Kerberos Miha Pihler MVP – Enterprise Security Microsoft Certified Master | Exchange 2010.

About Speaker / Trainer Author

Agenda
- Understand how Kerberos works
  - Inside a domain
  - Inside a forest (across multiple domains)
  - Across forests
- Troubleshoot common Kerberos problems
  - What tools can we use

Kerberos / NTLM
You can practically disable NTLM and with this "force" Kerberos in your environment; with this you get higher security.
Before you do: if Kerberos fails, Windows silently falls back to NTLM, so you want to test Kerberos in your environment first and see what breaks (the "Network security: Restrict NTLM" audit policies on Windows 7 / Windows Server 2008 R2 and later log every NTLM authentication, which shows you what is still not using Kerberos).
After you disable NTLM, Kerberos has nothing to fall back to, so you had better make sure Kerberos is working and you know how to troubleshoot it.

Kerberos / Authentication Service (user authentication)
1) KRB_AS_REQ
1a – The user (PC) sends KRB_AS_REQ to the DC. In the packet are:
- User's name (e.g. Mike)
- Service name (e.g. krbtgt/corp.krneki.net): the client is asking for a Ticket Granting Ticket (TGT) that it will later present to the Ticket Granting Service (TGS)
- Pre-authentication data: a timestamp encrypted with a key derived from the user's password (a one-way function turns the password into the key, so the password itself never crosses the network)
1b – The KDC locates the user account (Mike) in its database and checks the pre-authentication data with the key stored on that account, which was derived with the same one-way function. If the timestamp decrypts correctly and is within the allowed clock skew (5 minutes by default), the user entered the correct password.
1c – KDC generates the packet for the client ....

Kerberos / Authentication Service (user authentication)
1) KRB_AS_REP
1c – KDC generates the packet for the client. In this packet are:
- A new logon session key, encrypted with the user account's master key
- The TGT, containing a second copy of the session key plus the authorization data; the TGT is encrypted with the KDC master key (the key of the krbtgt account), so the client can neither read nor alter it
1d – The client decrypts the session key with its own master key and stores the session key in its cache. It also caches the extracted (still encrypted) TGT.

Kerberos / AS Network Trace User Account

Kerberos / AS Network Trace Computer Account

Kerberos / Ticket Granting Service (user authentication)
2) KRB_TGS_REQ
2a – The user sends KRB_TGS_REQ to the DC. In the packet are:
- The service the user would like to access (its SPN, including the server name)
- An authenticator (user name and timestamp) encrypted with the user's logon session key (in the cache from the previous steps)
- The TGT from the previous steps
2b – KDC decrypts the TGT with its own master key (remember that the TGT was encrypted with the KDC master key) and extracts the user's logon session key. That session key is used to decrypt the authenticator, which is then validated (the name matches the TGT and the timestamp is within the clock skew).
At this stage a new session key is created; it will be used between the client and the service.
2) KRB_TGS_REP
2c – KDC generates the packet for the client. The new session key from 2b is in it twice:
- Once encrypted with Mike's logon session key (for the client)
- Once inside the service ticket, encrypted with the service account's (server$) master key (for the server)

Kerberos / TGS

Kerberos / Client Server Exchange (user authentication)
3) KRB_AP_REQ
3a – The PC sends KRB_AP_REQ to the service, in this case the DC itself (DC$). In the packet are:
- An authenticator encrypted with the session key shared with DC$
- The ticket for the session with DC$, encrypted with DC$'s master key
3) KRB_AP_REP
3b – If the client asked for mutual authentication, the DC answers with KRB_AP_REP encrypted with the session key, which proves it was able to open the ticket.

Client to server (user authentication to another server)
We already have a TGT from the AS exchange.
1a KRB_TGS_REQ – The PC sends KRB_TGS_REQ to the DC. In the packet are:
- What service and server we want to connect to (e.g. ldap/server1.corp.krneki.net)
- An authenticator (encrypted with the logon session key)
- The TGT that we already have
1b KRB_TGS_REP – The DC receives the TGS_REQ:
- DC decrypts the TGT with its master key
- It creates a new session key for the client/Server1 session
- It generates the reply packet: one copy of the session key protected with the user's logon session key, and a second copy protected with Server1's master key (inside the service ticket)

Client to server (user authentication to another server, cont.)
2a KRB_AP_REQ – We are ready to talk to Server1 (server1.corp.krneki.net). We send the KRB_AP_REQ packet; in the packet are:
- An authenticator protected with the Server1 session key
- The ticket that we received from the DC for Server1, protected with Server1's master key
2b KRB_AP_REP – Server1 decrypts the ticket with its own master key, takes the session key out of it and uses that key to decrypt and check the authenticator. If everything is OK it sends back KRB_AP_REP.

Client to server
If we want to connect to another server (Server2) we have to repeat the whole KRB_TGS_REQ and KRB_AP_REQ procedure: the TGT is reused, but every service (every SPN) needs its own service ticket.
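The whole flow from the slides above (AS exchange, TGS exchange, AP exchange) as one runnable toy, added here as an example; it is not code from the presentation or from Windows. The cipher is a stand-in (HMAC-SHA256 keystream plus tag) rather than a real Kerberos encryption type, the names Mike, server1 and corp.krneki.net mirror the slides, and the passwords, PAC content and error codes chosen for each failure are this example's own assumptions. It also shows three of the failure modes the slides care about: wrong password (pre-authentication fails), a service whose SPN nobody has registered, and an expired TGT.

```python
# Added example: toy Kerberos AS / TGS / AP exchange. Not Microsoft's or the speaker's code.
import hashlib, hmac, json, os

REALM = "CORP.KRNEKI.NET"
CLOCK_SKEW = 300              # 5 min, default "Maximum tolerance for computer clock synchronization"
TICKET_LIFETIME = 10 * 3600   # 10 h, the default ticket lifetime quoted on the slides

class KerberosError(Exception):
    pass

def string_to_key(password: str, salt: str) -> bytes:
    """One-way function from password to the account's master key (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR plaintext, then an HMAC tag. Not a real etype."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KerberosError("KRB_AP_ERR_BAD_INTEGRITY")     # wrong key or tampered data
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Domain controller side: account database, AS exchange and TGS exchange."""
    def __init__(self):
        self.accounts = {}    # principal -> {"key": master key, "spns": registered SPNs}

    def add_account(self, name, password, spns=()):
        self.accounts[name] = {"key": string_to_key(password, REALM + name),
                               "spns": {s.lower() for s in spns}}

    def as_exchange(self, user, preauth, now):
        """KRB_AS_REQ -> KRB_AS_REP: check pre-auth, return (encrypted session key, TGT)."""
        acct = self.accounts.get(user)
        if acct is None:
            raise KerberosError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        try:
            ts = decrypt(acct["key"], preauth)["timestamp"]   # only the password-derived key opens it
        except KerberosError:
            raise KerberosError("KDC_ERR_PREAUTH_FAILED")
        if abs(ts - now) > CLOCK_SKEW:
            raise KerberosError("KRB_AP_ERR_SKEW")
        session_key = os.urandom(32)
        tgt = encrypt(self.accounts["krbtgt"]["key"],          # TGT readable only by the KDC
                      {"cname": user, "key": session_key.hex(), "endtime": now + TICKET_LIFETIME,
                       "pac": {"groups": ["Domain Users"]}})   # constructed authorization data
        return encrypt(acct["key"], {"key": session_key.hex(), "sname": f"krbtgt/{REALM}"}), tgt

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """KRB_TGS_REQ -> KRB_TGS_REP: open the TGT, check the authenticator, issue a service ticket."""
        t = decrypt(self.accounts["krbtgt"]["key"], tgt)
        if now > t["endtime"]:
            raise KerberosError("KRB_AP_ERR_TKT_EXPIRED")
        logon_key = bytes.fromhex(t["key"])
        a = decrypt(logon_key, authenticator)
        if a["cname"] != t["cname"] or abs(a["timestamp"] - now) > CLOCK_SKEW:
            raise KerberosError("KRB_AP_ERR_BADMATCH")
        owners = [n for n, acc in self.accounts.items() if spn.lower() in acc["spns"]]
        if len(owners) != 1:      # missing SPN; a duplicate SPN is also failed closed here (this example's choice)
            raise KerberosError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        svc_key = os.urandom(32)
        ticket = encrypt(self.accounts[owners[0]]["key"],      # server$ master key
                         {"cname": t["cname"], "sname": spn, "key": svc_key.hex(),
                          "endtime": now + TICKET_LIFETIME, "pac": t["pac"]})
        return encrypt(logon_key, {"key": svc_key.hex(), "sname": spn}), ticket

def ap_exchange(server_key, ticket, authenticator, now):
    """Server side of KRB_AP_REQ -> KRB_AP_REP: the server opens the ticket with its own master key."""
    t = decrypt(server_key, ticket)
    svc_key = bytes.fromhex(t["key"])
    a = decrypt(svc_key, authenticator)
    if a["cname"] != t["cname"] or abs(a["timestamp"] - now) > CLOCK_SKEW or now > t["endtime"]:
        raise KerberosError("KRB_AP_ERR_BADMATCH")
    # KRB_AP_REP (mutual authentication): echo the authenticator timestamp under the session key
    return t["cname"], t["pac"], encrypt(svc_key, {"timestamp": a["timestamp"]})

def client_logon(kdc, user, password, now):
    key = string_to_key(password, REALM + user)
    as_rep, tgt = kdc.as_exchange(user, encrypt(key, {"timestamp": now}), now)
    return {"user": user, "logon_key": bytes.fromhex(decrypt(key, as_rep)["key"]), "tgt": tgt}

def client_access_service(kdc, cache, spn, server_key, now):
    """TGS exchange, then AP exchange. server_key stands in for the server process; the client never sees it."""
    auth = encrypt(cache["logon_key"], {"cname": cache["user"], "timestamp": now})
    tgs_rep, ticket = kdc.tgs_exchange(cache["tgt"], auth, spn, now)
    svc_key = bytes.fromhex(decrypt(cache["logon_key"], tgs_rep)["key"])
    cname, pac, ap_rep = ap_exchange(server_key, ticket,
                                     encrypt(svc_key, {"cname": cache["user"], "timestamp": now}), now)
    return cname, pac, decrypt(svc_key, ap_rep)["timestamp"] == now

def run_scenarios(now):
    kdc = KDC()
    kdc.add_account("krbtgt", "kdc-master-secret")                      # constructed secrets
    kdc.add_account("Mike", "correct horse")
    kdc.add_account("server1$", "machine-secret", spns=["ldap/server1.corp.krneki.net"])
    srv = kdc.accounts["server1$"]["key"]
    cache = client_logon(kdc, "Mike", "correct horse", now)
    cname, pac, mutual = client_access_service(kdc, cache, "ldap/server1.corp.krneki.net", srv, now)
    res = {"authenticated_as": cname, "groups": pac["groups"], "mutual_ok": mutual}
    for label, fn in [("wrong_password", lambda: client_logon(kdc, "Mike", "wrong", now)),
                      ("missing_spn", lambda: client_access_service(kdc, cache, "ldap/server2.corp.krneki.net", srv, now)),
                      ("expired_tgt", lambda: client_access_service(kdc, cache, "ldap/server1.corp.krneki.net", srv, now + TICKET_LIFETIME + 1))]:
        try:
            fn(); res[label] = "OK"
        except KerberosError as e:
            res[label] = str(e)
    return res

if __name__ == "__main__":
    import time
    print(run_scenarios(int(time.time())))
```

Note which key opens which blob: the client's password key only ever decrypts the AS-REP, the krbtgt key only the TGT, and server1$'s key only its own service ticket. That is also why a service ticket encrypted for the wrong account (an SPN registered on the wrong object, see the SPN slides) fails on the server with an integrity error even though the KDC happily issued it.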

SPN / Service Principal Name
A very important component of Kerberos: the SPN (service class/host[:port]) is what the client puts in KRB_TGS_REQ, and the KDC uses it to find the account whose master key encrypts the service ticket.

SPN / Service Principal Name (cont.)
Very often the source of Kerberos problems:
- Missing SPNs
- SPNs registered on the wrong objects
- Multiple objects sharing the same SPN
Tools that we can use to troubleshoot:
- setspn.exe: setspn -X looks for duplicate SPNs; setspn can also register SPNs on an object
- ADSIEdit, LDP, ...

SPN / Service Principal Name (cont.): sPNMappings
The sPNMappings attribute (on the Directory Service object in the Configuration partition) lists service classes, e.g. http and cifs, that the KDC resolves to the HOST/ SPN of the computer account when no explicit SPN of that class is registered. That is why a default IIS site works without an http/ SPN.

SPN / Service Principal Name (cont.): setspn.exe
setspn -A MSSQLSvc/server1.corp.krneki.net:1433 CORPDC1
On Windows Server 2008 and later prefer setspn -S, which first checks that the SPN is not already registered on another object and refuses to create a duplicate.

Common scenarios and problems: User to Web Server, Web Server to SQL DB
Client -> dc1.corp.krneki.net: 1) KRB_TGS_REQ for http/intranet.corp.krneki.net. The DC must find this SPN!
Client -> intranet.corp.krneki.net (IIS) -> sqlcl1.corp.krneki.net (SQL)
If IIS is running as Network Service, the SPN must be registered on the web server's computer account.

Common scenarios and problems: User to Web Server, Web Server to SQL DB (cont.)
Client -> dc1.corp.krneki.net: 1) KRB_TGS_REQ for http/intranet.corp.krneki.net. The DC must find this SPN!
The IIS server then needs to talk to SQL (sqlcl1.corp.krneki.net):
- It needs to authenticate to the DC itself
- It sends KRB_TGS_REQ for MSSQLSvc/server7.corp.krneki.net:1433, and the DC must find this SPN too!

Common scenarios and problems: User to Web Server, Web Server to SQL DB (cont.)
Client -> dc1.corp.krneki.net: 1) KRB_TGS_REQ for http/intranet.corp.krneki.net. The DC must find this SPN!
If IIS is running with a custom account (Server1.corp.krneki.net in the diagram), the SPN http/intranet... must be registered on this custom account!
If SQL (sqlcl1.corp.krneki.net) is running under a dedicated account, the MSSQLSvc SPN must be registered on that account.

Common scenarios and problems
If you change from the Computer account or Network Service to a custom account in your environment, don't forget to:
- Remove the SPNs from the Computer account
- Add the SPNs to the custom service account
Always remember, there can be only one ;-)
- An SPN can be registered on only one object at a time
- You can use setspn -X to test your environment and find all duplicate SPNs

Common scenarios and problems
Easiest way to troubleshoot Client - Web - SQL: use Network Monitor
- Install Network Monitor on the client and see what SPN the client is sending for, e.g., the web server. Make sure that SPN is registered on the CORRECT object.
- Install Network Monitor on the web server and see what SPN the web server is using to address SQL. Make sure that SPN is registered on the CORRECT object.

Across Domain and Forest
When the client specifies where it wants to connect (specifies the SPN), the DC looks in its database for that SPN. If it can't find it in its local domain it queries a GC (Global Catalog) to see whether the SPN exists anywhere in the forest. If it does, the DC sends the client a referral (a cross-realm TGT) for the domain that owns the SPN, and the client repeats the TGS request at a domain controller in that domain.

Across Domain and Forest
If we have a Forest Trust, the DC checks the TDO (Trusted Domain Object). The TDO contains information about the trusted forest:
- Name suffix routing: which domain suffixes (UPN and SPN suffixes) are routed to the other forest
- This information is stored in the TDO and replicated to the Global Catalogs in the forest, so any DC can decide where to refer a request
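The SPN rules from the slides above (lookup in the local domain, then the Global Catalog for a referral, the HOST/ fallback from sPNMappings, duplicate SPNs, and "is the SPN on the account the service actually runs as?") as one small model, added here as an example and not taken from the presentation or from setspn.exe itself. The directory it searches is constructed inline; the hostnames mirror the slides, while the account names (svc_iis, svc_sql, INTRANET$, SQLCL1$, FS1$) and the second domain emea.krneki.net are assumptions. The duplicate MSSQLSvc SPN is the situation the "there can be only one" slide warns about, left behind after SQL was moved to a dedicated account.

```python
# Added example: model of KDC SPN resolution and the setspn -X / "right object?" checks.
# Not code from the slides or from Microsoft; the directory is constructed.

# Constructed directory: each entry is one account object with its servicePrincipalName values
DIRECTORY = [
    {"domain": "corp.krneki.net", "name": "INTRANET$", "spns": ["HOST/intranet", "HOST/intranet.corp.krneki.net"]},
    {"domain": "corp.krneki.net", "name": "svc_iis",   "spns": ["http/intranet.corp.krneki.net"]},
    {"domain": "corp.krneki.net", "name": "SQLCL1$",   "spns": ["HOST/sqlcl1.corp.krneki.net",
                                                                "MSSQLSvc/sqlcl1.corp.krneki.net:1433"]},  # stale
    {"domain": "corp.krneki.net", "name": "svc_sql",   "spns": ["MSSQLSvc/sqlcl1.corp.krneki.net:1433"]},
    {"domain": "emea.krneki.net", "name": "FS1$",      "spns": ["HOST/fs1.emea.krneki.net", "cifs/fs1.emea.krneki.net"]},
]

# Subset of the default sPNMappings value: these service classes fall back to HOST/<instance>
HOST_MAPPED = {"http", "www", "cifs", "rpc", "dns", "time"}

def find_duplicates(directory):
    """What setspn -X reports: SPNs registered on more than one object (SPNs compare case-insensitively)."""
    owners = {}
    for obj in directory:
        for spn in obj["spns"]:
            owners.setdefault(spn.lower(), []).append(obj["name"])
    return {spn: names for spn, names in owners.items() if len(names) > 1}

def _owners(spn, objects):
    return [o for o in objects if spn.lower() in (s.lower() for s in o["spns"])]

def lookup_spn(spn, client_domain, directory):
    """KDC-side resolution of the SPN in a KRB_TGS_REQ. Returns (status, detail):
       ("local", owner)      this domain's KDC can issue the ticket, encrypted with owner's key
       ("referral", domain)  found through the Global Catalog in another domain of the forest
       ("duplicate", names)  more than one object claims the SPN
       ("missing", None)     KDC_ERR_S_PRINCIPAL_UNKNOWN
    """
    service_class, _, instance = spn.partition("/")
    candidates = [spn]
    if service_class.lower() in HOST_MAPPED:
        candidates.append("HOST/" + instance)          # sPNMappings fallback to the computer account
    for scope in ("local", "gc"):                       # local domain first, then the rest of the forest
        objs = [o for o in directory if (o["domain"] == client_domain) == (scope == "local")]
        for cand in candidates:
            hits = _owners(cand, objs)
            if len(hits) > 1:
                return "duplicate", [h["name"] for h in hits]
            if hits:
                return ("local", hits[0]["name"]) if scope == "local" else ("referral", hits[0]["domain"])
    return "missing", None

def audit_service(spn, domain, host_account, runs_as, directory):
    """The check from the slides: is the SPN on the account whose key will decrypt the ticket?
       Services running as LocalSystem or Network Service present the computer account (host$)."""
    expected = host_account if runs_as in ("LocalSystem", "NetworkService") else runs_as
    status, detail = lookup_spn(spn, domain, directory)
    if status == "duplicate":
        return f"duplicate: {spn} is on {', '.join(detail)}; remove it from the stale object (setspn -D)"
    if status == "missing":
        return f"missing: register it with setspn -S {spn} {expected}"
    if status == "referral":
        return f"ok (served by a referral to {detail})"
    if detail.lower() == expected.lower():
        return "ok"
    return f"wrong object: {spn} is on {detail} but the service runs as {expected}"

if __name__ == "__main__":
    print("setspn -X would report:", find_duplicates(DIRECTORY))
    for spn in ["http/intranet.corp.krneki.net", "HTTP/sqlcl1.corp.krneki.net",
                "cifs/fs1.emea.krneki.net", "MSSQLSvc/sqlcl1.corp.krneki.net:1433"]:
        print(spn, "->", lookup_spn(spn, "corp.krneki.net", DIRECTORY))
    print(audit_service("http/intranet.corp.krneki.net", "corp.krneki.net", "INTRANET$", "NetworkService", DIRECTORY))
```

The "wrong object" case is the one Network Monitor makes visible: the client sends http/intranet.corp.krneki.net, the KDC finds it on svc_iis and encrypts the ticket with that account's key, but IIS running as Network Service only holds INTRANET$'s key and cannot open the ticket, so the user gets an authentication failure while the DC sees nothing wrong. Comparing the SPN on the wire with the object it is registered on, as the troubleshooting slide recommends, is exactly what audit_service does.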

Group Policies and Kerberos
Default settings defining Kerberos (Default Domain Policy, Account Policies / Kerberos Policy):
- Service ticket by default valid for 10 hours (600 minutes)
- User ticket (TGT) by default valid for 10 hours, renewable for up to 7 days
- Maximum tolerance for computer clock synchronization: 5 minutes (a larger skew makes authenticators and pre-authentication fail)

Group Policies and Kerberos
Forest search order: the "Use forest search order" Kerberos and KDC policies, available from Windows 7 and Windows Server 2008 R2, list the forests the client and the KDC should try when an SPN is not found in the local forest.

Summary
- Before you switch to pure Kerberos, make sure it is working and is not falling back to NTLM
- Pay attention to SPNs or Kerberos will not work!
- Easiest way to troubleshoot is to use Network Monitor

Q&A