Kerberos Introduction

Kerberos in Greek mythology was the three-headed dog guarding the gates to the underworld

Kerberos was developed as part of MITs Athena project and taken on board as the default authentication protocol by MS in Windows 2000.

All flavours of Kerberos provide authentication however the MS implementation does provide extensions for authorization.

So what does that mean?

THE default authentication protocol

for AD.

Based on a trusted third party model

Provides a mechanism for authentication

and

mutual authentication between a client and a

server

Based on Tickets containing client

credentials encrypted with Shared keys.

Authentication Interoperability

Impersonation

Increased authentication efficiencies

(Its just faster)

Mutual authentication

(It can verify you and you can verify it)

Protocol Transition

(first NTLM then Kerberos)

Constrained Delegation

(Impersonation with Rules)

Smartcards

The KDC

• KDC trusted 3rd party, provides scalability • KDC made up of 2 sub services

•(AS) Authentication Service,

•(TGS) Ticket Granting Service

•The KDC holds a copy of each entities Master Key (Symmetric Crypto) •The KDC issues the Keys, encrypted with the Master Key to each entity

WWW.K2.COM

Service DNS Entry FQDN Service Account SPNs

Blackpearl

Server

k2server.k2.com K2\K2serviceaccount K2server/ k2server.k2.com:5252

K2server/k2server:5252

K2HostServer/

k2server.k2.com:5555

K2HostServer/ k2server:5555

Blackpearl

Web

Components

k2wks.k2.com K2\K2workspaceaccount HTTP/k2wks.k2.com

HTTP/k2wks

SSRS 2005 ssrs.k2.com K2\SSRSserviceaccount HTTP/ssrs

HTTP/ssrs.k2.com

Web App SharePoint.k2.com K2\MOSSserviceaccount HTTP/SharePoint

HTTP/SharePoint.k2.com

SQL Server K2sql.k2.com K2\SQLserviceaccount MSSQLSvc/k2sql:1433

MSSQLSvc/k2sql.k2.com:1433

SPNs

Delegation •Windows 2000 the users TGT is passed to the service to facilitate delegation

•Windows 2003 the service ticket can be used to request a new ticket

•Windows 2000 allowed only for non constrained delegation model

•Windows 2003 introduced constrained delegation, this prevents user delegation to any system

•Constrained delegation is only available when running 2003 native! •To check attribute on AD account holding the delegate to SPNs

• “msDS-AllowedToDelegateTo” (see Adsiedit.msc)

WWW.K2.COM

K2 CONFIDENTIAL

WITHOUT KERBEROS

NTLM (Anonymous)

WWW.K2.COM

K2 CONFIDENTIAL

Kerberos

Kerberos

Integrated

SQL

Kerberos

1. Plan

2. Understand all the services in play and how they will talk

amongst each other

3. Get service accounts for each service (best practice

should be 1 per a service!)

4. Get machine A NAME records and any Host Headers in

IIS (Use A NAME records and avoid port numbers in

HTTP requests)

5. Generate required SPNs (Script?)

6. Enable user accounts for delegation

7. Determine the Delegation

8. Is PT required?

system.webServer/security/authentication/Windows-Authentication

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

MSSQLSvc/FQDN:[port | instancename],

MSSQLSvc/FQDN:port | MSSQLSvc/FQDN

Troubleshooting

Auditing Logging Debug Network

Tracing

Auditing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

-“LogLevel” DWORD value of 1

-For Temporary use only

Logging -“LogToFile” DWORD value 1,

-log to file “C:\Windows\System32\lsass.log”

Debug

-“KerbDebugLevel”

-DWORD value c0000043 (this value will print the most standard set of debug messages. Try it first. If you still want to see more output, set it to ffffffff).

Some common Kerberos failure codes

•KDC_ERR_C_PRINCIPAL_UNKNOWN

•STATUS_NO_SUCH_USER 0x6

•KDC_ERR_S_PRINCIPAL_UNKNOWN

•Server not found in Kerberos database 0x7

•- KDC_ERR_PRINCIPAL_NOT_UNIQUE

•Multiple principal entries in database 0x8

•KDC_ERR_KEY_EXPIRED

•Password has expired – change password to reset 0x17

•KRB_AP_ERR_SKEW

•Clock skew too great 0x25

•KRB_ERR_RESPONSE _TOO_BIG

•Response too big for UDP, retry with TCP 0x34

Troubleshooting

-Use the Windows security log, look for 540 events showing you the protocol used and any transited services -Check for duplicate SPNs -Check SPN Syntax -Check Delegation Settings -ADSI is your friend

Multiforest

-Kerberos since 2003 is supported across forests via the use of forest level trust introduced in Windows 2003 -Delegation across forests is not supported -FQDNs required to resolve across forests -Root hints used to find target KDC

http://technet.microsoft.com/en-us/library/bb742516.aspx