Page 1: SPS Ozarks 2012: Kerberos Survival Guide

Kerberos Survival Guide

Presented by:

JD Wade, Senior SharePoint Consultant

MCTS & MCITP: SharePoint 2010, Configuring

Mail: [email protected]

Blog: http://wadingthrough.com

LinkedIn: JD Wade

Twitter: http://twitter.com/JDWade

Horizons Consulting, Inc.

http://www.hrizns.com

Page 2: SPS Ozarks 2012: Kerberos Survival Guide

Agenda

•Overview

•Logon Process

•Accessing a Web Site

•Miscellaneous Information

•The Really Complicated Stuff

Page 3: SPS Ozarks 2012: Kerberos Survival Guide

Kerberos

Massachusetts Institute of Technology

Page 4: SPS Ozarks 2012: Kerberos Survival Guide

Details Out of Scope

• Renewing tickets

• Ticket expiration

• Keys

• Authenticator

• TGT Structure

• Service Ticket Structure

• Encryption/Decryption

• Multiple domains/forests

Page 5: SPS Ozarks 2012: Kerberos Survival Guide
Page 6: SPS Ozarks 2012: Kerberos Survival Guide

Dependencies

SPN

Page 7: SPS Ozarks 2012: Kerberos Survival Guide
Page 8: SPS Ozarks 2012: Kerberos Survival Guide

Service Principal Name

Service Class / Host Name : Port

HTTP/website:80

Page 9: SPS Ozarks 2012: Kerberos Survival Guide

Service Classes allowed by host

alerter, appmgmt, browser, cifs, cisvc, clipsrv, dcom, dhcp, dmserver, dns, dnscache, eventlog, eventsystem, fax, http, ias, iisadmin, messenger, msiserver, mcsvc, netdde, netddedsm, netlogon, netman, nmagent, oakley, plugplay, policyagent, protectedstorage, rasman, remoteaccess, replicator, rpc, rpclocator, rpcss, rsvp, samss, scardsvr, scesrv, schedule, scm, seclogon, snmp, spooler, tapisrv, time, trksvr, trkwks, ups, w3svc, wins, www

Page 10: SPS Ozarks 2012: Kerberos Survival Guide

Kerberos

• Benefits

   • Delegated Authentication

   • Interoperability

   • More Efficient Authentication

   • Mutual Authentication

• Reasons to Use

   • Need Auditing at the Data Sources

   • Data Sources contain Row Level Security

• Otherwise, DO NOT USE IT!

Page 11: SPS Ozarks 2012: Kerberos Survival Guide

Logon Process

Page 12: SPS Ozarks 2012: Kerberos Survival Guide

KDC

Page 13: SPS Ozarks 2012: Kerberos Survival Guide

KDC

Page 14: SPS Ozarks 2012: Kerberos Survival Guide

KDC

SPN

Page 15: SPS Ozarks 2012: Kerberos Survival Guide

KDC

Page 16: SPS Ozarks 2012: Kerberos Survival Guide

Access Web Site

Page 17: SPS Ozarks 2012: Kerberos Survival Guide

401

Page 18: SPS Ozarks 2012: Kerberos Survival Guide

SPN

Page 19: SPS Ozarks 2012: Kerberos Survival Guide
Page 20: SPS Ozarks 2012: Kerberos Survival Guide

Miscellaneous Information

Page 21: SPS Ozarks 2012: Kerberos Survival Guide

Kerberos

• IIS – Chatty by default (make sure you fix this!)

   • IIS6 – See MS KB 917557

   • IIS7 – See MS KB 954873

Page 22: SPS Ozarks 2012: Kerberos Survival Guide

<system.webServer>
   <security>
      <authentication>
         <!-- With kernel-mode authentication, IIS 7 decrypts Kerberos tickets with the machine
              account's key by default. useAppPoolCredentials="true" makes it use the application
              pool identity instead, which is required when the HTTP SPN is registered on a
              custom service account rather than on the computer account. -->
         <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

Page 23: SPS Ozarks 2012: Kerberos Survival Guide
Page 24: SPS Ozarks 2012: Kerberos Survival Guide

Troubleshooting Tools

• Knowledge

• SetSPN

• Windows 2008 ADUC or ADSIEdit

• Windows Security Logs and IIS Logs

• Klist

• Netmon/Wireshark and Fiddler

• IIS7 Failed Request Tracing

• Kerberos Logging

• Event Logging and/or Debug Logs

Page 25: SPS Ozarks 2012: Kerberos Survival Guide

Why So Many Stupid Settings?

Page 26: SPS Ozarks 2012: Kerberos Survival Guide
Page 27: SPS Ozarks 2012: Kerberos Survival Guide
Page 28: SPS Ozarks 2012: Kerberos Survival Guide

[Diagram: Srv1 – Datamart, Srv2 – Cubes, Srv3 and Srv4 – Web]

Page 29: SPS Ozarks 2012: Kerberos Survival Guide

[Diagram: Srv1 – Datamart, Srv2 – Cubes, Srv3 and Srv4 – Web]

For all of 2007

Page 30: SPS Ozarks 2012: Kerberos Survival Guide

[Diagram: Srv1 – Datamart, Srv2 – Cubes, Srv3 and Srv4 – Web]

Page 31: SPS Ozarks 2012: Kerberos Survival Guide

FBA Kerberos

Page 32: SPS Ozarks 2012: Kerberos Survival Guide

[Diagram: Srv1 – Datamart, Srv2 – Cubes, Srv3 and Srv4 – Web]

Page 33: SPS Ozarks 2012: Kerberos Survival Guide

Protocol Transition

Page 34: SPS Ozarks 2012: Kerberos Survival Guide

• Uses Protocol Transition (Domain limited) (Constrained Only)

   • Excel Services

   • Visio Services

   • PerformancePoint

   • InfoPath Form Services

• Does NOT Use Protocol Transition (Forest limited) (Unconstrained or Constrained)

   • SQL Reporting Services

   • BCS

   • Access Services

   • Project Server

• Doesn’t usually require Kerberos

   • PowerPivot for SharePoint Server

For 2010 & 2013

Page 35: SPS Ozarks 2012: Kerberos Survival Guide

Q & A

http://wadingthrough.com/presentations

Page 36: SPS Ozarks 2012: Kerberos Survival Guide

References

• Ken Schaefer’s Multi-Part Kerberos Blog Posts:

http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx

• What Is Kerberos Authentication?

http://technet.microsoft.com/en-us/library/cc780469%28WS.10%29.aspx

• How the Kerberos Version 5 Authentication Protocol Works

http://technet.microsoft.com/en-us/library/cc772815%28WS.10%29.aspx

• Explained: Windows Authentication in ASP.NET 2.0

http://msdn.microsoft.com/en-us/library/ff647076.aspx

Page 37: SPS Ozarks 2012: Kerberos Survival Guide

References

• Kerberos Authentication Tools and Settings

http://technet.microsoft.com/en-us/library/cc738673%28WS.10%29.aspx

• How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0

http://msdn.microsoft.com/en-us/library/ff649317.aspx

• Spence Harbar’s Blog

http://www.harbar.net

Page 38: SPS Ozarks 2012: Kerberos Survival Guide

38 | SharePoint Saturday St. Louis 2012

Housekeeping

• Follow SharePoint Saturday Ozarks on Twitter @SPSOzarks hashtag #SPSOzarks

• Stop by and thank our sponsors for making this event possible!

• Fill out and turn in evaluation forms to be eligible for the end-of-day raffle. You must be present to win.

• Don’t miss “This Modern Station” tonight at Waxy O’Shea’s!

Page 39: SPS Ozarks 2012: Kerberos Survival Guide

Thanks to Our Sponsors!

Title Platinum

Page 40: SPS Ozarks 2012: Kerberos Survival Guide

Thanks to Our Sponsors!

Gold Silver Raffle

Page 41: SPS Ozarks 2012: Kerberos Survival Guide

The End

http://wadingthrough.com/presentations

Page 42: SPS Ozarks 2012: Kerberos Survival Guide

Appendix

Page 43: SPS Ozarks 2012: Kerberos Survival Guide

• Kerberos is an open authentication protocol. Kerberos v5 was invented in 1993 at MIT.

• Authentication is the process of proving your identity to a remote system.

• Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove your identity.

• The user password is encrypted as the user key. The user key is stored in the credentials cache. Once the logon session key is received, the user key is discarded.

• The service password is encrypted as the service key.

• KDCs are found through a DNS query. The service is registered in DNS by the DCs.

Page 44: SPS Ozarks 2012: Kerberos Survival Guide

• Showing the detail behind what is happening inside the KDC, but for day-to-day use you can just remember "KDC".

• Another reason for simplification: encryption upon encryption upon encryption… just remember it is encrypted.

• This is a Windows-centric Kerberos presentation.

• Load balanced solutions need a service account.

• All web applications hosted using the same SPN have to be hosted with the same account.

• Use A records, not CNAME records.

Page 45: SPS Ozarks 2012: Kerberos Survival Guide

• Terms

   • Key Distribution Center (KDC) – In Windows AD, the KDC lives on the domain controllers (DCs); the KDCs share a long-term key across all DCs.

   • KDC security account database – In Windows, it is Active Directory.

   • Authorization Service (AS) – part of the KDC

   • Ticket Granting Service (TGS) – part of the KDC

   • Ticket Granting Ticket (TGT) – A user's initial ticket from the authentication service, used to request service tickets, and meant only for use by the ticket granting service. Keeps the user from having to enter the password each time a ticket is requested.

Page 46: SPS Ozarks 2012: Kerberos Survival Guide

Tickets

• Ticket Granting Ticket (TGT)

   • A user's initial ticket from the authentication service

   • Used to request service tickets

   • Meant only for use by the ticket-granting service

   • Service ticket for the KDC (service class = krbtgt)

• Service Ticket

   • Enables the ticket-granting service (TGS) to safely transport the requester's credentials to the target server or service.

Page 47: SPS Ozarks 2012: Kerberos Survival Guide

Tools

• Knowledge

• SetSPN

• Windows Security Logs

• Windows 2008 ADUC or ADSIEdit

• Kerbtray or Klist

• Netmon and Fiddler

• IIS Logs and IIS7 Failed Request Tracing

• LDP

• Kerberos Logging

• Event Logging and/or Debug Logs

Page 48: SPS Ozarks 2012: Kerberos Survival Guide

• Troubleshooting

   • Have the user log on and log off if they don’t regularly: TGTs are only renewable for so long and then they expire (7 day default), after which the password has to be re-entered.

   • Remember that authenticators contain the current time. Check for time sync issues.

Page 49: SPS Ozarks 2012: Kerberos Survival Guide

• Common Issues

• Missing SPN

• Duplicate SPN

• SPN assigned to wrong service account

• Times are out of sync

• Client TGT expired (7 days)

• IE and non-default ports

Page 50: SPS Ozarks 2012: Kerberos Survival Guide

• Request TGT (Remember there is even more complexity)

1. User (client) logs into the workstation, entering their password.

2. Client builds an authentication service request containing the user’s username (KPN) and the SPN of the TGS, and encrypts the current time using the user’s password as an authenticator.

3. Client sends these three items to the KDC.

4. KDC gets the user’s password from AD, decrypts the time and verifies it is valid.

5. AS generates a logon session key and encrypts it with the user’s password. AS generates a service ticket which contains the logon session key and the user’s KPN, encrypted with the AS shared key. This is a special service ticket called a Ticket Granting Ticket (TGT).

Page 51: SPS Ozarks 2012: Kerberos Survival Guide

• Request TGT (Remember there is even more complexity)

6. KDC sends both to the client.

7. Client decrypts the logon session key using its password and stores the logon session key in cache. The client stores the TGT in cache.

Page 52: SPS Ozarks 2012: Kerberos Survival Guide

• Access Service (Remember there is even more complexity)

1. User (client) encrypts the current time using the logon session key in cache, creating an authenticator, and sends the authenticator, the user’s KPN, the name of the target service (SPN), and the TGT to the TGS.

2. TGS decrypts the TGT using its shared key to access the logon session key. The logon session key is used to decrypt the authenticator and confirm the time is valid.

3. TGS extracts the user’s KPN from the TGT. TGS generates a service session key and encrypts the service session key using the logon session key. TGS uses the service session key to generate the service ticket and encrypts it using the service’s password.

4. TGS sends the service session key and the service ticket to the client.

Page 53: SPS Ozarks 2012: Kerberos Survival Guide

• Access Service (Remember there is even more complexity)

5. Client decrypts the service session key using the cached logon session key, adds the current time (as well as other items), and encrypts with the service session key to create an authenticator.

6. Client sends the ticket and authenticator to the remote server which runs the service.

7. Service decrypts the service ticket, accessing the service session key and the KPN. Using the service session key, the service decrypts the authenticator and confirms the current time is valid. A Windows access token is generated.

8. (Optional) If the client requests mutual authentication, the service encrypts the current time using the service session key, creating an authenticator, and sends it to the client.

9. Client decrypts the authenticator and validates the time.
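The two exchanges above (Request TGT, steps 1-7, and Access Service, steps 1-9) carried through as an added Python simulation that is not part of the presentation: a toy KDC holds the user, service and krbtgt keys, every ticket and authenticator is sealed with a stand-in authenticated cipher rather than a real Kerberos encryption type, and the three common issues the protocol itself surfaces (clock skew, missing SPN, ticket encrypted for the wrong service account) show up as the errors the checks raise. The KPN, SPN, passwords and the 5-minute skew tolerance are constructed assumptions.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # assumed tolerance for "times are out of sync" (Windows default is 5 minutes)
def key_from_password(pw):  # toy string-to-key; real Kerberos derives RC4/AES keys differently
    return hashlib.sha256(pw.encode()).digest()

def seal(key, obj):  # toy authenticated encryption standing in for the Kerberos encryption types
    data = json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return ct + hmac.new(key, ct, "sha256").digest()
def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key (e.g. SPN assigned to the wrong service account)")
    ks = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def check_time(key, auth, now):  # an authenticator is the sender's current time, encrypted
    if abs(unseal(key, auth)["time"] - now) > SKEW:
        raise ValueError("KRB_AP_ERR_SKEW: times are out of sync")
class KDC:
    def __init__(self, users, spns):  # users: KPN -> password; spns: SPN -> service account password
        self.ukeys = {k: key_from_password(p) for k, p in users.items()}
        self.skeys = {s: key_from_password(p) for s, p in spns.items()}
        self.krbtgt = key_from_password("krbtgt-long-term-secret")  # the key all DCs share
    def as_exchange(self, kpn, auth, now):  # "Request TGT" steps 2-6
        check_time(self.ukeys[kpn], auth, now)
        lsk = os.urandom(32)  # logon session key
        tgt = seal(self.krbtgt, {"kpn": kpn, "lsk": lsk.hex()})  # readable only by the TGS
        return seal(self.ukeys[kpn], {"lsk": lsk.hex()}), tgt
    def tgs_exchange(self, tgt, auth, spn, now):  # "Access Service" steps 1-4
        t = unseal(self.krbtgt, tgt)
        check_time(bytes.fromhex(t["lsk"]), auth, now)
        if spn not in self.skeys:
            raise KeyError("KDC_ERR_S_PRINCIPAL_UNKNOWN: missing SPN " + spn)
        ssk = os.urandom(32)  # service session key
        ticket = seal(self.skeys[spn], {"kpn": t["kpn"], "ssk": ssk.hex()})
        return seal(bytes.fromhex(t["lsk"]), {"ssk": ssk.hex()}), ticket

def logon_and_access(kdc, kpn, password, spn, service_password, skew=0):
    now, ukey = time.time(), key_from_password(password)  # skew: seconds the client clock is off by
    enc_lsk, tgt = kdc.as_exchange(kpn, seal(ukey, {"time": now + skew}), now)
    lsk = bytes.fromhex(unseal(ukey, enc_lsk)["lsk"])  # step 7: cache logon session key and TGT
    enc_ssk, ticket = kdc.tgs_exchange(tgt, seal(lsk, {"time": now + skew}), spn, now)
    ssk = bytes.fromhex(unseal(lsk, enc_ssk)["ssk"])  # step 5: recover the service session key
    t = unseal(key_from_password(service_password), ticket)  # step 7: service opens the ticket
    check_time(bytes.fromhex(t["ssk"]), seal(ssk, {"time": now + skew}), now)
    return t["kpn"]  # the identity a Windows access token would be built for
USERS, SPNS = {"alice@CONTOSO.LOCAL": "P@ssw0rd!"}, {"HTTP/website:80": "svc-sp-web-password"}  # constructed
```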

Page 54: SPS Ozarks 2012: Kerberos Survival Guide

Troubleshooting Tools

• Patience – Test methodically and

• Knowledge - Know your Forests, Domains, Trusts, Functional Levels…get a basic lay of the land.

• Always test from a different machine than the web server or domain controller!

• SetSPN

• Windows Security Logs

• Windows 2008 ADUC

• Kerbtray

• Netmon and Fiddler

• IIS Logs and IIS7 Failed Request Tracing

• Kerberos Logging

• Event Logging and/or Debug Logs

Page 55: SPS Ozarks 2012: Kerberos Survival Guide

Common Issues that break Kerberos

• Times are out of sync – authenticators contain current time

• Missing SPN

• Duplicate SPN

• SPN assigned to wrong service account

• IIS Providers are incorrect (For IIS 5 or 6, see http://support.microsoft.com/kb/215383)

• IIS 7 – remember Kernel mode authentication and check settings

• Client TGT expired (7 days expiration – have user logon and logoff, no reboot required)

• IE and non-default ports
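An added check, not from the presentation, for the SPN-related issues on this slide and on page 49, in Python: it parses SPNs in the ServiceClass/HostName:Port form from page 8, treats a HOST/hostname SPN as covering http for that host (page 9), and reports duplicates, missing SPNs, SPNs on an account other than the app pool's (page 44) and the non-default-port case, where IE by default requests HTTP/hostname without the port. The account names and SPNs in REGISTERED and WEB_APPS are constructed.

```python
import re
from collections import defaultdict

SPN_RE = re.compile(r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?$")

def parse_spn(spn):
    """Split 'HTTP/website:80' into (service class, host, port), case-folded; port is None if absent."""
    m = SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("not a ServiceClass/Host[:Port] SPN: " + spn)
    port = m.group("port")
    return m.group("cls").lower(), m.group("host").lower(), int(port) if port else None

def fmt(cls, host, port):
    return f"{cls.upper()}/{host}" + (f":{port}" if port else "")

def owners_of(owners, host, port):
    # page 9: an SPN in the HOST class covers http for the same host, so HOST/srv counts as HTTP/srv
    return owners.get(("http", host, port)) or owners.get(("host", host, port)) or set()

def audit_spns(registered, web_apps):
    """registered: account -> its SPNs (what 'setspn -L <account>' lists); web_apps: (host, port, app pool account).
    Returns findings for the duplicate / missing / wrong-account / non-default-port cases on the slide."""
    owners = defaultdict(set)
    for account, spns in registered.items():
        for spn in spns:
            owners[parse_spn(spn)].add(account)
    findings = [f"duplicate SPN {fmt(*key)} on {sorted(accts)}" for key, accts in owners.items() if len(accts) > 1]
    for host, port, account in web_apps:
        host = host.lower()
        # IE leaves the port out of the SPN it asks for by default, so HTTP/host must exist even on 8080
        plain = owners_of(owners, host, None)
        if not plain:
            findings.append(f"missing SPN HTTP/{host} (IE requests it without the port)")
        elif account not in plain:
            findings.append(f"SPN HTTP/{host} is on {sorted(plain)}, not app pool account {account}")
        if port != 80 and not owners_of(owners, host, port):
            findings.append(f"missing SPN HTTP/{host}:{port} for the non-default port")
    return findings

REGISTERED = {  # constructed sample, not real accounts
    "CONTOSO\\svc-sp-web": ["HTTP/website", "HTTP/website.contoso.local", "HTTP/website:8080"],
    "CONTOSO\\svc-sp-old": ["http/WEBSITE"],  # stale registration: duplicate of HTTP/website
    "CONTOSO\\SRV3$": ["HOST/srv3", "HOST/srv3.contoso.local"],
}
WEB_APPS = [("website", 80, "CONTOSO\\svc-sp-web"), ("intranet", 8080, "CONTOSO\\svc-sp-web"),
            ("srv3", 80, "CONTOSO\\SRV3$")]
```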