Windows NT® Single Sign On: BackOffice® Applications (Part I)
Peter Brundrett, Program Manager, Windows NT Security, Microsoft Corporation


Agenda
- Windows NT single sign on
- Kerberos v5 authentication and SSPI
- Three-tier security delegation
- Windows NT authorization

Single Sign On Issues
- User issue
    - Too many passwords to remember
- Administrator issue
    - Too many places to define user accounts
    - Hard to determine user access
- Security issue
    - Clear text passwords
    - Hard to disable an account
- IT Manager issue
    - Heterogeneous computer systems

Single Sign On Goals
- User
    - Logon once to the enterprise
    - Use few passwords, ideally one!
- Administrator
    - Create user account once
    - Assign access based on roles
    - Manage accounts across systems
- Security administrator
    - Define and verify security policies

Windows NT Single Sign On
- Single account store in Active Directory
- Integrated Kerberos v5 logon
    - Key Distribution Center (KDC)
- Protected store for public key credentials
- Industry standard network security protocols
    - Kerberos, SSL/TLS, others

Smart Card Logon
(Figure: smart card logon flow; labels on the slide: PK, Kerberos, Profile, Certs, Keys, Internet Explorer, TGT)
- Private key and certificate on card
- Public key domain authentication
- Domain credentials
    - Obtain Kerberos TGT and NTLM credentials
- User profile for other keys and certificates

Windows NT Single Sign On
- Standards-based distributed system infrastructure
- Well documented APIs for developers
- Platform services used in applications
- Integrated logon to strategic platforms
- Integrated Windows NT authorization

Integrated Single Sign On Today
(Figure: services that already share the single sign on: File and Print Services, Exchange, SQL Server, Internet Information Server, Proxy, Remote Access, SNA Server, and "your app HERE"; the Internet / public network sits outside)

BackOffice Logo Program
- Security requirements for client/server applications
- Core baseline requirements
- Windows NT authentication
    - NTLM for Windows NT 4.0
    - Kerberos v5 for Windows NT 5.0
- Benefits
    - Easier administration, stronger security
    - Intranet ready!

Secure Applications
- Connection authentication
    - Establish credentials
    - Mutual authentication of client and server
- Secure communication
    - Message privacy and integrity
- Impersonation and delegation
    - Assuming client's identity
- Authorization and auditing
    - Using security descriptors

Security Support Provider Interface
(Figure: client and server each call SSPI into the Kerberos security package; the tokens travel between them inside the application protocol)
- Application protocol carries all data
- Kerberos SSP manages security context

Connection Authentication
- Client side
    - Acquire credentials (default or alternate)
    - Initialize security context
    - Initiate connection
- Server side
    - Acquire credentials (default or alternate)
    - Accept client's security context

Example: SSPI
- Security package name
    - "Kerberos" or "Negotiate"
    - Negotiate package will choose Kerberos
- Authentication
    - InitializeSecurityContext
    - AcceptSecurityContext
- Impersonation

Impersonation
- Security contexts
    - Access token associated with processes and threads
    - Primary token
    - Client token
- Impersonation
    - Accessing system resources on client's behalf
    - Access check and auditing on private resources

Impersonation API
- Using SSPI
    - ImpersonateSecurityContext
    - RevertSecurityContext
- Using RPC
    - RpcImpersonateClient
    - RpcRevertToSelf
    - RpcRevertToSelfEx

    SECURITY_STATUS ImpersonateSecurityContext(PCtxtHandle phContext);
    SECURITY_STATUS RevertSecurityContext(PCtxtHandle phContext);   // takes the same context handle
    RPC_STATUS RpcImpersonateClient(RPC_BINDING_HANDLE pBinding);
    RPC_STATUS RpcRevertToSelf(void);

Impersonation API
- Using DCOM
    - IServerSecurity
    - CoImpersonateClient
    - CoRevertToSelf
- For HTTP, Internet Information Server impersonates the client
    - ISAPI runs in the client's context

    HRESULT CoImpersonateClient(void);
    HRESULT CoRevertToSelf(void);
    HRESULT IServerSecurity::ImpersonateClient();
    HRESULT IServerSecurity::RevertToSelf();

Where Does SSPI Fit In
(Figure: layer diagram with Application at the top; DCOM security, Authenticated RPC and WinInet above SSPI; the Kerberos and SChannel (public key) security providers below SSPI; Crypto API at the bottom)

Kerberos Authentication
- Kerberos service uses Active Directory
- Implemented by SSPI security provider
- Mutual authentication
- Supports 3-tier delegation
- Windows NT access control
- Standards-based interoperability

Cross-platform Strategy
(Figure: a Windows NT workstation using SSPI and the Kerberos SSP obtains a ticket from the Windows NT KDC and talks over the application protocol to a Unix server that uses GSS-API with the GSS Kerberos mechanism; both sides exchange the GSS-Kerb5 token formats of RFC 1964)
- Common Kerberos domain
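What the two sides of that figure actually put on the wire is an RFC 2743 InitialContextToken: a 0x60 tag, a DER length, the Kerberos mechanism OID, and then the RFC 1964 token (a two-byte TOK_ID followed by the KRB_AP_REQ). The parser below is an added example, not code from the deck or from Microsoft; it recognises the framing on the Kerberos token and, going slightly beyond the slide, the SPNEGO wrapper that the "Negotiate" package emits and a raw NTLMSSP message. All struct and function names are this example's own, and the sample tokens are constructed with placeholder bodies in place of real Kerberos data.

```c
/* Added example: parse the GSS-API / RFC 1964 token framing. Not the deck's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { MECH_UNKNOWN = 0, MECH_KRB5, MECH_MS_KRB5, MECH_SPNEGO, MECH_NTLM } mech_t;

typedef struct {
    mech_t   mech;
    uint16_t tok_id;     /* RFC 1964 TOK_ID: 0x0100 AP-REQ, 0x0200 AP-REP, 0x0300 KRB-ERROR */
    uint32_t ntlm_type;  /* NTLMSSP message type: 1 negotiate, 2 challenge, 3 authenticate */
    size_t   body_len;   /* bytes of mechanism data that follow the header */
} gss_token_info_t;

/* Mechanism OIDs as DER-encoded on the wire (tag 0x06, length, contents). */
static const uint8_t OID_KRB5[]    = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_MS_KRB5[] = {0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.48018.1.2.2 */
static const uint8_t OID_SPNEGO[]  = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02};                /* 1.3.6.1.5.5.2 */

/* Decode a DER length field; returns the bytes it occupies, or 0 if malformed. */
static size_t der_length(const uint8_t *p, size_t avail, size_t *out) {
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out = (*out << 8) | p[1 + i];
    return 1 + n;
}

static int match_oid(const uint8_t *p, size_t rest, const uint8_t *oid, size_t oid_len) {
    return rest >= oid_len && memcmp(p, oid, oid_len) == 0;
}

/* Parse an InitialContextToken: 0x60, DER length, mechanism OID, then the
 * mechanism's own data (for RFC 1964: 2-byte TOK_ID followed by the KRB message).
 * Raw NTLMSSP messages, which carry no GSS framing, are recognised as well.
 * Returns 0 on success, -1 when the bytes are not a well-formed token. */
static int parse_gss_token(const uint8_t *buf, size_t len, gss_token_info_t *info) {
    memset(info, 0, sizeof *info);
    if (len >= 12 && memcmp(buf, "NTLMSSP", 8) == 0) {      /* compares the trailing NUL too */
        info->mech = MECH_NTLM;
        info->ntlm_type = (uint32_t)buf[8] | ((uint32_t)buf[9] << 8) |
                          ((uint32_t)buf[10] << 16) | ((uint32_t)buf[11] << 24);
        info->body_len = len - 12;
        return 0;
    }
    if (len < 2 || buf[0] != 0x60) return -1;
    size_t inner = 0;
    size_t hdr = der_length(buf + 1, len - 1, &inner);
    if (hdr == 0 || 1 + hdr + inner != len) return -1;     /* length must cover exactly the rest */
    const uint8_t *p = buf + 1 + hdr;
    size_t rest = inner;
    if (match_oid(p, rest, OID_SPNEGO, sizeof OID_SPNEGO)) {
        info->mech = MECH_SPNEGO;                           /* body is a NegTokenInit, not RFC 1964 */
        info->body_len = rest - sizeof OID_SPNEGO;
        return 0;
    }
    if (match_oid(p, rest, OID_KRB5, sizeof OID_KRB5)) {
        info->mech = MECH_KRB5;    p += sizeof OID_KRB5;    rest -= sizeof OID_KRB5;
    } else if (match_oid(p, rest, OID_MS_KRB5, sizeof OID_MS_KRB5)) {
        info->mech = MECH_MS_KRB5; p += sizeof OID_MS_KRB5; rest -= sizeof OID_MS_KRB5;
    } else {
        return -1;
    }
    if (rest < 2) return -1;
    info->tok_id = (uint16_t)((p[0] << 8) | p[1]);
    info->body_len = rest - 2;
    return 0;
}

/* Scalar accessors (-1 on parse failure) so results are easy to check. */
static long mech_of(const uint8_t *b, size_t n)      { gss_token_info_t i; return parse_gss_token(b, n, &i) ? -1 : (long)i.mech; }
static long tok_id_of(const uint8_t *b, size_t n)    { gss_token_info_t i; return parse_gss_token(b, n, &i) ? -1 : (long)i.tok_id; }
static long ntlm_type_of(const uint8_t *b, size_t n) { gss_token_info_t i; return parse_gss_token(b, n, &i) ? -1 : (long)i.ntlm_type; }

/* Constructed samples: the headers are real encodings, the bodies are placeholders. */
static const uint8_t krb_ap_req_token[] = {
    0x60, 0x11, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, 0x01,0x00, 0xaa,0xbb,0xcc,0xdd };
static const uint8_t spnego_token[] = {
    0x60, 0x0a, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x00 };
static const uint8_t ntlm_type1_token[] = {
    'N','T','L','M','S','S','P',0, 0x01,0x00,0x00,0x00, 0x07,0x82,0x08,0xa2 };

int main(void) {
    const uint8_t *samples[] = { krb_ap_req_token, spnego_token, ntlm_type1_token };
    const size_t sizes[] = { sizeof krb_ap_req_token, sizeof spnego_token, sizeof ntlm_type1_token };
    for (size_t i = 0; i < 3; i++) {
        gss_token_info_t info;
        int rc = parse_gss_token(samples[i], sizes[i], &info);
        printf("sample %zu: rc=%d mech=%d tok_id=0x%04x ntlm_type=%u body=%zu bytes\n",
               i, rc, (int)info.mech, info.tok_id, info.ntlm_type, info.body_len);
    }
    return 0;
}
```

In an HTTP exchange the same bytes arrive base64-encoded in the Negotiate header, so a base64 decode goes in front of this parser; the strict length check (the DER length must cover exactly the remaining bytes) is what keeps a truncated or padded token from being mistaken for a valid one.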

Three-Tier Security Delegation
- End-to-end user authentication
- Application requires data from several sources
- Flexibility to separate Web server from back-end data servers
- Single user account
    - Simplify user management
- Access control through groups

Example: Delegation in Action
(Figure: client, Server-A running IIS with an ISAPI extension, Server-B running SQL Server, and the KDC)
1. Client request; IIS replies Access Denied with WWW-Authenticate: Negotiate
2. Ticket request to KDC
3. WWW-Authenticate: Negotiate (client resends the request with its Negotiate token)
4. IIS impersonates client, invokes ISAPI extension
5. ASP uses ADO to query SQL; integrated security requests ticket
6. SQL Server impersonates original client, then data access

Configuration Setup
- Windows NT 5.0 with Kerberos protocol
    - Internet Information Server
    - SQL Server™
- Client is Windows NT 5.0 or Windows® 95/98
    - With Distributed Systems client update
- Internet Information Server virtual directory uses "Windows NT Authentication"
- SQL Server is using Integrated Security

Trusted For Delegation
- Delegation means...
    - Server can do anything on behalf of client
    - Trusted not to run unauthorized services
    - Enabled on per-server basis
- Enable on the computer object in Active Directory
- Do not assume delegation is always enabled!

Windows NT Authorization
- What is the client allowed to do?
- Single sign on is not sufficient
    - Centralize authorization through roles
    - Windows NT group membership
- Integrate authentication with server security model
    - Windows NT object security model

Object Access Control
(Figure: a secure server handling a client access request: impersonate client, get the object's security descriptor from the private store, get the client's access token, perform the access check, return the response; encrypted files shown as an example of a protected resource)

AccessCheck

    …
    // COM server impersonates client
    CoImpersonateClient();
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD);   // your own routine
    // Obtain client's token (the impersonation token on this thread)
    Status = OpenThreadToken(…, &Token);
    // Perform access check
    Status = AccessCheck(SD, Token, DesiredAccess, GenericMapping,
                         &PrivsUsed, &PrivLength, &GrantedAccess, &Allowed);
    // Act as per the result
    if (Allowed) { … }
    // … then CoRevertToSelf() once work on the client's behalf is done

AccessCheckAndAuditAlarm

    …
    // Impersonate client
    CoImpersonateClient();
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD);   // your own routine
    // Perform access check and audit (uses the impersonated client's token)
    Status = AccessCheckAndAuditAlarm(L"YourServerName", Object,
                                      L"ObjectTypeName", L"ObjectName",
                                      SD, DesiredAccess, GenericMapping, FALSE,
                                      &GrantedAccess, &Allowed, &OnClose);
    // Act as per the result
    if (Allowed) { … }
    // … then CoRevertToSelf() once work on the client's behalf is done
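The two slides above hand the security descriptor, the client's token and a generic mapping to AccessCheck and act on the Allowed result; the decision rule inside that call is what a developer has to reason about when writing a DACL. The following is an added example, not code from the deck or from Windows: a portable model of the DACL walk AccessCheck performs, with GENERIC_* mapping, deny-before-allow evaluation, and the no-DACL / empty-DACL edge cases. The type names, the imaginary "document" object rights, and the SIDs, ACEs and tokens are all constructed for this example; owner rights, privileges and MAXIMUM_ALLOWED are left out.

```c
/* Added example: a portable model of the DACL evaluation behind AccessCheck. Not the deck's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic rights live in the top bits of an access mask, as in Win32. */
#define GEN_READ    0x80000000u
#define GEN_WRITE   0x40000000u
#define GEN_EXECUTE 0x20000000u
#define GEN_ALL     0x10000000u
#define GEN_BITS    (GEN_READ | GEN_WRITE | GEN_EXECUTE | GEN_ALL)

/* Object-specific rights of this example's imaginary "document" object. */
#define DOC_READ    0x0001u
#define DOC_WRITE   0x0002u
#define DOC_EXECUTE 0x0004u
#define DOC_ALL     (DOC_READ | DOC_WRITE | DOC_EXECUTE)

typedef uint32_t sid_t;                                        /* a SID, modelled as an integer */
typedef enum { ACE_ALLOW, ACE_DENY } ace_type_t;
typedef struct { ace_type_t type; sid_t sid; uint32_t mask; } ace_t;
typedef struct { bool has_dacl; const ace_t *aces; size_t count; } sd_t;
typedef struct { const sid_t *sids; size_t count; } token_t;   /* user SID plus group SIDs */
typedef struct { uint32_t read, write, execute, all; } generic_mapping_t;

static const generic_mapping_t doc_mapping = { DOC_READ, DOC_WRITE, DOC_EXECUTE, DOC_ALL };

/* Replace GENERIC_* bits with the object-specific rights they stand for. */
static uint32_t map_generic(uint32_t mask, const generic_mapping_t *gm) {
    uint32_t out = mask & ~GEN_BITS;
    if (mask & GEN_READ)    out |= gm->read;
    if (mask & GEN_WRITE)   out |= gm->write;
    if (mask & GEN_EXECUTE) out |= gm->execute;
    if (mask & GEN_ALL)     out |= gm->all;
    return out;
}

static bool token_has_sid(const token_t *tok, sid_t sid) {
    for (size_t i = 0; i < tok->count; i++)
        if (tok->sids[i] == sid) return true;
    return false;
}

/* The DACL walk: no DACL grants everything and an empty DACL grants nothing;
 * ACEs are visited in order, a deny ACE whose trustee is in the token fails the
 * check if it covers any still-outstanding bit, allow ACEs accumulate bits, and
 * the walk stops as soon as every desired bit has been granted. */
static bool access_check(const sd_t *sd, const token_t *tok, uint32_t desired,
                         const generic_mapping_t *gm, uint32_t *granted) {
    uint32_t want = map_generic(desired, gm), have = 0;
    *granted = 0;
    if (!sd->has_dacl) { *granted = want; return true; }
    for (size_t i = 0; i < sd->count && (want & ~have) != 0; i++) {
        const ace_t *ace = &sd->aces[i];
        if (!token_has_sid(tok, ace->sid)) continue;
        uint32_t m = map_generic(ace->mask, gm);
        if (ace->type == ACE_DENY) {
            if (m & want & ~have) return false;
        } else {
            have |= m & want;
        }
    }
    if ((want & ~have) != 0) return false;
    *granted = want;
    return true;
}

/* Constructed sample data: SIDs, a canonically ordered DACL (deny ACEs first) and two
 * client tokens: Alice (an editor) and Bob (an editor who is also a contractor). */
enum { SID_ALICE = 1, SID_BOB = 2, SID_EVERYONE = 100, SID_EDITORS = 200, SID_CONTRACTORS = 300 };
static const ace_t sample_aces[] = {
    { ACE_DENY,  SID_CONTRACTORS, DOC_WRITE },
    { ACE_ALLOW, SID_EVERYONE,    DOC_READ },
    { ACE_ALLOW, SID_EDITORS,     DOC_WRITE | DOC_EXECUTE },
};
static const sd_t sample_sd     = { true,  sample_aces, 3 };
static const sd_t empty_dacl_sd = { true,  NULL, 0 };
static const sd_t no_dacl_sd    = { false, NULL, 0 };
static const sid_t alice_sids[] = { SID_ALICE, SID_EVERYONE, SID_EDITORS };
static const sid_t bob_sids[]   = { SID_BOB, SID_EVERYONE, SID_EDITORS, SID_CONTRACTORS };
static const token_t alice = { alice_sids, 3 };
static const token_t bob   = { bob_sids, 4 };

/* Wrapper that discards the granted mask, for callers that only need the verdict. */
static bool check(const sd_t *sd, const token_t *tok, uint32_t desired) {
    uint32_t granted;
    return access_check(sd, tok, desired, &doc_mapping, &granted);
}

int main(void) {
    printf("alice read            : %s\n", check(&sample_sd, &alice, DOC_READ)     ? "allowed" : "denied");
    printf("alice GENERIC_WRITE   : %s\n", check(&sample_sd, &alice, GEN_WRITE)    ? "allowed" : "denied");
    printf("bob write             : %s\n", check(&sample_sd, &bob, DOC_WRITE)      ? "allowed" : "denied");
    printf("bob read              : %s\n", check(&sample_sd, &bob, DOC_READ)       ? "allowed" : "denied");
    printf("alice read, empty DACL: %s\n", check(&empty_dacl_sd, &alice, DOC_READ) ? "allowed" : "denied");
    printf("alice all, no DACL    : %s\n", check(&no_dacl_sd, &alice, DOC_ALL)     ? "allowed" : "denied");
    return 0;
}
```

Two points the model makes visible: a deny ACE only matters for bits not already granted by an earlier allow ACE, which is why the DACL must be kept in canonical order (denies first) for a deny to be reliable; and the difference between "no DACL" (everyone gets everything) and an empty DACL (nobody gets anything), an easy mistake when a server builds its own security descriptors for private objects.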

User Account Management
- One unified enterprise account image
    - All account properties, extensible schema
    - LDAP access, remote management
- Synchronize with other account stores
    - Directory synchronization - LDAP, LDIF
    - Password change notification
- Authorization based on group membership for central access control
    - Roles defined by group membership

Single Sign On Summary
- Comprehensive solution today
    - Windows NT and BackOffice services
    - Platform security services for applications
- Cross-platform with industry standards
    - Kerberos v5 and GSS token formats
    - X.509 v3 certificates with SSL/TLS
- Familiar Windows NT security model extended to n-tier applications

Call To Action
- Stop prompting for passwords!
    - Use Windows NT distributed security
    - Use SSPI or DCOM/RPC security
    - Use Windows NT access control
- Leverage industry standard protocols for cross-platform security
- Depend on Active Directory for single user account store
- Check out the Security Showcase!

More Information
- SSPI
    - SSPI whitepaper on MSDN
    - Platform SDK: doc and samples
      \mssdk\samples\win32\winnt\security\sockauth
- Kerberos v5
    - Distributed Security Services whitepaper
- BackOffice logo program
- MSPress® "Running Microsoft Internet Information Server"