J.D. Wade, profile picture
Uploaded byJ.D. Wade
PPTX, PDF706 views

SPS Ozarks 2012: Kerberos Survival Guide

This document provides an overview and agenda for a Kerberos survival guide presentation. The presentation will cover Kerberos logon process, accessing a web site using Kerberos, miscellaneous Kerberos information, and complex Kerberos configurations. It includes dependencies, service principal names (SPNs), and troubleshooting tools for Kerberos. The presentation aims to provide essential information about Kerberos without overcomplicating details.

Embed presentation

Downloaded 12 times
Kerberos Survival Guide Presented by: JD Wade, Senior SharePoint Consultant MCTS & MCITP: SharePoint 2010, Configuring Mail: jd.wade@hrizns.com Blog: http://wadingthrough.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade Horizons Consulting, Inc. http://www.hrizns.com
Agenda •Overview •Logon Process •Accessing a Web Site •Miscellaneous Information •The Really Complicated Stuff
Kerberos Massachusetts Institute of Technology
Details Out of Scope •Renewing tickets •Ticket expiration •Keys •Authenticator •TGT Structure •Service Ticket Structure •Encryption/Decryption •Multiple domains/forests
Dependencies
Service Principal Name Service Class Host Name Port HTTP/website:80
Service Classes allowed by host alerter clipsrv dnscache http msiserver netman policyagent rpc scardsvr scm time wins appmgmt dcom eventlog ias mcsvc nmagent protectedstorage rpclocator scesrv seclogon trksvr www browser dhcp eventsystem iisad netdde oakley rasman rpcss Schedule snmp trkwks fax cifs dmserver plugplay min netddedsm remoteaccess rsvp spooler ups cisvc dns messenger netlogon replicator samss Tapisrv w3svc
Kerberos •Benefits •Delegated Authentication •Interoperability •More Efficient Authentication •Mutual Authentication •Reasons to Use •Need Auditing at the Data Sources •Data Sources contain Row Level Security •Otherwise, DO NOT USE IT!
Logon Process
KDC
KDC
KDC SPN
KDC
Access Web Site
401
SPN
Miscellaneous Information
Kerberos •IIS – Chatty by default (make sure you do this!) •IIS6 – See MS KB 917557 •IIS7 – See MS KB 954873
<system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useAppPoolCredentials="true" /> </authentication> </security> </system.webServer>
Troubleshooting Tools •Knowledge •SetSPN •Windows 2008 ADUC or ADSIEdit •Windows Security Logs and IIS Logs •Klist •Netmon/Wireshark and Fiddler •IIS7 Failed Request Tracing •Kerberos Logging •Event Logging and/or Debug Logs
Why So Many Stupid Settings?
Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
For all of 2007 Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
FBA Kerberos
Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
For 2010 & 2013 • Uses Protocol Transition (Domain limited) (Constrained Only) • Excel Services • Visio Services • PerformancePoint • InfoPath Form Services • Does NOT Use Protocol Transition (Forest limited) (Unconstrained or Constrained) • SQL Reporting Services • BCS • Access Services • Project Server • Doesn’t usually require Kerberos • PowerPivot for SharePoint Server
Q&A http://wadingthrough.com/presentations
References •Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10 /20/512.aspx •What Is Kerberos Authentication? http://technet.microsoft.com/en- us/library/cc780469%28WS.10%29.aspx •How the Kerberos Version 5 Authentication Protocol Works http://technet.microsoft.com/en- us/library/cc772815%28WS.10%29.aspx •Explained: Windows Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647076.aspx
References •Kerberos Authentication Tools and Settings http://technet.microsoft.com/en- us/library/cc738673%28WS.10%29.aspx •How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649317.aspx •Spence Harbar’s Blog http://www.harbar.net
Housekeeping • Follow SharePoint Saturday Ozarks on Twitter @SPSOzarks hashtag #SPSOzarks • Stop by and thank our sponsors for making this event possible! • Fill out and turn in evaluation forms to be eligible for the end-of- day raffle. You must be present to win. • Don’t miss “This Modern Station” tonight at Waxy O’Shea’s! 38 | SharePoint Saturday St. Louis 2012
Thanks to Our Sponsors! Platinum
Thanks to Our Sponsors!
The End http://wadingthrough.com/presentations
Appendix
•Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT. •Authentication is the process of proving your identity to a remote system. • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity. •User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded. •Service password is encrypted as the service key. •KDCs are found through a DNS query. Service registered in DNS by DCs.
•Showing detail behind what is happening inside of KDC but for day-to-day, use can just remember KDC •Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted •This is a Windows-centric Kerberos presentation •Load balanced solutions need service account •All web applications hosted using the same SPN have to be hosted with the same account •Use A records, not CNAME records
•Terms •Key Distribution Center (KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs. •KDC security account database – In Windows, it is Active Directory •Authorization Service (AS) – part of the KDC •Ticket Granting Service (TGS) – part of the KDC •Ticket Granting Ticket (TGT) - A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter password each time a ticket is requested.
Tickets •Ticket Granting Ticket (TGT) •A user's initial ticket from the authentication service •Used to request service tickets •Meant only for use by the ticket-granting service. •Service ticket for the KDC (service class = krbtgt) •Service Ticket •Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
Tools •Knowledge •SetSPN •Windows Security Logs •Windows 2008 ADUC or ADSIEdit •Kerbtray or Klist •Netmon and Fiddler •IIS Logs and IIS7 Failed Request Tracing •LDP •Kerberos Logging •Event Logging and/or Debug Logs
•Troubleshooting • Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re- entered. • Remember that authenticators contain the current time. Check for time sync issues.
•Common Issues • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • Times are out of sync • Client TGT expired (7 days) • IE and non-default ports
•Request TGT (Remember there is even more complexity) 1. User (client) logs into workstation entering their password. 2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator. 3. Client sends these three items to the KDC. 4. KDC get user’s password from AD, decrypts time and verifies it is valid. 5. AS generates a logon session key and encrypts with the user’s password. AS generates a service ticket which contains a logon session key and the user’s KPN encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
•Request TGT (Remember there is even more complexity) 6. KDC sends both to the client. 7. Client decrypts logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
•Access Service (Remember there is even more complexity) 1. User (client) encrypts the current time using the logon session key in cache creating an authenticator and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS. 2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirms the time is valid. 3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses server session key to generate service ticket and encrypts it using service’s password. 4. TGS sends service session key and the service ticket to the client.
•Access Service (Remember there is even more complexity) 5. Client decrypts service session key using cached logon session key, adds current time (as well as other items), and encrypts with the service session key to create an authenticator. 6. Client sends ticket and authenticator to remote server which runs service. 7. Service decrypts service ticket accessing the server session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated 8. (Optional) If client requests mutual authentication, service encrypts current time using the service session key creating an authenticator and sends to the client. 9. Clients decrypts authenticator and validates time.
Troubleshooting Tools • Patience – Test methodically and • Knowledge - Know your Forests, Domains, Trusts, Functional Levels…get a basic lay of the land. • Always test from a different machine than the web server or domain controller! • SetSPN • Windows Security Logs • Windows 2008 ADUC • Kerbtray • Netmon and Fiddler • IIS Logs and IIS7 Failed Request Tracing • Kerberos Logging • Event Logging and/or Debug Logs
Common Issues that break Kerberos • Times are out of sync – authenticators contain current time • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383) • IIS 7 – remember Kernel mode authentication and check settings • Client TGT expired (7 days expiration – have user logon and logoff, no reboot required) • IE and non-default ports

More Related Content

PPTX
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
PPTX
Kerberos survival guide-STL 2015
byJ.D. Wade
 
PDF
Kerberos Survival Guide - St. Louis Day of .Net
byJ.D. Wade
 
PPTX
Kerberos survival guide SPS Kansas City
byJ.D. Wade
 
PPTX
Kerberos Survival Guide SPS Chicago
byJ.D. Wade
 
PPTX
Rakesh raj
byDBNCOET
 
PPTX
Kerberos and its application in cross realm operations
byArunangshu Bhakta
 
PDF
Cued click point image based kerberos authentication protocol
byIAEME Publication
 
Kerberos Survival Guide: Columbus 2015
byJ.D. Wade
 
Kerberos survival guide-STL 2015
byJ.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
byJ.D. Wade
 
Kerberos survival guide SPS Kansas City
byJ.D. Wade
 
Kerberos Survival Guide SPS Chicago
byJ.D. Wade
 
Rakesh raj
byDBNCOET
 
Kerberos and its application in cross realm operations
byArunangshu Bhakta
 
Cued click point image based kerberos authentication protocol
byIAEME Publication
 

What's hot

PPTX
Kerberos
bySutanu Paul
 
PPTX
kerberos
bysameer farooq
 
PDF
Kerberos
bySparkbit
 
PPTX
Kerberos
byRafatSamreen
 
PPTX
Kerberos authentication
bySuraj Singh
 
RTF
Kerberos case study
byMayuri Patil
 
PDF
Kerberos presentation
byChris Geier
 
PPTX
Kerberos
byRahul Pundir
 
PPTX
Kerberos Authentication Protocol
byBibek Subedi
 
PPTX
Kerberos : An Authentication Application
byVidulatiwari
 
PDF
An Introduction to Kerberos
byShumon Huque
 
PPT
Ch15
byraja yasodhar
 
PPTX
Kerberos ppt
byOECLIB Odisha Electronics Control Library
 
PPT
SSO with kerberos
byClaudia Rosu
 
PPTX
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
PPTX
SharePoint Saturday Kansas City - Kerberos Survival Guide
byJ.D. Wade
 
PPTX
Kerberos survival guide - SPS Ozarks 2010
byJ.D. Wade
 
PPT
Using Kerberos
byanusachu .
 
PPTX
Kerberos
byAJINKYA PATIL
 
Kerberos
bySutanu Paul
 
kerberos
bysameer farooq
 
Kerberos
bySparkbit
 
Kerberos
byRafatSamreen
 
Kerberos authentication
bySuraj Singh
 
Kerberos case study
byMayuri Patil
 
Kerberos presentation
byChris Geier
 
Kerberos
byRahul Pundir
 
Kerberos Authentication Protocol
byBibek Subedi
 
Kerberos : An Authentication Application
byVidulatiwari
 
An Introduction to Kerberos
byShumon Huque
 
Ch15
byraja yasodhar
 
Kerberos ppt
byOECLIB Odisha Electronics Control Library
 
SSO with kerberos
byClaudia Rosu
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
byJ.D. Wade
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
byJ.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
byJ.D. Wade
 
Using Kerberos
byanusachu .
 
Kerberos
byAJINKYA PATIL
 

Similar to SPS Ozarks 2012: Kerberos Survival Guide

PPTX
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
PDF
Kerberos survival guide
byJ.D. Wade
 
PPTX
Information and network application and security 5.pptx
byHarshitkumar234696
 
PPTX
ins and network security with virtual unit 5.pptx
byHarshitkumar234696
 
PDF
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
PDF
Null talk
byAgam Jain
 
PPTX
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
PDF
In the Wake of Kerberoast
byken_kitahara
 
PPTX
All about Kerberos In Microsoft BI
byPARIKSHIT SAVJANI
 
PPTX
1. Kerberos is an auth protocol llllllllllllllllllllll
byMrVMNair
 
PPT
Kerberos
bySou Jana
 
PPT
Kerberos
byPrafull Johri
 
PPT
Gunaspresentation1
byanchalaguna
 
PDF
Kerberos Security in Distributed Systems
byIRJET Journal
 
PDF
Technet.microsoft.com
byKurt Kort
 
PDF
Presentation of Kerberos as per ECE scheme
byDeepanshuMidha5140
 
PDF
How to Secure Your Network with Kerberos Authentication | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
How to Secure Your Network with Kerberos Authentication | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PPT
Kerberos (1)
byAna Salas Elizondo
 
PPT
Kerberos: The Four Letter Word
byKenneth Maglio
 
Kerberos Survival Guide: SharePointalooza
byJ.D. Wade
 
Kerberos survival guide
byJ.D. Wade
 
Information and network application and security 5.pptx
byHarshitkumar234696
 
ins and network security with virtual unit 5.pptx
byHarshitkumar234696
 
Deep Dive In To Kerberos
byIshan A B Ambanwela
 
Null talk
byAgam Jain
 
[HUN][Hackersuli] Tickets Please - Kerberos
byhackersuli
 
In the Wake of Kerberoast
byken_kitahara
 
All about Kerberos In Microsoft BI
byPARIKSHIT SAVJANI
 
1. Kerberos is an auth protocol llllllllllllllllllllll
byMrVMNair
 
Kerberos
bySou Jana
 
Kerberos
byPrafull Johri
 
Gunaspresentation1
byanchalaguna
 
Kerberos Security in Distributed Systems
byIRJET Journal
 
Technet.microsoft.com
byKurt Kort
 
Presentation of Kerberos as per ECE scheme
byDeepanshuMidha5140
 
How to Secure Your Network with Kerberos Authentication | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
How to Secure Your Network with Kerberos Authentication | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
Kerberos (1)
byAna Salas Elizondo
 
Kerberos: The Four Letter Word
byKenneth Maglio
 

More from J.D. Wade

PPTX
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
byJ.D. Wade
 
PPTX
What SQL DBA's need to know about SharePoint
byJ.D. Wade
 
PPTX
What SharePoint Admins need to know about SQL-Cinncinati
byJ.D. Wade
 
PPTX
Internet And Facebook Safety
byJ.D. Wade
 
PPTX
Cloud Security Fundamentals - St. Louis O365 Users Group
byJ.D. Wade
 
PPTX
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
byJ.D. Wade
 
PPTX
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
byJ.D. Wade
 
PPTX
What SQL DBAs need to know about SharePoint
byJ.D. Wade
 
PPTX
What SQL DBAs need to know about SharePoint-Indianapolis 2013
byJ.D. Wade
 
PPTX
SPS Kansas City: What SharePoint Admin need to know about SQL
byJ.D. Wade
 
PPTX
Connected at the hip for MS BI: SharePoint and SQL
byJ.D. Wade
 
PPTX
SharePoint 2010 IT Pro Overview
byJ.D. Wade
 
PPTX
What SQL DBA's need to know about SharePoint-St. Louis 2013
byJ.D. Wade
 
PPT
SharePoint 2010: Business Insights
byJ.D. Wade
 
PPT
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
byJ.D. Wade
 
PPT
SharePoint 2010: Insights into BI
byJ.D. Wade
 
PPT
SharePoint 2010: Insights into BI
byJ.D. Wade
 
PPT
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
byJ.D. Wade
 
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
byJ.D. Wade
 
What SQL DBA's need to know about SharePoint
byJ.D. Wade
 
What SharePoint Admins need to know about SQL-Cinncinati
byJ.D. Wade
 
Internet And Facebook Safety
byJ.D. Wade
 
Cloud Security Fundamentals - St. Louis O365 Users Group
byJ.D. Wade
 
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
byJ.D. Wade
 
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
byJ.D. Wade
 
What SQL DBAs need to know about SharePoint
byJ.D. Wade
 
What SQL DBAs need to know about SharePoint-Indianapolis 2013
byJ.D. Wade
 
SPS Kansas City: What SharePoint Admin need to know about SQL
byJ.D. Wade
 
Connected at the hip for MS BI: SharePoint and SQL
byJ.D. Wade
 
SharePoint 2010 IT Pro Overview
byJ.D. Wade
 
What SQL DBA's need to know about SharePoint-St. Louis 2013
byJ.D. Wade
 
SharePoint 2010: Business Insights
byJ.D. Wade
 
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
byJ.D. Wade
 
SharePoint 2010: Insights into BI
byJ.D. Wade
 
SharePoint 2010: Insights into BI
byJ.D. Wade
 
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
byJ.D. Wade
 

Recently uploaded

PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
The year in review - MarvelClient in 2025
bypanagenda
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 

SPS Ozarks 2012: Kerberos Survival Guide

  • 1.
    Kerberos Survival Guide Presentedby: JD Wade, Senior SharePoint Consultant MCTS & MCITP: SharePoint 2010, Configuring Mail: jd.wade@hrizns.com Blog: http://wadingthrough.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade Horizons Consulting, Inc. http://www.hrizns.com
  • 2.
    Agenda •Overview •Logon Process •Accessing aWeb Site •Miscellaneous Information •The Really Complicated Stuff
  • 3.
    Kerberos Massachusetts Institute of Technology
  • 4.
    Details Out ofScope •Renewing tickets •Ticket expiration •Keys •Authenticator •TGT Structure •Service Ticket Structure •Encryption/Decryption •Multiple domains/forests
  • 6.
  • 8.
    Service Principal Name ServiceClass Host Name Port HTTP/website:80
  • 9.
    Service Classes allowedby host alerter clipsrv dnscache http msiserver netman policyagent rpc scardsvr scm time wins appmgmt dcom eventlog ias mcsvc nmagent protectedstorage rpclocator scesrv seclogon trksvr www browser dhcp eventsystem iisad netdde oakley rasman rpcss Schedule snmp trkwks fax cifs dmserver plugplay min netddedsm remoteaccess rsvp spooler ups cisvc dns messenger netlogon replicator samss Tapisrv w3svc
  • 10.
    Kerberos •Benefits •Delegated Authentication •Interoperability •More Efficient Authentication •Mutual Authentication •Reasons to Use •Need Auditing at the Data Sources •Data Sources contain Row Level Security •Otherwise, DO NOT USE IT!
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 20.
  • 21.
    Kerberos •IIS – Chattyby default (make sure you do this!) •IIS6 – See MS KB 917557 •IIS7 – See MS KB 954873
  • 22.
    <system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useAppPoolCredentials="true" /> </authentication> </security> </system.webServer>
  • 24.
    Troubleshooting Tools •Knowledge •SetSPN •Windows 2008ADUC or ADSIEdit •Windows Security Logs and IIS Logs •Klist •Netmon/Wireshark and Fiddler •IIS7 Failed Request Tracing •Kerberos Logging •Event Logging and/or Debug Logs
  • 25.
  • 28.
    Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
  • 29.
    For all of2007 Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
  • 30.
    Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
  • 31.
    FBA Kerberos
  • 32.
    Web Srv1 Srv2 Srv3 Srv4 Datamart Cubes
  • 34.
    For 2010 &2013 • Uses Protocol Transition (Domain limited) (Constrained Only) • Excel Services • Visio Services • PerformancePoint • InfoPath Form Services • Does NOT Use Protocol Transition (Forest limited) (Unconstrained or Constrained) • SQL Reporting Services • BCS • Access Services • Project Server • Doesn’t usually require Kerberos • PowerPivot for SharePoint Server
  • 35.
  • 36.
    References •Ken Schaefer’s Multi-PartKerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10 /20/512.aspx •What Is Kerberos Authentication? http://technet.microsoft.com/en- us/library/cc780469%28WS.10%29.aspx •How the Kerberos Version 5 Authentication Protocol Works http://technet.microsoft.com/en- us/library/cc772815%28WS.10%29.aspx •Explained: Windows Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647076.aspx
  • 37.
    References •Kerberos Authentication Toolsand Settings http://technet.microsoft.com/en- us/library/cc738673%28WS.10%29.aspx •How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649317.aspx •Spence Harbar’s Blog http://www.harbar.net
  • 38.
    Housekeeping • Follow SharePointSaturday Ozarks on Twitter @SPSOzarks hashtag #SPSOzarks • Stop by and thank our sponsors for making this event possible! • Fill out and turn in evaluation forms to be eligible for the end-of- day raffle. You must be present to win. • Don’t miss “This Modern Station” tonight at Waxy O’Shea’s! 38 | SharePoint Saturday St. Louis 2012
  • 39.
    Thanks to Our Sponsors! Platinum
  • 40.
    Thanks to Our Sponsors!
  • 41.
  • 42.
  • 43.
    •Kerberos is anopen authentication protocol. Kerberos v5 was invented in 1993 at MIT. •Authentication is the process of proving your identity to a remote system. • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity. •User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded. •Service password is encrypted as the service key. •KDCs are found through a DNS query. Service registered in DNS by DCs.
  • 44.
    •Showing detail behindwhat is happening inside of KDC but for day-to-day, use can just remember KDC •Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted •This is a Windows-centric Kerberos presentation •Load balanced solutions need service account •All web applications hosted using the same SPN have to be hosted with the same account •Use A records, not CNAME records
  • 45.
    •Terms •Key Distribution Center(KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs. •KDC security account database – In Windows, it is Active Directory •Authorization Service (AS) – part of the KDC •Ticket Granting Service (TGS) – part of the KDC •Ticket Granting Ticket (TGT) - A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter password each time a ticket is requested.
  • 46.
    Tickets •Ticket Granting Ticket(TGT) •A user's initial ticket from the authentication service •Used to request service tickets •Meant only for use by the ticket-granting service. •Service ticket for the KDC (service class = krbtgt) •Service Ticket •Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
  • 47.
    Tools •Knowledge •SetSPN •Windows Security Logs •Windows2008 ADUC or ADSIEdit •Kerbtray or Klist •Netmon and Fiddler •IIS Logs and IIS7 Failed Request Tracing •LDP •Kerberos Logging •Event Logging and/or Debug Logs
  • 48.
    •Troubleshooting • Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re- entered. • Remember that authenticators contain the current time. Check for time sync issues.
  • 49.
    •Common Issues • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • Times are out of sync • Client TGT expired (7 days) • IE and non-default ports
  • 50.
    •Request TGT (Rememberthere is even more complexity) 1. User (client) logs into workstation entering their password. 2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator. 3. Client sends these three items to the KDC. 4. KDC get user’s password from AD, decrypts time and verifies it is valid. 5. AS generates a logon session key and encrypts with the user’s password. AS generates a service ticket which contains a logon session key and the user’s KPN encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
  • 51.
    •Request TGT (Rememberthere is even more complexity) 6. KDC sends both to the client. 7. Client decrypts logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
  • 52.
    •Access Service (Rememberthere is even more complexity) 1. User (client) encrypts the current time using the logon session key in cache creating an authenticator and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS. 2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirms the time is valid. 3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses server session key to generate service ticket and encrypts it using service’s password. 4. TGS sends service session key and the service ticket to the client.
  • 53.
    •Access Service (Rememberthere is even more complexity) 5. Client decrypts service session key using cached logon session key, adds current time (as well as other items), and encrypts with the service session key to create an authenticator. 6. Client sends ticket and authenticator to remote server which runs service. 7. Service decrypts service ticket accessing the server session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated 8. (Optional) If client requests mutual authentication, service encrypts current time using the service session key creating an authenticator and sends to the client. 9. Clients decrypts authenticator and validates time.
  • 54.
    Troubleshooting Tools • Patience– Test methodically and • Knowledge - Know your Forests, Domains, Trusts, Functional Levels…get a basic lay of the land. • Always test from a different machine than the web server or domain controller! • SetSPN • Windows Security Logs • Windows 2008 ADUC • Kerbtray • Netmon and Fiddler • IIS Logs and IIS7 Failed Request Tracing • Kerberos Logging • Event Logging and/or Debug Logs
  • 55.
    Common Issues thatbreak Kerberos • Times are out of sync – authenticators contain current time • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383) • IIS 7 – remember Kernel mode authentication and check settings • Client TGT expired (7 days expiration – have user logon and logoff, no reboot required) • IE and non-default ports