SlideShare ist ein Scribd-Unternehmen logo

Kerberos survival guide

J.D. Wade
J.D. Wade
1 von 47
Downloaden Sie, um offline zu lesen
Kerberos Survival Guide Presented by: JD Wade, SharePoint Consultant, MCITP Mail: jd.wade@hrizns.com Blog: http://wadingthrough.wordpress.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade
Who is JD Wade? • SharePoint Consultant since 2007 • Certified KnowledgeLake Partner • With Horizons since 2005 • Member of SharePoint 2007 and 2010 TAP • Over 10 years of IT experience • Technical Editor for book SharePoint 2010 Disaster Recovery http://tinyurl.com/SPDRBook2010 • Loves anything related to sound • Probably has one of the driest senses of humor in the room
Welcome to SharePoint Saturday – Columbus, OH Thank you for being a part of the First SharePoint Saturday in Columbus! • Please turn off all electronic devices or set them to vibrate. • If you must take a phone call, please do so in the hall so as not to disturb others. • Open wireless access is available • Feel free to “tweet and blog” during the session • Thanks to our Platinum Sponsors: HashTag: #SPSColumbus
Agenda •Overview •Logon Process •Accessing a Web Site •Troubleshooting •Kerberos Demos •Delegation and Demos
Kerberos Massachusetts Institute of Technology
Details Out of Scope •Renewing tickets •Ticket expiration •Keys •Authenticator •TGT Structure •Service Ticket Structure •Encryption/Decryption •Multiple domains/forests
Dependencies
Service Principal Name Service Class Host Name Port
Service Classes allowed by host alerter clipsrv dnscache http msiserver netman policyagent rpc scardsvr scm time wins appmgmt dcom eventlog ias mcsvc nmagent protectedstorage rpclocator scesrv seclogon trksvr www browser dhcp eventsystem iisad netdde oakley rasman rpcss Schedule snmp trkwks fax cifs dmserver plugplay min netddedsm remoteaccess rsvp spooler ups cisvc dns messenger netlogon replicator samss Tapisrv w3svc
Kerberos •Benefits •Delegated Authentication •Interoperability •More Efficient Authentication •Mutual Authentication
Logon Process
KDC
KDC
KDC SPN
KDC
Access Web Site
401
SPN
<system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useAppPoolCredentials="true" /> </authentication> </security> </system.webServer>
Troubleshooting
Demos
Delegation
FBA Kerberos
References •Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10 /20/512.aspx •What Is Kerberos Authentication? http://technet.microsoft.com/en- us/library/cc780469%28WS.10%29.aspx •How the Kerberos Version 5 Authentication Protocol Works http://technet.microsoft.com/en- us/library/cc772815%28WS.10%29.aspx •Explained: Windows Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647076.aspx
References •Kerberos Authentication Tools and Settings http://technet.microsoft.com/en- us/library/cc738673%28WS.10%29.aspx •How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649317.aspx •Spence Harbar’s Blog http://www.harbar.net
Session Evaluation • Please complete and turn in your Session Evaluation Form so we can improve future events. • Presenter: – xxxxxxxxxxxxxxxxxxx • Session Name: – xxxxxxxxxxxxxxxxxxx HashTag: #SPSColumbus
Ongoing Activities • Remember to visit the Exhibit Hall – Visit Sponsor booths to be eligible for raffle prizes at the closing session! • Stop by the community table to find out about local activities and events in your area. • Make sure you stick around for the closing session to turn in your evaluation forms to be eligible for the raffles HashTag: #SPSColumbus
Thanks to our Sponsors HashTag: #SPSColumbus
Q&A
Appendix
•Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT. •Authentication is the process of proving your identity to a remote system. • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity. •User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded. •Service password is encrypted as the service key. •KDCs are found through a DNS query. Service registered in DNS by DCs.
•Showing detail behind what is happening inside of KDC but for day-to-day, use can just remember KDC •Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted •This is a Windows-centric Kerberos presentation •Load balanced solutions need service account •All web applications hosted using the same SPN have to be hosted with the same account •Use A records, not CNAME records
•Terms •Key Distribution Center (KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs. •KDC security account database – In Windows, it is Active Directory •Authorization Service (AS) – part of the KDC •Ticket Granting Service (TGS) – part of the KDC •Ticket Granting Ticket (TGT) - A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter password each time a ticket is requested.
Tickets •Ticket Granting Ticket (TGT) •A user's initial ticket from the authentication service •Used to request service tickets •Meant only for use by the ticket-granting service. •Service ticket for the KDC (service class = krbtgt) •Service Ticket •Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
Tools •Knowledge •SetSPN •Windows Security Logs •Windows 2008 ADUC or ADSIEdit •Kerbtray or Klist •Netmon and Fiddler •IIS Logs and IIS7 Failed Request Tracing •LDP •Kerberos Logging •Event Logging and/or Debug Logs
•Troubleshooting • Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re- entered. • Remember that authenticators contain the current time. Check for time sync issues.
•Common Issues • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • Times are out of sync • Client TGT expired (7 days) • IE and non-default ports
•Request TGT (Remember there is even more complexity) 1. User (client) logs into workstation entering their password. 2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator. 3. Client sends these three items to the KDC. 4. KDC get user’s password from AD, decrypts time and verifies it is valid. 5. AS generates a logon session key and encrypts with the user’s password. AS generates a service ticket which contains a logon session key and the user’s KPN encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
•Request TGT (Remember there is even more complexity) 6. KDC sends both to the client. 7. Client decrypts logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
•Access Service (Remember there is even more complexity) 1. User (client) encrypts the current time using the logon session key in cache creating an authenticator and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS. 2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirms the time is valid. 3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses server session key to generate service ticket and encrypts it using service’s password. 4. TGS sends service session key and the service ticket to the client.
•Access Service (Remember there is even more complexity) 5. Client decrypts service session key using cached logon session key, adds current time (as well as other items), and encrypts with the service session key to create an authenticator. 6. Client sends ticket and authenticator to remote server which runs service. 7. Service decrypts service ticket accessing the server session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated 8. (Optional) If client requests mutual authentication, service encrypts current time using the service session key creating an authenticator and sends to the client. 9. Clients decrypts authenticator and validates time.

Empfohlen

Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival GuideSharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival Guide
J.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010
J.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas City
J.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
J.D. Wade
 

Empfohlen

Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival GuideSharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival Guide
J.D. Wade
 
Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010Kerberos survival guide - SPS Ozarks 2010
Kerberos survival guide - SPS Ozarks 2010
J.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Kerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas CityKerberos survival guide SPS Kansas City
Kerberos survival guide SPS Kansas City
J.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
J.D. Wade
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Kerberos
KerberosKerberos
Kerberos
Dmytro Andriychenko
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
Chris Geier
 
Kerberos
KerberosKerberos
Kerberos
Sparkbit
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
MongoDB
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
Claudia Rosu
 
Kerberos
KerberosKerberos
Kerberos
AJINKYA PATIL
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Peter Selch Dahl
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 
SCWCD : Session management : CHAP : 6
SCWCD : Session management : CHAP : 6SCWCD : Session management : CHAP : 6
SCWCD : Session management : CHAP : 6
Ben Abdallah Helmi
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB Implementation
MongoDB
 
Kerberos
KerberosKerberos
Kerberos
Sudeep Shouche
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
Mayuri Patil
 
Kerberos
KerberosKerberos
Kerberos
Rahul Pundir
 
Using Kerberos
Using KerberosUsing Kerberos
Using Kerberos
anusachu .
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregation
Andrew Siemer
 
Kerberos ppt
Kerberos pptKerberos ppt
Kerberos ppt
OECLIB Odisha Electronics Control Library
 
Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)
Globus
 
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsSharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
J.D. Wade
 
SPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQLSPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQL
J.D. Wade
 

Weitere ähnliche Inhalte

Was ist angesagt?

SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
Chris Geier
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
Bibek Subedi
 

Was ist angesagt? (20)

SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
Kerberos
KerberosKerberos
Kerberos
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
Kerberos
KerberosKerberos
Kerberos
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
 
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSOColabora.dk - Azure PTA vs ADFS vs Desktop SSO
Colabora.dk - Azure PTA vs ADFS vs Desktop SSO
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
 
SCWCD : Session management : CHAP : 6
SCWCD : Session management : CHAP : 6SCWCD : Session management : CHAP : 6
SCWCD : Session management : CHAP : 6
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB Implementation
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos case study
Kerberos case studyKerberos case study
Kerberos case study
 
Kerberos
KerberosKerberos
Kerberos
 
Using Kerberos
Using KerberosUsing Kerberos
Using Kerberos
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregation
 
Kerberos ppt
Kerberos pptKerberos ppt
Kerberos ppt
 
Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)Building Research Data Portals (GlobusWorld Tour - UMich)
Building Research Data Portals (GlobusWorld Tour - UMich)
 

Andere mochten auch

SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsSharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
J.D. Wade
 
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the FieldHorizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
J.D. Wade
 
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
J.D. Wade
 
What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013
J.D. Wade
 

Andere mochten auch (8)

SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little SecretsSharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
SharePoint Saturday Kansas City - SharePoint 2013's Dirty Little Secrets
 
SPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQLSPS Kansas City: What SharePoint Admin need to know about SQL
SPS Kansas City: What SharePoint Admin need to know about SQL
 
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the FieldHorizons' Event: SharePoint 2013 upgrades-Notes from the Field
Horizons' Event: SharePoint 2013 upgrades-Notes from the Field
 
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
What SQL DBAs need to know about SharePoint-Kansas City, Sept 2013
 
SharePoint 2010: Business Insights
SharePoint 2010: Business InsightsSharePoint 2010: Business Insights
SharePoint 2010: Business Insights
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BI
 
What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013What SQL DBAs need to know about SharePoint-Indianapolis 2013
What SQL DBAs need to know about SharePoint-Indianapolis 2013
 
What SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-CinncinatiWhat SharePoint Admins need to know about SQL-Cinncinati
What SharePoint Admins need to know about SQL-Cinncinati
 

Ähnlich wie Kerberos survival guide

Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
anchalaguna
 

Ähnlich wie Kerberos survival guide (20)

Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Deep Dive In To Kerberos
Deep Dive In To KerberosDeep Dive In To Kerberos
Deep Dive In To Kerberos
 
Null talk
Null talkNull talk
Null talk
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
 
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
Kerberos Authentication and SSO (Single Sign On) mechanism by Siavash Golchoo...
 
Microservices Security landscape
Microservices Security landscapeMicroservices Security landscape
Microservices Security landscape
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Hyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep DiveHyperleger Composer Architecure Deep Dive
Hyperleger Composer Architecure Deep Dive
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobility
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
 
Kerberos
KerberosKerberos
Kerberos
 
kerb.ppt
kerb.pptkerb.ppt
kerb.ppt
 
Powering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon WorkspacesPowering Remote Developers with Amazon Workspaces
Powering Remote Developers with Amazon Workspaces
 
Kerberos Security in Distributed Systems
Kerberos Security in Distributed SystemsKerberos Security in Distributed Systems
Kerberos Security in Distributed Systems
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
Kerberos authentication
Kerberos authenticationKerberos authentication
Kerberos authentication
 

Mehr von J.D. Wade

SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the FieldSPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
J.D. Wade
 
What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013
J.D. Wade
 
What SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePointWhat SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePoint
J.D. Wade
 

Mehr von J.D. Wade (10)

Cloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users GroupCloud Security Fundamentals - St. Louis O365 Users Group
Cloud Security Fundamentals - St. Louis O365 Users Group
 
Connected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQLConnected at the hip for MS BI: SharePoint and SQL
Connected at the hip for MS BI: SharePoint and SQL
 
What SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePointWhat SQL DBA's need to know about SharePoint
What SQL DBA's need to know about SharePoint
 
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
SharePoint Saturday St. Louis 2014: What SharePoint Admins need to know about...
 
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the FieldSPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
SPS St. Louis: SharePoint 2013 upgrades: Notes from the Field
 
What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013What SQL DBA's need to know about SharePoint-St. Louis 2013
What SQL DBA's need to know about SharePoint-St. Louis 2013
 
What SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePointWhat SQL DBAs need to know about SharePoint
What SQL DBAs need to know about SharePoint
 
SharePoint 2010: Insights into BI
SharePoint 2010: Insights into BISharePoint 2010: Insights into BI
SharePoint 2010: Insights into BI
 
SharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro OverviewSharePoint 2010 IT Pro Overview
SharePoint 2010 IT Pro Overview
 
Internet And Facebook Safety
Internet And Facebook SafetyInternet And Facebook Safety
Internet And Facebook Safety
 

Kerberos survival guide

  • 1. Kerberos Survival Guide Presented by: JD Wade, SharePoint Consultant, MCITP Mail: jd.wade@hrizns.com Blog: http://wadingthrough.wordpress.com LinkedIn: JD Wade Twitter: http://twitter.com/JDWade
  • 2. Who is JD Wade? • SharePoint Consultant since 2007 • Certified KnowledgeLake Partner • With Horizons since 2005 • Member of SharePoint 2007 and 2010 TAP • Over 10 years of IT experience • Technical Editor for book SharePoint 2010 Disaster Recovery http://tinyurl.com/SPDRBook2010 • Loves anything related to sound • Probably has one of the driest senses of humor in the room
  • 3. Welcome to SharePoint Saturday – Columbus, OH Thank you for being a part of the First SharePoint Saturday in Columbus! • Please turn off all electronic devices or set them to vibrate. • If you must take a phone call, please do so in the hall so as not to disturb others. • Open wireless access is available • Feel free to “tweet and blog” during the session • Thanks to our Platinum Sponsors: HashTag: #SPSColumbus
  • 4. Agenda •Overview •Logon Process •Accessing a Web Site •Troubleshooting •Kerberos Demos •Delegation and Demos
  • 5. Kerberos Massachusetts Institute of Technology
  • 6. Details Out of Scope •Renewing tickets •Ticket expiration •Keys •Authenticator •TGT Structure •Service Ticket Structure •Encryption/Decryption •Multiple domains/forests
  • 7.
  • 9.
  • 10. Service Principal Name Service Class Host Name Port
  • 11. Service Classes allowed by host alerter clipsrv dnscache http msiserver netman policyagent rpc scardsvr scm time wins appmgmt dcom eventlog ias mcsvc nmagent protectedstorage rpclocator scesrv seclogon trksvr www browser dhcp eventsystem iisad netdde oakley rasman rpcss Schedule snmp trkwks fax cifs dmserver plugplay min netddedsm remoteaccess rsvp spooler ups cisvc dns messenger netlogon replicator samss Tapisrv w3svc
  • 12. Kerberos •Benefits •Delegated Authentication •Interoperability •More Efficient Authentication •Mutual Authentication
  • 14. KDC
  • 15. KDC
  • 17. KDC
  • 19. 401
  • 20. SPN
  • 21.
  • 22. <system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useAppPoolCredentials="true" /> </authentication> </security> </system.webServer>
  • 23.
  • 25.
  • 26. Demos
  • 28.
  • 29. FBA Kerberos
  • 30. References •Ken Schaefer’s Multi-Part Kerberos Blog Posts: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10 /20/512.aspx •What Is Kerberos Authentication? http://technet.microsoft.com/en- us/library/cc780469%28WS.10%29.aspx •How the Kerberos Version 5 Authentication Protocol Works http://technet.microsoft.com/en- us/library/cc772815%28WS.10%29.aspx •Explained: Windows Authentication in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff647076.aspx
  • 31. References •Kerberos Authentication Tools and Settings http://technet.microsoft.com/en- us/library/cc738673%28WS.10%29.aspx •How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0 http://msdn.microsoft.com/en-us/library/ff649317.aspx •Spence Harbar’s Blog http://www.harbar.net
  • 32. Session Evaluation • Please complete and turn in your Session Evaluation Form so we can improve future events. • Presenter: – xxxxxxxxxxxxxxxxxxx • Session Name: – xxxxxxxxxxxxxxxxxxx HashTag: #SPSColumbus
  • 33. Ongoing Activities • Remember to visit the Exhibit Hall – Visit Sponsor booths to be eligible for raffle prizes at the closing session! • Stop by the community table to find out about local activities and events in your area. • Make sure you stick around for the closing session to turn in your evaluation forms to be eligible for the raffles HashTag: #SPSColumbus
  • 34. Thanks to our Sponsors HashTag: #SPSColumbus
  • 35. Q&A
  • 37. •Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT. •Authentication is the process of proving your identity to a remote system. • Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity. •User password is encrypted as the user key. User key is stored in credentials cache. Once the logon session key is received, the user key is discarded. •Service password is encrypted as the service key. •KDCs are found through a DNS query. Service registered in DNS by DCs.
  • 38. •Showing detail behind what is happening inside of KDC but for day-to-day, use can just remember KDC •Another reason for simplification: encryption upon encryption upon encryption…just remember it is encrypted •This is a Windows-centric Kerberos presentation •Load balanced solutions need service account •All web applications hosted using the same SPN have to be hosted with the same account •Use A records, not CNAME records
  • 39. •Terms •Key Distribution Center (KDC) – In Windows AD, KDC lives on domain controllers (DC), KDCs share a long term key across all DCs. •KDC security account database – In Windows, it is Active Directory •Authorization Service (AS) – part of the KDC •Ticket Granting Service (TGS) – part of the KDC •Ticket Granting Ticket (TGT) - A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter password each time a ticket is requested.
  • 40. Tickets •Ticket Granting Ticket (TGT) •A user's initial ticket from the authentication service •Used to request service tickets •Meant only for use by the ticket-granting service. •Service ticket for the KDC (service class = krbtgt) •Service Ticket •Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.
  • 41. Tools •Knowledge •SetSPN •Windows Security Logs •Windows 2008 ADUC or ADSIEdit •Kerbtray or Klist •Netmon and Fiddler •IIS Logs and IIS7 Failed Request Tracing •LDP •Kerberos Logging •Event Logging and/or Debug Logs
  • 42. •Troubleshooting • Have user logon and logoff if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), then password has to be re- entered. • Remember that authenticators contain the current time. Check for time sync issues.
  • 43. •Common Issues • Missing SPN • Duplicate SPN • SPN assigned to wrong service account • Times are out of sync • Client TGT expired (7 days) • IE and non-default ports
  • 44. •Request TGT (Remember there is even more complexity) 1. User (client) logs into workstation entering their password. 2. Client builds an authentication service request containing the user’s username (KPN), the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator. 3. Client sends these three items to the KDC. 4. KDC get user’s password from AD, decrypts time and verifies it is valid. 5. AS generates a logon session key and encrypts with the user’s password. AS generates a service ticket which contains a logon session key and the user’s KPN encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).
  • 45. •Request TGT (Remember there is even more complexity) 6. KDC sends both to the client. 7. Client decrypts logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.
  • 46. •Access Service (Remember there is even more complexity) 1. User (client) encrypts the current time using the logon session key in cache creating an authenticator and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS. 2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirms the time is valid. 3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses server session key to generate service ticket and encrypts it using service’s password. 4. TGS sends service session key and the service ticket to the client.
  • 47. •Access Service (Remember there is even more complexity) 5. Client decrypts service session key using cached logon session key, adds current time (as well as other items), and encrypts with the service session key to create an authenticator. 6. Client sends ticket and authenticator to remote server which runs service. 7. Service decrypts service ticket accessing the server session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated 8. (Optional) If client requests mutual authentication, service encrypts current time using the service session key creating an authenticator and sends to the client. 9. Clients decrypts authenticator and validates time.