1. Kerberos Survival Guide
Presented by:
JD Wade, SharePoint Consultant, MCITP
Mail: jd.wade@hrizns.com
Blog: http://wadingthrough.com
LinkedIn: JD Wade
Twitter: http://twitter.com/JDWade

2. Who is JD Wade?
• SharePoint Consultant since 2007
• Certified KnowledgeLake Partner
• With Horizons since 2005
• Member of SharePoint 2007 and 2010 TAP
• Over 10 years of IT experience
• Technical Editor for book SharePoint 2010
Disaster Recovery
http://tinyurl.com/SPDRBook2010
• Loves anything related to sound
• Probably has one of the driest senses of humor in
the room

4. Agenda
•Overview
•Logon Process
•Accessing a Web Site
•Troubleshooting Kerberos Demos
•Delegation and Demos

5. Kerberos
Massachusetts Institute of Technology

6. Details Out of Scope
•Renewing tickets
•Ticket expiration
•Keys
•Authenticator
•TGT Structure
•Service Ticket Structure
•Encryption/Decryption
•Multiple domains/forests

8. Dependencies

10. Service Principal Name
Service Class Host Name Port
HTTP/website:80

11. Service Classes allowed by host
alerter clipsrv dnscache
http msiserver netman
policyagent rpc scardsvr
scm time wins
appmgmt dcom eventlog
ias mcsvc nmagent
protectedstorage rpclocator scesrv
seclogon trksvr www
browser dhcp eventsystem
iisad netdde oakley
rasman rpcss Schedule
snmp trkwks fax
cifs dmserver plugplay
min netddedsm
remoteaccess rsvp
spooler ups
cisvc dns
messenger netlogon
replicator samss
Tapisrv w3svc

12. Kerberos
•Benefits
•Delegated Authentication
•Interoperability
•More Efficient Authentication
•Mutual Authentication

13. Logon Process

14. KDC

15. KDC

16. KDC
SPN

17. KDC

18. Access Web Site

19. 401

20. SPN

22. <system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
</authentication>
</security>
</system.webServer>

24. Troubleshooting
Kerberos Demos

25. Delegation

27. Demo

28. FBA Kerberos

29. Demo

30. References
•Ken Schaefer’s Multi-Part Kerberos Blog Posts:
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10
/20/512.aspx
•What Is Kerberos Authentication?
http://technet.microsoft.com/en-
us/library/cc780469%28WS.10%29.aspx
•How the Kerberos Version 5 Authentication Protocol
Works
http://technet.microsoft.com/en-
us/library/cc772815%28WS.10%29.aspx
•Explained: Windows Authentication in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff647076.aspx

31. References
•Kerberos Authentication Tools and Settings
http://technet.microsoft.com/en-
us/library/cc738673%28WS.10%29.aspx
•How To: Use Protocol Transition and Constrained
Delegation in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff649317.aspx
•Spence Harbar’s Blog
http://www.harbar.net

33. Q&A

34. Appendix

35. •Kerberos is an open authentication protocol. Kerberos v5
was invented in 1993 at MIT.
•Authentication is the process of proving your identity to a
remote system.
• Your identity is who you are, and authentication is
the process of proving that. In many systems your
identity is your username, and you use a secret
shared between you and the remote system (a
password) to prove that your identity.
•User password is encrypted as the user key. User key is
stored in credentials cache. Once the logon session key is
received, the user key is discarded.
•Service password is encrypted as the service key.
•KDCs are found through a DNS query. Service registered
in DNS by DCs.

36. •Showing detail behind what is happening inside of KDC
but for day-to-day, use can just remember KDC
•Another reason for simplification: encryption upon
encryption upon encryption…just remember it is encrypted
•This is a Windows-centric Kerberos presentation
•Load balanced solutions need service account
•All web applications hosted using the same SPN have to
be hosted with the same account
•Use A records, not CNAME records

37. •Terms
•Key Distribution Center (KDC) – In Windows AD, KDC
lives on domain controllers (DC), KDCs share a long term
key across all DCs.
•KDC security account database – In Windows, it is Active
Directory
•Authorization Service (AS) – part of the KDC
•Ticket Granting Service (TGS) – part of the KDC
•Ticket Granting Ticket (TGT) - A user's initial ticket from
the authentication service, used to request service tickets,
and meant only for use by the ticket granting service.
Keeps the user from having to enter password each time a
ticket is requested.

38. Tickets
•Ticket Granting Ticket (TGT)
•A user's initial ticket from the authentication service
•Used to request service tickets
•Meant only for use by the ticket-granting service.
•Service ticket for the KDC (service class = krbtgt)
•Service Ticket
•Enables the ticket-granting service (TGS) to safely
transport the requester's credentials to the target
server or service.

39. Tools
•Knowledge
•SetSPN
•Windows Security Logs
•Windows 2008 ADUC or ADSIEdit
•Kerbtray or Klist
•Netmon and Fiddler
•IIS Logs and IIS7 Failed Request Tracing
•LDP
•Kerberos Logging
•Event Logging and/or Debug Logs

40. •Troubleshooting
• Have user logon and logoff if they don’t regularly:
TGTs are only renewable for so long and then they
expire (7 day default), then password has to be re-
entered.
• Remember that authenticators contain the current
time. Check for time sync issues.

41. •Common Issues
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• Times are out of sync
• Client TGT expired (7 days)
• IE and non-default ports

42. •Request TGT (Remember there is even more complexity)
1. User (client) logs into workstation entering their
password.
2. Client builds an authentication service request
containing the user’s username (KPN), the SPN of the
TGS, and encrypts the current time using the user’s
password as an authenticator.
3. Client sends these three items to the KDC.
4. KDC get user’s password from AD, decrypts time and
verifies it is valid.
5. AS generates a logon session key and encrypts with
the user’s password. AS generates a service ticket
which contains a logon session key and the user’s KPN
encrypted with the AS shared key. This is a special
service ticket called a Ticket Granting Ticket (TGT).

43. •Request TGT (Remember there is even more complexity)
6. KDC sends both to the client.
7. Client decrypts logon session key using its password
and stores the logon session key in cache. The client
stores the TGT in cache.

44. •Access Service (Remember there is even more complexity)
1. User (client) encrypts the current time using the logon
session key in cache creating an authenticator and
sends the authenticator, the user’s KPN, the name of
the target service (SPN), and the TGT to the TGS.
2. TGS decrypts the TGT using its shared key to access
the logon session key. The logon session key is used to
decrypt the authenticator and confirms the time is valid.
3. TGS extracts the user’s KPN from the TGT. TGS
generates a service session key and encrypts the
service session key using the logon session key. TGS
uses server session key to generate service ticket and
encrypts it using service’s password.
4. TGS sends service session key and the service ticket
to the client.

45. •Access Service (Remember there is even more complexity)
5. Client decrypts service session key using cached logon
session key, adds current time (as well as other items),
and encrypts with the service session key to create an
authenticator.
6. Client sends ticket and authenticator to remote server
which runs service.
7. Service decrypts service ticket accessing the server
session key and the KPN. Using the service session
key, the service decrypts the authenticator and confirms
the current time is valid. A Windows access token is
generated
8. (Optional) If client requests mutual authentication,
service encrypts current time using the service session
key creating an authenticator and sends to the client.
9. Clients decrypts authenticator and validates time.

46. Troubleshooting Tools
• Patience – Test methodically and
• Knowledge - Know your Forests, Domains, Trusts,
Functional Levels…get a basic lay of the land.
• Always test from a different machine than the web
server or domain controller!
• SetSPN
• Windows Security Logs
• Windows 2008 ADUC
• Kerbtray
• Netmon and Fiddler
• IIS Logs and IIS7 Failed Request Tracing
• Kerberos Logging
• Event Logging and/or Debug Logs

47. Common Issues that break Kerberos
• Times are out of sync – authenticators contain
current time
• Missing SPN
• Duplicate SPN
• SPN assigned to wrong service account
• IIS Providers are incorrect (For IIS 5 or 6, see
http://support.microsoft.com/kb/215383)
• IIS 7 – remember Kernel mode authentication and
check settings
• Client TGT expired (7 days expiration – have user
logon and logoff, no reboot required)
• IE and non-default ports