
Windows Authentication



Presentation Transcript


  1. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Windows Authentication

  2. Windows Authentication An Introduction

  3. The topics
  • The hell of Windows authentication mechanisms
  • Basic, NTLM, Kerberos
  • Certificates and smart cards or tokens
  • How they work differently
  • What is better or worse
  • Weird and weirder things that you may not know

  4. And the environment
  • Windows 2000 and newer
  • Active Directory domains
  • Maybe some trusts or multidomain forests
  • Connections to SMB, LDAP, Exchange, SQL, HTTP, WMI, remote administration, RDP and other servers
  • Ideally SSO

  5. Windows Authentication Network Interactions

  6. Local Logon (diagram; labels: Client 2000+, DC 2000+; Kerberos: TGT: User, TGS: LDAP, CIFS; LDAP: GPO List; SMB: GPO Download)

  7. CTRL-ALT-DEL Password
  • Password is stored in memory only
    • LSASS process
    • in the form of an MD4 hash
    • never given out

  8. Authentication Interactions in General (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; App Traffic, In-band; Kerberos: TGT: User, TGS: Server; NTLM Pass-through over SMB and D/COM (Dynamic TCP); Occasional PAC Validation)

  9. The three authentication methods
  • Basic
    • plain-text password
    • results in Kerberos authentication
  • NTLM
    • hashed password (MD4)
    • method from the past
    • LM (DES), NTLM (DES), NTLMv2 (MD5)
  • Kerberos
    • hashed password (MD4) plus RC4/DES or AES
    • mutual authentication and delegation
    • can use certificates instead of passwords

  10. Basic and RDP Network Logon (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; App Traffic, In-band: clear text; Kerberos: TGT: User)

  11. NTLM Network Logon (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; App Traffic, In-band: NTLM hash; Pass-through of NTLM hash over SMB and D/COM (Dynamic TCP))

  12. Kerberos Network Logon (basic principle) (diagram; labels: Client 2000+, Server 2000+, DC 2000+; App Traffic, In-band: TGS: Server; Kerberos: TGT: User, TGS: Server)

  13. Kerberos Network Logon (complete) (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; App Traffic, In-band: TGS: Server; Kerberos: TGT: User, TGS: Server; SMB and D/COM (Dynamic TCP); Occasional PAC Validation)

  14. Windows Authentication Performance Comparison

  15. NTLM Network Logon (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; CPU labels in slide order: 60 % CPU, 55 % CPU)

  16. Kerberos Network Logon, no PAC Validation (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; CPU labels in slide order: 60 % CPU, 0 % CPU)

  17. Kerberos Network Logon with PAC Validation (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; CPU labels in slide order: 60 % CPU, 14 % CPU, 0 % CPU)

  18. Basic Authentication (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; CPU labels in slide order: 5 % CPU, 0 % CPU)

  19. NTLM Performance Issues (diagram; labels: seven Clients, one Server, one DC; "7 concurrent", "40 sec.")

  20. NTLM Trusts (diagram; labels: D\User, A\Server, DC A, DC B, DC C, DC D)

  21. Kerberos Trusts (diagram; labels: D\User, A\Server, DC A, DC B, DC C, DC D)

  22. Windows Authentication We Want Kerberos, so what?

  23. Basic Facts
  • Do not use IP addresses
  • Configure SPN (service principal name)
  • Have time in sync
  • Use trusted identities to run services on Windows 2008 and newer
    • instead of AD user accounts
    • no PAC validation
  • Enable AES with Windows 2008 DFL
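As an added example (not part of the presentation), the following PowerShell script checks the Kerberos prerequisites listed on this slide for one service account: SPN registration and duplicates, AES support, whether the account is a trusted identity (MSA or computer account rather than an AD user), domain functional level, and clock offset against a DC. It assumes the ActiveDirectory RSAT module on a domain-joined host; the `$AccountName` parameter is an assumption.

```powershell
# Added example, not from the presentation: audit one account for the
# "Basic Facts" on the slide. Requires the ActiveDirectory module (RSAT).
param(
    [Parameter(Mandatory = $true)]
    [string]$AccountName    # sAMAccountName of the user, computer or MSA running the service
)
Import-Module ActiveDirectory

$obj = Get-ADObject -Filter { sAMAccountName -eq $AccountName } `
        -Properties servicePrincipalName, objectClass, 'msDS-SupportedEncryptionTypes'
if (-not $obj) { throw "Account '$AccountName' not found in Active Directory" }

# 1. SPNs: without an SPN for the name clients use, they silently fall back to NTLM.
$spns = @($obj.servicePrincipalName)
if ($spns.Count -eq 0) {
    Write-Warning "No SPN registered for $AccountName (clients will fall back to NTLM)"
} else {
    Write-Host "SPNs registered for ${AccountName}:"
    $spns | ForEach-Object { Write-Host "  $_" }
}

# 2. Duplicate SPNs: the same SPN on two accounts breaks Kerberos for both.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -Filter { servicePrincipalName -eq $spn })
    if ($owners.Count -gt 1) {
        Write-Warning "SPN $spn is registered on $($owners.Count) accounts: $($owners.Name -join ', ')"
    }
}

# 3. AES: bits 0x08 (AES128) and 0x10 (AES256) in msDS-SupportedEncryptionTypes.
#    An unset value (0) means the DC issues RC4 tickets for this account.
$enc = [int]($obj.'msDS-SupportedEncryptionTypes')
if (($enc -band 0x18) -eq 0) {
    Write-Warning "AES not enabled on $AccountName (msDS-SupportedEncryptionTypes = $enc)"
}
$mode = (Get-ADDomain).DomainMode
if ("$mode" -match '2000|2003') {
    Write-Warning "Domain functional level $mode is below Windows 2008: AES ticket keys unavailable"
}

# 4. Trusted identity: MSA or computer account, not a plain AD user account.
$trusted = @('msDS-ManagedServiceAccount', 'computer')
if ($trusted -notcontains $obj.objectClass) {
    Write-Warning "$AccountName is a '$($obj.objectClass)' object, not a trusted identity"
}

# 5. Time sync: Kerberos rejects tickets outside the allowed clock skew.
$dc = "$((Get-ADDomainController -Discover).HostName)"
w32tm /stripchart /computer:$dc /samples:1 /dataonly
```

Run it from an elevated PowerShell session on a domain member; each warning maps to one bullet on the slide.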

  24. Trusted Identities – Network Service

  25. Trusted Identities – Service Accounts

  26. Trusted Identities – AppPoolIdentity

  27. Trusted Identities – Managed Service Account

  28. Windows Authentication Identity Isolation FOR Services

  29. Identity Isolation
  • Services on a single machine
  • Services that access other back-end services

  30. Windows Identities

  31. Kerberos Underworld Smart Card Logon

  32. Smart Card Logon (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; App Traffic; Kerberos PKINIT: TGT: User, TGS: Server)

  33. Smart Card Logon and NTLM (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; NTLM Hash, TGT: User; NTLM Hash, TGS: Server)

  34. Smart Card Logon and NTLM (diagram; labels: Client 2000+, Server 2000+, DC 2000+ ×2; NTLM Hash, TGT: User; NTLM Hash, TGS: Server; NTLM Hash)

  35. Windows Authentication Delegation

  36. Kerberos Delegation
  • GeekRoom
  • Tuesday 14:15
  • Tuesday 15:45

  37. Windows Authentication Group Membership

  38. Group Membership Limits
  • AD Group in forest with 2000 FFL
    • 5000 direct members limit
  • AD Group in forest with 2003+ FFL
    • unlimited membership
  • Kerberos Ticket
    • network transport
    • limited to 8 kB on 2000 and XP
    • up to 12 kB on 2003+
  • HTTP.SYS header limits
    • 16 kB of Base-64 encoded tickets
  • Access Token
    • local representation of a logon
    • up to 1025 groups including local and system
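As an added example (not from the presentation), this PowerShell script resolves a user's nested group membership and estimates how close it comes to the limits on the slide. The size estimate uses Microsoft's documented formula from KB 327825 (1200 + 40·d + 8·s bytes), which is not on the slide; it assumes the ActiveDirectory module and takes the `$SamAccountName` parameter as an assumption.

```powershell
# Added example, not from the presentation: estimate ticket/token size for one user
# and compare it with the 8 kB / 12 kB / 16 kB Base64 / 1025-group limits on the slide.
param([Parameter(Mandatory = $true)][string]$SamAccountName)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
$dn   = $user.DistinguishedName

# Nested (transitive) membership in the user's own domain via LDAP_MATCHING_RULE_IN_CHAIN.
# Domain-local groups in other domains of a forest need the same query with -Server.
$groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties GroupScope)
$accountDomainSid = $user.SID.AccountDomainSid.Value

# KB 327825 estimate: d = domain-local groups + universal groups outside the account
# domain + SIDHistory entries; s = global groups + universal groups in the account domain.
$d = 0; $s = 0
foreach ($g in $groups) {
    $sameDomain = ($g.SID.AccountDomainSid.Value -eq $accountDomainSid)
    switch ($g.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
    }
}
if ($user.sIDHistory) { $d += $user.sIDHistory.Count }

$estimate = 1200 + 40 * $d + 8 * $s
$base64   = [math]::Ceiling($estimate / 3) * 4   # HTTP.SYS sees the ticket Base64-encoded

"Nested AD groups: {0}  (d = {1}, s = {2})" -f $groups.Count, $d, $s
"Estimated ticket/token size: {0} bytes, {1} bytes as Base64" -f $estimate, $base64

# The 1025 limit also counts local and well-known SIDs, so the AD count is a lower bound.
if ($groups.Count -gt 1025) { Write-Warning "More than 1025 groups: access token creation will fail" }
if ($estimate -gt 12KB) {
    Write-Warning "Estimate exceeds the 12 kB Kerberos ticket limit on 2003+ (8 kB on 2000/XP)"
} elseif ($estimate -gt 8KB) {
    Write-Warning "Estimate exceeds 8 kB: Windows 2000 and XP clients may fail to log on"
}
if ($base64 -gt 16KB) { Write-Warning "Base64 ticket exceeds the 16 kB HTTP.SYS header limit" }
```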

  39. Kerberos Ticket (PAC)

  40. Windows Authentication Takeaway

  41. Takeaway
  • Kerberos is the most secure, flexible and performance-efficient
  • Don’t be afraid and play with them!

  42. GOPAS TechEd 2012 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Thank you!
