Single Sign-On across Web Services
Ernest Artiaga, CERN - OpenLab Security Workshop, April 2004


Outline
- Motivation and goals
- Tools
- Single sign-on
- Impersonation: mapping certificates to accounts
- Providing certificates to users
- Issues and actual status
- Summary and conclusions

Motivation
- The environment:
  - Services offered through the web
  - Applications using web servers as user interface
  - Clients on both Windows and Unix platforms
- What we want (and what the users ask for):
  - An authentication mechanism valid across platforms
  - Single sign-on

Goal
- Letting users access authorized resources…
  - Restricted web pages
  - Web-based services (mail, …)
- …without re-typing usernames and passwords (single sign-on)

Tools
- Two different technologies
  - Kerberos
    - Well-known for certain applications
    - "Supported" by modern operating systems
  - PKI/Certificates
    - Widely spread
    - Portability across platforms

Tools
- The drawbacks…
  - Kerberos
    - Incompatible extensions
    - Few "kerberized" applications
- So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism.

Single Sign-on
- CERN users have accounts in both Unix and Windows environments
- Services are not replicated in both systems
- Logon and authentication mechanisms are different
- A user must type his/her credentials again and again
- Can PKI/Certificates help?

Single Sign-on: basic web access
- PKI/Certificates can be used to protect access to web pages
  - They provide portable authentication and access control
  - Available for both Apache and IIS servers
- … But this is mainly local access
  - What happens if the server needs to access remote data?

Single sign-on
- We must provide the user with a valid PKI/Certificate
- We must trust the web server: it will impersonate the user!
[Diagram: User, Web Server, Services]

Impersonation in IIS
- Based on the Windows Identity Mapping mechanism
- Maps a certificate to a specific account
- The identity mapping can be managed at two different places:
  - The IIS server itself
  - The Active Directory

IIS mapping
- Specific to a web site
- Flexible many-to-one mapping rules
  - Based on issuer and subject of the certificate
- Provides a ticket valid for delegation
  - I.e. remote resources can be accessed
- Username and password must be provided when setting the mapping
  - but they are not kept synchronized with Windows accounts!

AD mapping
- Common for all web sites in the domain
- Limited many-to-one mapping
  - There is a single account for all the certificates coming from the same issuer CA
- One-to-one mapping is the most convenient
- Provides a ticket valid for delegation since Windows .NET Server/IIS 6.0

AD mapping (II)
- Two flavors: manual and automatic
- In manual mapping, the administrator must specify which certificate maps to which account (can be done programmatically)
- In automatic mapping, the certificate must contain a subjectAltName extension carrying the User Principal Name (UPN) of the account in the otherName field
  - No explicit mapping is needed
  - Originally designed for smart cards

Impersonation in Apache
- Impersonation via Kerberos ticket
- Uses extra software: Kerberos Leveraged PKI
  - KCT (Kerberos Certificate Translation)
  - Mod_KCT (Apache module)
- Procedure:
  - The user sends a PKI/Certificate (obtained through the KCA) to Apache
  - Apache uses KCT to recover the user's Kerberos ticket
  - Apache uses the ticket to access the user's remote resources

Providing certificates to users
- There is a risk of users not taking care of their certificates…
  - It should be a transparent mechanism
  - It should be easy
  - It should be secure
- Both Unix and Windows users receive a Kerberos ticket during logon
- We can issue a PKI/Certificate for a Kerberos ticket

Providing certificates to users
- Kerberos Leveraged PKI
[Diagram of the Kerberos Leveraged PKI components: Login, KDC, Credential Cache, KCA, Browser, LibPKCS11, Web Server]

Providing certificates to users
- KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible)
- KCA clients are available for Unix and Windows
- A PKCS11 library (smart card emulation) is also available for Unix and Windows
- We have short-term certificates

Issues: certificate restrictions
- The user certificate must contain a series of extensions, properly filled and encoded, so that the web server accepts it and maps it to the right account:
  - subjectAltName
  - cRLDistributionPoint
  - keyUsage
  - extendedKeyUsage
  - Expiration date properly set
- Possible CAs:
  - Microsoft recommends MS Enterprise CA
  - Entrust CA also works
  - … We used OpenSSL…
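The encoding detail behind the AD automatic mapping slide and the subjectAltName item above, as an added example (not code from the presentation): a stdlib-only Python encoder and checker for the UPN otherName inside a subjectAltName value, so a certificate produced by a non-Microsoft CA can be verified before it is handed to IIS. The function names and the sample UPN are this example's own; the OID 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN otherName type.

```python
# Added example, not from the slides: build and check the subjectAltName
# otherName that AD automatic mapping keys on. DER layout (RFC 5280):
#   SEQUENCE { [0] IMPLICIT OtherName { type-id OID, [0] EXPLICIT UTF8String } }
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName type-id

def _tlv(tag, body):                    # DER tag-length-value
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                  # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

UPN_OID_DER = _encode_oid(MS_UPN_OID)

def build_upn_san(upn):
    """DER subjectAltName value holding a single UPN otherName."""
    other = UPN_OID_DER + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    return _tlv(0x30, _tlv(0xA0, other))   # [0] IMPLICIT replaces the SEQUENCE tag

def _read_tlv(buf, pos):                # -> (tag, body, position after the value)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def extract_upn(san_der):
    """UPN carried in a subjectAltName value, or None if no UPN otherName."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0 or not body.startswith(UPN_OID_DER):
            continue                    # dNSName, rfc822Name or another otherName type
        etag, inner, _ = _read_tlv(body, len(UPN_OID_DER))
        vtag, value, _ = _read_tlv(inner, 0)
        if etag != 0xA0 or vtag != 0x0C:   # AD expects [0] EXPLICIT UTF8String
            raise ValueError("UPN otherName is not an explicit UTF8String")
        return value.decode("utf-8")
    return None
```

The same bytes can be produced with OpenSSL's `otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@REALM` subjectAltName syntax; `extract_upn` is the check to run on the extension value of the issued certificate.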

Issues: server-side CA restrictions
- It is possible to use a non-MS CA with an IIS server, but…
  - … it should behave like Microsoft's one
  - The CA certificate must be added to the NTAuth store in the registry… manually.
  - It should create the same AD entries and fill them properly
  - Certificates and CRLs must be published in the AD

Issues: web applications
- Lack of integration between the authentication mechanisms of the web servers and the applications behind them
  - First, authenticate with the web server…
  - Then, authenticate again with the application!
  - E.g. some web mail applications…
- Despite the necessary security infrastructure being there, some applications keep
  - using their own security mechanisms
  - … or using it only "internally".

Status
[Diagram of the test setup; components shown: Linux Box, Windows 2000 KDC, Linux KCA, OpenSSL CA, Web Browser (Mozilla), LibPKCS11, Windows 2003 IIS 6.0, AD, Resources, Certificate Template, Win Box, MS CA?, Unix Apache, Mod_KCT, KCT, MIT KDC]

Summary and conclusions
- In theory, it is possible to achieve cross-platform single sign-on
- But full functionality has issues…
  - Lots of components involved (KDC, KCA, AD…)
  - Compatibility (not fully documented requirements)
  - Intrinsic limitations
    - Extensions not present in the KCA certificates
    - Integration between applications and servers

Questions?