GOPAS TechEd 2012: Kerberos Delegation
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com
Basic Delegation
[diagram: actors Client, Front-End Server, Back-End Server, DC; labels: Password, TGT: User, TGS: Back-End]
Kerberos Delegation Options
Kerberos Delegation Options
- Unconstrained Delegation
  - DFL (domain functional level) 2000
  - to any back-end service
  - user "knows" about it
- Constrained Delegation
  - DFL 2003
  - to listed back-end SPNs only
  - user does not know about it
- Constrained Delegation with Protocol Transition
Kerberos Delegation (Simplified)
[diagram: actors Client, Front-End Server, Back-End Server, DC; ticket labels: TGS: Front-End, TGT: User, TGS: Back-End, TGS: Front-End]
AD Delegation Requirements
- Front-end account must be able to read the tokenGroups and tokenGroupsGlobalAndUniversal attributes
  - granted through membership in Windows Authorization Access Group
  - requires the 2003 schema update
- User account must have delegation enabled
  - the "Account is sensitive and cannot be delegated" option must not be set on the user
Protocol Transition Requirements
- Protocol Transition requires "Act as part of the operating system" (SeTcbPrivilege) on the front-end
- Protocol Transition requires the front-end resource domain to be the same as the account domain
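The three delegation options and the account-side requirements above can be audited from a domain-joined session. The following PowerShell script is an added example, not part of the original slides; it assumes the ActiveDirectory module (RSAT) is installed and the caller can read user and computer objects. It classifies every account that has any delegation configured (unconstrained, constrained, or constrained with protocol transition), lists which users carry the "sensitive and cannot be delegated" flag, and shows who is in Windows Authorization Access Group. The userAccountControl bit values and the bitwise LDAP matching rule OID are documented Active Directory constants; the function and variable names are this example's own.

```powershell
# Added audit example (not from the original presentation).
# Assumes: ActiveDirectory module available, read access to the domain.
Import-Module ActiveDirectory

# Documented userAccountControl bits
$UF_TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
$UF_NOT_DELEGATED                  = 0x00100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition

# LDAP_MATCHING_RULE_BIT_AND lets us filter on individual UAC bits server-side
$bitAnd = '1.2.840.113556.1.4.803'
$delegationFilter = "(|(userAccountControl:$bitAnd:=$UF_TRUSTED_FOR_DELEGATION)" +
                    "(userAccountControl:$bitAnd:=$UF_TRUSTED_TO_AUTH_FOR_DELEGATION)" +
                    "(msDS-AllowedToDelegateTo=*))"
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

function Get-DelegationMode {
    # Maps an account's UAC bits and msDS-AllowedToDelegateTo to the slide's three options.
    param([int]$Uac, [string[]]$AllowedTo)
    if ($Uac -band $UF_TRUSTED_FOR_DELEGATION)         { return 'Unconstrained' }
    if ($Uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained+ProtocolTransition' }
    if ($AllowedTo -and $AllowedTo.Count -gt 0)         { return 'Constrained' }
    return 'None'
}

# 1. Front-end accounts (users or computers) with any delegation configured.
#    Domain controllers appear here by design: they are trusted for unconstrained delegation.
$frontEnds = @(Get-ADUser     -LDAPFilter $delegationFilter -Properties $props) +
             @(Get-ADComputer -LDAPFilter $delegationFilter -Properties $props)

$report = foreach ($acct in $frontEnds) {
    [pscustomobject]@{
        Name        = $acct.SamAccountName
        ObjectClass = $acct.ObjectClass
        Mode        = Get-DelegationMode -Uac $acct.userAccountControl -AllowedTo $acct.'msDS-AllowedToDelegateTo'
        AllowedTo   = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
        HasSPN      = [bool]$acct.servicePrincipalName
    }
}
"== Accounts configured for delegation =="
$report | Sort-Object Mode, Name | Format-Table -AutoSize

# 2. Users that can never be delegated, even by an unconstrained front-end.
"== Users marked 'sensitive and cannot be delegated' =="
Get-ADUser -LDAPFilter "(userAccountControl:$bitAnd:=$UF_NOT_DELEGATED)" |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Who may read tokenGroups / tokenGroupsGlobalAndUniversal (the front-end requirement).
"== Members of Windows Authorization Access Group =="
Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize
```

Run it as a reviewer rather than as a change: the first table tells you which front-end accounts hold the broadest rights (Unconstrained entries that are not domain controllers deserve a justification), the second shows which privileged users are protected from delegation at all, and the third confirms that a front-end service account actually sits in the group it needs for the tokenGroups read described on the slide.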
Kerberos with IIS 7+
- Providers
- Kernel Mode Authentication
  - SharePoint does not support it
- useAppPoolCredentials
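The three IIS settings on this slide interact: with kernel-mode authentication enabled, tickets are decrypted with the machine account's key unless useAppPoolCredentials is also set, so an application pool running under a custom domain account (the usual front-end for delegation, with the SPN registered on that account) needs the combination kernel mode on plus useAppPoolCredentials on. The following PowerShell script is an added example, not part of the original slides; it assumes IIS 7+ with the WebAdministration module available and runs locally as an administrator. It reads the providers, the kernel-mode flag and useAppPoolCredentials for every site and flags the mismatched combination; the function name and the output layout are this example's own.

```powershell
# Added IIS check example (not from the original presentation).
# Assumes: local IIS 7+ with the WebAdministration module, run elevated.
Import-Module WebAdministration

$authPath = 'system.webServer/security/authentication/windowsAuthentication'

function Test-IisKerberosSite {
    # Reports the Windows authentication settings of one site and whether the
    # kernel-mode / app-pool-identity combination is consistent for Kerberos.
    param([string]$SiteName)

    $site    = Get-Website -Name $SiteName
    $pool    = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $identity = $pool.processModel.identityType          # e.g. ApplicationPoolIdentity, SpecificUser

    $enabled   = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                    -Filter $authPath -Name enabled).Value
    $kernel    = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                    -Filter $authPath -Name useKernelMode).Value
    $appPoolCr = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                    -Filter $authPath -Name useAppPoolCredentials).Value
    $providers = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                    -Filter "$authPath/providers/add").value -join ', '

    # Custom identity + kernel mode + no useAppPoolCredentials: the ticket for the
    # app pool account's SPN would be decrypted with the wrong (machine) key.
    $customIdentity = ($identity -eq 'SpecificUser')
    $mismatch = $enabled -and $kernel -and $customIdentity -and -not $appPoolCr

    [pscustomobject]@{
        Site                  = $SiteName
        AppPool               = $site.applicationPool
        IdentityType          = $identity
        WindowsAuthEnabled    = $enabled
        Providers             = $providers
        UseKernelMode         = $kernel
        UseAppPoolCredentials = $appPoolCr
        NeedsAppPoolCreds     = $mismatch
    }
}

# Check every site on this server
$results = Get-Website | ForEach-Object { Test-IisKerberosSite -SiteName $_.Name }
$results | Format-Table -AutoSize

# Remediation for a flagged site (uncomment to apply): keep kernel mode, add useAppPoolCredentials.
# foreach ($r in $results | Where-Object NeedsAppPoolCreds) {
#     Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $r.Site `
#         -Filter $authPath -Name useAppPoolCredentials -Value $true
# }
```

The Providers column lets you confirm that Negotiate is listed before NTLM (otherwise the browser never offers a Kerberos ticket), and the NeedsAppPoolCreds flag isolates the one combination the slide's useAppPoolCredentials bullet exists to fix. For SharePoint, where kernel-mode authentication is not supported, the expected reading is UseKernelMode false with the SPN on the pool account.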
Protocol Transition
[diagram: actors Client, Front-End Server, Back-End Server, DC; labels: Nothing, Kamil, TGS: Back-End]
Thank you!