Windows NT® Single Sign On: BackOffice® Applications (Part I)
Peter Brundrett, Program Manager, Windows NT Security, Microsoft Corporation
Agenda
  Windows NT single sign on
  Kerberos v5 authentication and SSPI
  Three-tier security delegation
  Windows NT authorization
Single Sign On Issues
User issue:
  Too many passwords to remember
Administrator issue:
  Too many places to define user accounts
  Hard to determine user access
Security issue:
  Clear text passwords
  Hard to disable an account
IT Manager issue:
  Heterogeneous computer systems
Single Sign On Goals
User
  Logon once to the Enterprise
  Use few passwords, ideally one!
Administrator
  Create user account once
  Assign access based on roles
  Manage accounts across systems
Security administrator
  Define and verify security policies
Private key and certificate on card
Public key domain authentication
Windows NT Single Sign On
Standards-based Distributed System Infrastructure
  Well documented APIs for developers
  Platform services used in applications
  Integrated logon to strategic platforms
  Integrated Windows NT authorization
Integrated Single Sign On Today
[Diagram: File and Print Services, Exchange, SQL Server, Internet Information Server, Proxy, Remote Access, SNA Server, "Your app HERE", connected to the Internet / public network]
BackOffice Logo Program
Security requirements for client/server applications
Core baseline requirements
  Windows NT authentication
    NTLM for Windows NT 4.0
    Kerberos v5 for Windows NT 5.0
  Connection authentication
    Establish credentials
    Mutual authentication of client and server
  Secure communication
    Message privacy and integrity
  Impersonation and delegation
    Assuming client's identity
  Authorization and auditing
    Using security descriptors
Client side
  Acquire credentials (default or alternate)
  Initialize security context
  Initiate connection
Server side
  Acquire credentials (default or alternate)
  Accept client's security context
Example: SSPI
Security package name
  "Kerberos" or "Negotiate"
  Negotiate package will choose Kerberos
Using DCOM
  IServerSecurity
  CoImpersonateClient
  CoRevertToSelf
For HTTP, Internet Information Server impersonates the client
ISAPI runs in the
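The client/server steps and the logo-program checklist above, as an added example that is not part of the original slides: it drives the same SSPI exchange through .NET's NegotiateStream, which sits on top of the Negotiate SSP, with both sides in one process on loopback. Assumptions: a domain-joined Windows host, and a $TargetSpn that is registered on the account the server side runs as (for an interactive test, an SPN registered on your own account); otherwise Negotiate falls back to NTLM, or the accept step fails and the failure is reported.

```powershell
# Added example (not from the slides): the slides' client/server SSPI steps run
# through .NET's NegotiateStream, which sits on top of the Negotiate SSP.
# Assumption: $TargetSpn names the account the server side runs as; the default
# host/<computer> is only right when the server runs as LocalSystem/NetworkService.
param([string]$TargetSpn = "host/$env:COMPUTERNAME")

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$tcpClient = [System.Net.Sockets.TcpClient]::new('localhost', $listener.LocalEndpoint.Port)
$tcpServer = $listener.AcceptTcpClient()
$clientCtx = [System.Net.Security.NegotiateStream]::new($tcpClient.GetStream())
$serverCtx = [System.Net.Security.NegotiateStream]::new($tcpServer.GetStream())

# "Acquire credentials: default or alternate" -- both sides use the logon session's.
$creds   = [System.Net.CredentialCache]::DefaultNetworkCredentials
$privacy = [System.Net.Security.ProtectionLevel]::EncryptAndSign        # privacy + integrity
$level   = [System.Security.Principal.TokenImpersonationLevel]::Impersonation

try {
    # Client: initialize security context / initiate connection. Runs on a
    # thread-pool thread so the server can accept the context on this one.
    $clientTask = $clientCtx.AuthenticateAsClientAsync($creds, $TargetSpn, $privacy, $level)
    # Server: accept the client's security context; blocks until the exchange completes.
    $serverCtx.AuthenticateAsServer($creds, $privacy, $level)
    $clientTask.Wait()

    # Read the logo-program checklist back from the established context.
    [pscustomobject]@{
        Package   = $serverCtx.RemoteIdentity.AuthenticationType  # 'Kerberos' or 'NTLM'
        Mutual    = $serverCtx.IsMutuallyAuthenticated           # false after NTLM fallback
        Encrypted = $serverCtx.IsEncrypted
        Signed    = $serverCtx.IsSigned
        Client    = $serverCtx.RemoteIdentity.Name
        ImpLevel  = $serverCtx.ImpersonationLevel
    } | Format-List

    # Impersonate client / revert to self, the managed counterpart of
    # CoImpersonateClient and CoRevertToSelf: the block runs as the caller and
    # RunImpersonated reverts to the server's own identity when it returns.
    $token = ([System.Security.Principal.WindowsIdentity]$serverCtx.RemoteIdentity).AccessToken
    [System.Security.Principal.WindowsIdentity]::RunImpersonated($token, [Action]{
        Write-Host ("Serving request as " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    })
} catch {
    Write-Warning "Context establishment failed: $($_.Exception.GetBaseException().Message)"
} finally {
    $clientCtx.Dispose(); $serverCtx.Dispose(); $listener.Stop()
}
```

If Package reads NTLM with Mutual false, the Negotiate package did not choose Kerberos for this target, which is the case the "Negotiate package will choose Kerberos" bullet assumes away.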
Kerberos service uses Active Directory
  Implemented by SSPI security provider
  Mutual authentication
  Supports 3-tier delegation
  Windows NT access control
  Standards-based interoperability
Three-Tier Security Delegation
End-to-end user authentication
  Application requires data from several sources
  Flexibility to separate Web server from back-end data servers
Single user account
  Simplify user management
  Access control through groups
Example: Delegation in Action
Configuration Setup
  Windows NT 5.0 with Kerberos protocol
  Internet Information Server
  SQL Server™
Client is Windows NT 5.0 or Windows® 95/98 with Distributed Systems client update
Internet Information Server Virtual Directory uses "Windows NT Authentication"
SQL Server is using Integrated Security
Trusted For Delegation
Delegation means…
  Server can do anything on behalf of client
  Trusted not to run unauthorized services
  Enabled on per-server basis
Enable on the computer object in Active Directory
Do not assume delegation is always enabled!
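One way to check the "Trusted for delegation" setting on the computer objects in the delegation walkthrough instead of assuming it, as an added example that is not part of the original slides. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined host; $ServerName is a placeholder for the front-end server you are about to rely on.

```powershell
# Added example (not from the slides): audit which computer objects in Active
# Directory are trusted for delegation. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# TRUSTED_FOR_DELEGATION is bit 0x80000 of userAccountControl; the AD module
# exposes the same bit as the TrustedForDelegation property.
$TRUSTED_FOR_DELEGATION = 0x80000

# Every server that may act "on behalf of" clients; domain controllers carry the
# bit by default, so the entries to explain are the non-DC ones.
function Get-DelegationTrustedComputer {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADComputer -SearchBase $SearchBase -Filter { TrustedForDelegation -eq $true } `
        -Properties userAccountControl, servicePrincipalName, OperatingSystem |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            UacBitSet = (($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0)
            OS        = $_.OperatingSystem
            SPNs      = ($_.servicePrincipalName -join ';')
        }
    }
}

# Check a single server (e.g. the IIS front end) before relying on delegation.
# $ServerName is a placeholder, not a value from the slides.
function Test-DelegationEnabled {
    param([Parameter(Mandatory)][string]$ServerName)
    $c = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation
    [bool]$c.TrustedForDelegation
}

Get-DelegationTrustedComputer | Format-Table -AutoSize
```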
Windows NT Authorization
What is the client allowed to do?
  Single sign on is not sufficient
Centralize authorization through roles
  Windows NT group membership
Integrate authentication with server security model
Windows NT object security model
[Diagram: Secure Server]
  Client access request
  Impersonate Client
  Get object's security descriptor
  Get client's access token
Synchronize with other account stores
  Directory synchronization - LDAP, LDIF
  Password change notification
Authorization based on group membership for central access control
  Roles defined by group membership
Single Sign On Summary
Comprehensive solution today
  Windows NT and BackOffice services
  Platform security services for applications
Cross-platform with industry standards
  Kerberos v5 and GSS token formats
  X.509 v3 certificates with SSL/TLS
Familiar Windows NT security model extended to n-tier applications
Call To Action
Stop prompting for passwords!
  Use Windows NT distributed security
  Use SSPI or DCOM/RPC security
  Use Windows NT access control
Leverage industry standard protocols for cross-platform security
Depend on Active Directory for single user account store
Check out the Security Showcase!
More Information
SSPI
  SSPI Whitepaper on MSDN
  Platform SDK: doc and samples
  \mssdk\samples\win32\winnt\security\sockauth