessing a Web Site

5. Troubleshooting

6. Kerberos Demos

9. Ticket expiration

10. Keys

11. Authenticator

12. TGT Structure

13. Service Ticket Structure

14. Encryption/Decryption

16. Dependencies SPN

18. Service Principal Name Service Class Host Name Port

19. Service Classes allowed by host alerter http policyagent scm appmgmt ias protectedstorage seclogon browser iisad rasman snmp cifs min remoteaccess spooler cisvc messenger replicator Tapisrv clipsrv msiserver rpc time dcom mcsvc rpclocator trksvr dhcp netdde rpcss trkwks dmserver netddedsm rsvp ups dns netlogon samss w3svc dnscache netman scardsvr wins eventlog nmagent scesrv www eventsystem oakley Schedule fax plugplay

21. Delegated Authentication

22. Interoperability

23. More Efficient Authentication

25. KDC AS

26. KDC AS

27. KDC TGS AS SPN

28. KDC TGS

29. Access Web Site

30. 401

31. SPN

33. <system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useAppPoolCredentials="true" /> </authentication> </security></system.webServer>

35. Troubleshooting

37. Demos

38. Delegation

40. FBA Kerberos

42. What Is Kerberos Authentication?http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx

43. How the Kerberos Version 5 Authentication Protocol Workshttp://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx

45. How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0http://msdn.microsoft.com/en-us/library/ff649317.aspx

47. Appendix

49. Authentication is the process of proving your identity to a remote system.

50. Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity.

51. User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded.

52. Service password is encrypted as the service key.

54. Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted

55. This is a Windows-centric Kerberos presentation

56. Load balanced solutions need service account

57. All web applications hosted using the same SPN have to be hosted with the same account

59. Key Distribution Center (KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs.

60. KDC security account database – In Windows, it is Active Directory

61. Authorization Service (AS) – part of the KDC

62. Ticket Granting Service (TGS) – part of the KDC

64. A user's initial ticket from the authentication service

65. Used to request service tickets

66. Meant only for use by the ticket-granting service.

67. Service ticket for the KDC (service class = krbtgt)

68. Service Ticket

70. SetSPN

71. Windows Security Logs

72. Windows 2008 ADUC or ADSIEdit

73. Kerbtray or Klist

74. Netmon and Fiddler

75. IIS Logs and IIS7 Failed Request Tracing

76. LDP

77. Kerberos Logging

79. Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re-entered.

81. Missing SPN

82. Duplicate SPN

83. SPN assigned to wrong service account

84. Times are out of sync

85. Client TGT expired (7 days)