This document provides an overview of Kerberos authentication, including: - Kerberos was developed at MIT and adopted as the default authentication protocol in Windows 2000. - It provides mutual authentication between a client and server based on tickets containing encrypted client credentials. - The Kerberos Key Distribution Center (KDC) issues encryption keys to authenticate entities using a shared master key.

1. Kerberos Introduction
Kerberos in Greek mythology was the
three-headed dog guarding the gates
to the underworld
Kerberos was developed as part of
MITs Athena project and taken on
board as the default authentication
protocol by MS in Windows 2000.
All flavours of Kerberos provide
authentication however the MS
implementation does provide
extensions for authorization.

2. So what does that mean?
Provides a mechanism
for authentication Based on Tickets
THE default
Based on a trusted and containing client
authentication protocol
third party model mutual authentication credentials encrypted
for AD.
between a client and a with Shared keys.
server

4. Authentication Interoperability
Impersonation
Increased authentication efficiencies
(Its just faster)
Mutual authentication
(It can verify you and you can verify it)
Protocol Transition
(first NTLM then Kerberos)
Constrained Delegation
(Impersonation with Rules)
Smartcards

6. The KDC
• KDC trusted 3rd party, provides scalability
• KDC made up of 2 sub services
•(AS) Authentication Service,
•(TGS) Ticket Granting Service
•The KDC holds a copy of each entities Master
Key (Symmetric Crypto)
•The KDC issues the Keys, encrypted with the
Master Key to each entity

8. WWW.K2.COM
SPNs
Service DNS Entry FQDN Service Account SPNs
Blackpearl k2server.k2.com K2K2serviceaccount K2server/ k2server.k2.com:5252
Server K2server/k2server:5252
K2HostServer/
k2server.k2.com:5555
K2HostServer/ k2server:5555
Blackpearl k2wks.k2.com K2K2workspaceaccount HTTP/k2wks.k2.com
Web HTTP/k2wks
Components
SSRS 2005 ssrs.k2.com K2SSRSserviceaccount HTTP/ssrs
HTTP/ssrs.k2.com
Web App SharePoint.k2.com K2MOSSserviceaccount HTTP/SharePoint
HTTP/SharePoint.k2.com
SQL Server K2sql.k2.com K2SQLserviceaccount MSSQLSvc/k2sql:1433
MSSQLSvc/k2sql.k2.com:1433

10. Delegation
•Windows 2000 the users TGT is passed to the
service to facilitate delegation
•Windows 2003 the service ticket can be used to
request a new ticket
•Windows 2000 allowed only for non constrained
delegation model
•Windows 2003 introduced constrained delegation, this
prevents user delegation to any system
•Constrained delegation is only available when
running 2003 native!
•To check attribute on AD account holding the
delegate to SPNs
• “msDS-AllowedToDelegateTo” (see Adsiedit.msc)

13. WITHOUT KERBEROS
WWW.K2.COM
NTLM (Anonymous)
K2 CONFIDENTIAL

14. WWW.K2.COM
Kerberos
Integrated
SQL
Kerberos
Kerberos
K2 CONFIDENTIAL

16. 1. Plan
2. Understand all the services in play and how they will talk
amongst each other
3. Get service accounts for each service (best practice
should be 1 per a service!)
4. Get machine A NAME records and any Host Headers in
IIS (Use A NAME records and avoid port numbers in
HTTP requests)
5. Generate required SPNs (Script?)
6. Enable user accounts for delegation
7. Determine the Delegation
8. Is PT required?

26. system.webServer/security/authentication/Windows-Authentication
<windowsAuthentication enabled="true" useKernelMode="true"
useAppPoolCredentials="true" />

28. MSSQLSvc/FQDN:[port | instancename],
MSSQLSvc/FQDN:port | MSSQLSvc/FQDN

30. Troubleshooting
Network
Auditing Logging Debug
Tracing

31. Auditing
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlL
saKerberosParameters
-“LogLevel” DWORD value of 1
-For Temporary use only

32. Logging
-“LogToFile” DWORD value 1,
-log to file “C:WindowsSystem32lsass.log”

33. Debug
-“KerbDebugLevel”
-DWORD value c0000043 (this value will print the
most standard set of debug messages. Try it first. If
you still want to see more output, set it to ffffffff).

34. Some common Kerberos failure codes
0x6 •KDC_ERR_C_PRINCIPAL_UNKNOWN
•STATUS_NO_SUCH_USER
0x7 •KDC_ERR_S_PRINCIPAL_UNKNOWN
•Server not found in Kerberos database
0x8 •- KDC_ERR_PRINCIPAL_NOT_UNIQUE
•Multiple principal entries in database
0x17 •KDC_ERR_KEY_EXPIRED
•Password has expired – change password to reset
0x25 •KRB_AP_ERR_SKEW
•Clock skew too great
0x34 •KRB_ERR_RESPONSE _TOO_BIG
•Response too big for UDP, retry with TCP

35. Troubleshooting
-Use the Windows security log, look for 540
events showing you the protocol used and any
transited services
-Check for duplicate SPNs
-Check SPN Syntax
-Check Delegation Settings
-ADSI is your friend

39. Multiforest
-Kerberos since 2003 is supported across
forests via the use of forest level trust
introduced in Windows 2003
-Delegation across forests is not supported
-FQDNs required to resolve across forests
-Root hints used to find target KDC

40. http://technet.microsoft.com/en-us/library/bb742516.aspx