Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. [Wikipedia]
What is Kerberos?
www.sparkbit.pl
Basic information
1. Developed at the Massachusetts Institute of Technology (MIT)
2. Windows 2000 and later use Kerberos as the default authentication mechanism (although through Microsoft's own implementation)
3. Kerberos is built into the Active Directory solution
4. UNIX-based operating systems have tools for authenticating over Kerberos
5. Kerberos' main use case is to provide an SSO service in untrusted networks
Kerberos Realm (diagram): Clients (Browser) talk to the Key Distribution Center (KDC), which consists of the Authentication Server and the Ticket Granting Server, and to the HTTP Service.
The authentication process
1. Client sends a plaintext request.
2. KDC looks up the user in its database.
Plaintext Request contains: User ID; Requested Service ID (Ticket Granting Server in this case); Client network address; Requested lifetime of TGT.
Ticket Granting Ticket (issued by the Authentication Server, signed by the KDC's private key) contains: User ID; Timestamp; Client network address; TGT lifetime; Ticket Granting Server (TGS) Session Key.
Successful authentication in Kerberos leads to authorization.
Kerberos authorization part I
1. Client: to be able to authorize with a service, Client sends the Ticket Granting Ticket with a Service ID to KDC.
2. KDC: checks the Service ID in its database.
3. KDC: decrypts the TGT and, if it's successful, Client is granted access to Service.
4. KDC: issues a Service Ticket (signed by the TGS session key) which contains: HTTP service ID; Timestamp; Ticket lifetime; HTTP service session key.
This is the moment when a trust between Client and Service is established.
Kerberos authorization part II
1. Client sends the encrypted Service Ticket to the Service.
2. Service decrypts the Service Ticket to check whether Client is authorized to make requests against this Service.
3. Service returns this information (Service Response) to Client.
Client uses the cached Service Ticket in all subsequent requests as long as it is valid.
Kerberos important notes
Target service does not have to talk to KDC during the authorization process
Authentication in Kerberos is ensured implicitly: important information is sent encrypted and the protocol will authorize Client if those messages can be decrypted
Passwords are never stored in clear text and are not sent over the network
Kerberos in HTTP - SPNEGO
Kerberos is designed for client/server environments
It's difficult to use pure Kerberos in web and thin client environments
SPNEGO was created to overcome this issue – a wrapper protocol over Kerberos
SPNEGO
1. When a Client wants to access a protected Service without proper authentication data, it gets rejected with a 401 Unauthorized status code and with an additional header WWW-Authenticate: Negotiate, which instructs Client to use SPNEGO authentication.
2. Client then has to request a ticket from KDC.
3. Next, Client has to wrap the ticket in a SPNEGO envelope and send it in the Authorization header to the web server, requesting the same Service.
4. Web server can unwrap the SPNEGO envelope and use the ticket as user credentials.
5. If Service needs to access other Kerberos-protected resources to complete the call, it can delegate the ticket sent by the Client to other requests.
Each request to a Kerberos-protected Service needs its own unique ticket. Reusing tickets is forbidden – Kerberos treats them as replay attacks.
SPNEGO (sequence between Client and Web Server)
Client -> Web Server: HTTP GET /api/service
Web Server -> Client: 401 Unauthorized, WWW-Authenticate: "Negotiate"
Client -> Web Server: HTTP GET /api/service, Authorization: "Negotiate XeH83HiJ"
Web Server -> Client: { result: "OK" }
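The server side of the exchange above, as an added example that is not part of the original slides. A real Negotiate token is an opaque GSS-API/Kerberos blob; here a constructed base64 JSON "ticket" with the Service Ticket fields the slides list (service ID, timestamp, lifetime) plus a per-request nonce stands in for it, and the service principal name and the 300-second clock tolerance are assumptions.

```python
import base64
import json
import time

SERVICE_ID = "HTTP/www.example.test"   # assumed service principal name
MAX_CLOCK_SKEW = 300                    # assumed allowed clock difference, seconds
REQUIRED = {"client", "service", "nonce", "ts", "lifetime"}


def make_token(client, service=SERVICE_ID, lifetime=600, nonce=1, now=None):
    """Client side: build a constructed Negotiate token (not real Kerberos)."""
    ticket = {"client": client, "service": service, "nonce": nonce,
              "ts": int(now if now is not None else time.time()),
              "lifetime": lifetime}
    return base64.b64encode(json.dumps(ticket).encode()).decode()


def handle_request(headers, replay_cache, now=None):
    """Web server side: return (status, response_headers, body)."""
    now = int(now if now is not None else time.time())
    challenge = {"WWW-Authenticate": "Negotiate"}
    auth = headers.get("Authorization", "")
    # Step 1: no credentials -> 401 with the Negotiate challenge.
    if not auth.startswith("Negotiate "):
        return 401, challenge, {}
    # Step 4: unwrap the envelope; anything undecodable is rejected.
    try:
        ticket = json.loads(base64.b64decode(auth[len("Negotiate "):]))
    except ValueError:
        return 401, challenge, {"error": "bad token"}
    if not isinstance(ticket, dict) or not REQUIRED <= ticket.keys():
        return 401, challenge, {"error": "bad token"}
    # The ticket must be for this service, within its lifetime, and the
    # clocks must agree (Kerberos rejects large clock differences).
    if ticket["service"] != SERVICE_ID:
        return 403, {}, {"error": "ticket is for another service"}
    if abs(now - ticket["ts"]) > MAX_CLOCK_SKEW:
        return 401, challenge, {"error": "clock skew"}
    if now > ticket["ts"] + ticket["lifetime"]:
        return 401, challenge, {"error": "ticket expired"}
    # Each request needs a fresh token; a repeat is treated as a replay.
    key = (ticket["client"], ticket["nonce"], ticket["ts"])
    if key in replay_cache:
        return 401, challenge, {"error": "replay detected"}
    replay_cache.add(key)
    return 200, {}, {"result": "OK", "user": ticket["client"]}


if __name__ == "__main__":
    cache = set()
    print(handle_request({}, cache))                     # 401 + challenge
    tok = make_token("alice")
    print(handle_request({"Authorization": "Negotiate " + tok}, cache))
    print(handle_request({"Authorization": "Negotiate " + tok}, cache))  # replay
```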
Kerberos limitations
KDC is a single point of failure, though this can be mitigated by using multiple servers
Kerberos has strict time limitations on the difference between clocks on hosts taking part in the process
Kerberos cannot be used in scenarios where clients come from outside of the domain (typical Internet use case)
Creating a staged environment is problematic: single domain vs. a separate domain for each environment
Summary
Authentication protocol well suited for intranets in companies
Integrated in Active Directory on Windows servers
Complicated usage in the HTTP world, need to use a wrapper protocol like SPNEGO