1 / 29

Kerberos

Kerberos. Miha Pihler MVP – Enterprise Security Microsoft Certified Master | Exchange 2010. About. Speaker / Trainer Author. Agenda. Understand how Kerberos works Inside domain Inside Forest (across multiple domains) Across Forest Troubleshoot common Kerberos problems

ollie
Download Presentation

Kerberos

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Kerberos Miha Pihler MVP – EnterpriseSecurity Microsoft Certified Master | Exchange 2010

  2. About • Speaker / Trainer • Author

  3. Agenda • Understand how Kerberos works • Inside domain • Inside Forest (across multiple domains) • Across Forest • Troubleshoot common Kerberos problems • What tools can we use

  4. Kerberos / NTLM • You can practically disable NTLM and with this „force“ Kerberos in your environment • With this you get higher security • Before you do, if Kerberos fails it will fall back to NTLM • You want to test Kerberos in your environment and see what breaks • After you disable NTLM, Kerberos has nothing to fall back to – so you better make sure Kerberos is working and you know how to troubleshoot it

  5. Kerberos / AuthenticationService • 1a – User (PC) sends KRB_AS_REQ to DC. • In the packet are: • User‘s name (e.g. Mike) • Service name (e.g. krbtgt/corp.krneki.net) that we wish Ticket Granting Service (TGS) for • Pre-Authentication that is derived from user account password (one way function is used to protect the password) • User AuthN. 1) KRB_AS_REQ 1b – KDC will check its DB generate and locate user account (Mike) It will check the pre-authentication data by using information on user account Mike in its own database - It will use same one way function. If DC gets same result this means that user entered correct password 1c – KDC generates packet for the client ….

  6. Kerberos / AuthenticationService • 1c – KDC generatespacketfortheclient…. • In thispacketthereare: • New sessionlogonkeysencryptedwithuseraccountmasterkey • Secondscopyofmasterkey, authorizationdata in TGT. TGT is encryptedwith KDC masterkey • User AuthN. 1d – Clientwilldecryptitssessionkeyusingitsownmasterkeyandwill store thesessionkey in cache It willalsocacheextracted TGT 1) KRB_AS_REP

  7. Kerberos / AS NetworkTrace • User Account

  8. Kerberos / AS NetworkTrace • ComputerAccount

  9. Kerberos / TGS • 2a - User sends KRB_TGS_REQ to DC. • In the packet are: • Service that user would like to access (including server name) • Authenticator encrypted with user‘s session key (in cache from previous steps) • TGT from previous steps • User AuthN. 1) KRB_TGS_REQ 2b – KDC decrypts TGT with its own master key (remember that TGT was encrypted with KDC master key) It will also extract user‘s session key. Session key is used to decrypt user authenticator and authenticator is validated At this stage new session key is created and will be used to access the service 1) KRB_TGS_REP • 2c – KDC generates packet for the client …. New session key from 2b is • Session key encrypted with Mike logon session key • Session key encrypted with server$ using server$ master key

  10. Kerberos / TGS

  11. Kerberos / Client Server Exchange • User Authentication • 2a - PC sends KRB_AP_REQ to DC. • In the packet are: • Authenticator encrypted with session key of DC/Server$ • Ticket for session with DC$ encrypted with DC‘s$ master key 1) KRB_AP_REQ 1) KRB_AP_REP

  12. Client to server • User Authentication to anotherserver • Wealreadyhave AS • 1a - PC sends KRB_TGS_REQ to DC. • In thepacket are: • Whatserviceandserverwewant to connect to (e.g. ldap/server1.corp.krneki.net) • Authenticator • TGT thatwealreadyhave 1a KRB_TGS_REQ 1b KRB_TGS_REP • 1b – DC receivesthe TGS_REQ • DC willdecryptthe TGT withitsmasterkey • It willcreatenewsessionkeyfor Server1 • It willgeneratenewpacket • One sessionkey is protectedwithsessionkeyof Administrator • - Copyofsessionkey is protectedwith Server1 masterkey Server1.corp.krneki.net

  13. Client to server • User Authentication to another server • We already have AS • 2a – We are ready to talk to Server1. We send KRB_AP_REQ packet and in the packet are: • Authenticator protected with Server1 session key • Ticket that we received from DC for Server1 that is protected with Server1 master key 1a KRB_TGS_REQ 1b KRB_TGS_REP 2a KRB_AP_REQ • 2b – Server1 will decrypt the session key with its own master key. It will extract the authenticator. If everything is OK it will sends back KRB_AP_REP 2b KRB_AP_REP Server1.corp.krneki.net

  14. Client to server • If we want to connect to another server (Server2) we have to repeat the whole KRB_REQ_TGS and KRB_AP_REQ procedure

  15. SPN / Service Principal Name • Very important component of Kerberos

  16. SPN / Service Principal Name (cont). • Very often source of Kerberos problems • Missing SPNs • SPNs registered on wrong objects • Multiple objects sharing same SPN • Tools that we can use to troubleshoot are • setspn.exe • setspn –x (looks for double SPNs) • can also register SPNs on object • ADSIEdit, LDP, …

  17. SPN / Service Principal Name (cont). • SPNMappings

  18. SPN / Service Principal Name (cont). SetSPN.exe setspn-A MSSQLSvc/server1.corp.krneki.net:1433 CORPDC1

  19. Common scenarios and problems • User to Web Server, Web Server to SQL DB dc1.corp.krneki.net KRB_TGS_REQ http/intranet.corp.krneki.net DC must find this SPN! intranet.corp.krneki.net If IIS is running as Network Service SPN must be registered on computer account http://intranet.corp.krneki.net http://intranet sqlcl1.corp.krneki.net

  20. Common scenarios and problems • User to Web Server, Web Server to SQL DB KRB_TGS_REQ MSSQLSvc/server7.corp.krneki.net:1433 DC must find this SPN! dc1.corp.krneki.net KRB_TGS_REQ http/intranet.corp.krneki.net DC must find this SPN! • intranet.corp.krneki.net • IIS serverneeds to talk to SQL • It need to authenticate to DC • It mustfind SQL SPN! http://intranet.corp.krneki.net http://intranet sqlcl1.corp.krneki.net

  21. Common scenarios and problems • User to Web Server, Web Server to SQL DB dc1.corp.krneki.net KRB_TGS_REQ http/intranet.corp.krneki.net DC must find this SPN! intranet.corp.krneki.net Server1.corp.krneki.net If IIS is runningwithcustomaccount SPN http/intranet… mustberegistered on thiscustomaccount! http://intranet.corp.krneki.net http://intranet sqlcl1.corp.krneki.net If SQL is runningunderdedicated account SPN mustberegistered underthisaccount

  22. Commonscenariosandproblems • If you change from Computer account or Network Service to custom account in your environment, don‘t forget to: • Remove SPN names from Computer Account • Add SPN to custom service • Always remember, there can be only one ;-) • SPN name can be registered to only one object at the time • You can use SetSPN –x to test your environment and find all double SPNs

  23. Commonscenariosandproblems • Easiest way to troubleshoot Client – Web - SQL • Use Network Monitor • Install Network Monitor on the client and see what SPN the client is sending for e.g. web server • Make sure that that SPN is registered on CORRECT object • Install network monitor on web server and see what SPN web server is using to address the SQL • Make sure that that SPN is registered on CORRECT object

  24. AcrossDomainandForest • When client specifies where it wants to connect (specifies SPN) DC will look in its database for that SPN. If it can‘t find it in its local domain it will query GC (Global Catalog) if this SPN exists in the forest. • If it exists in the forest it will send the client a referral to the domain controller in another domain…

  25. AcrossDomainandForest • If we have Forest Trust, DC will check TDO (Trusted Domain Object) • TDO contains information trusting forest • Gives information about „routing“ requests to other domains or forests • Domain suffixes • Information is stored and replicated to Global Catalogs in the forest

  26. Group Policies and Kerberos • Default settings defining Kerberos • Service ticket by default valid for 10 hours • User ticket by default valid for 10 hours

  27. Group Policies and Kerberos • Forest search order • Windows 7 and Windows Server 2008 R2

  28. Summary • Before you switch to pure Kerberos, make sure it is working and it is not falling back to NTLM • Pay attention to SPNs or Kerberos will not work! • Easiest way to troubleshoot is to use Network Monitor

  29. Q&A miha.pihler@telnet.si

More Related