Published by Peter Clarke. Modified over 8 years ago.
Slide 1: Kerberos
Miha Pihler, MVP – Enterprise Security, Microsoft Certified Master | Exchange 2010
Slide 2: About the speaker (trainer, author)
Slide 3: Agenda
Understand how Kerberos works:
- inside a domain
- inside a forest (across multiple domains)
- across forests
Troubleshoot common Kerberos problems:
- what tools we can use
Slide 4: Kerberos / NTLM
You can practically disable NTLM and with this "force" Kerberos in your environment; with this you get higher security.
Before you do: as long as NTLM is enabled, a failing Kerberos authentication silently falls back to NTLM, so you want to test Kerberos in your environment first and see what breaks.
After you disable NTLM, Kerberos has nothing to fall back to, so you had better make sure Kerberos is working and that you know how to troubleshoot it.
Slide 5: Kerberos / Authentication Service (AS), user authentication, 1) KRB_AS_REQ
1a – The user (PC) sends KRB_AS_REQ to the DC. In the packet are:
- the user's name (e.g. Mike)
- the service name (e.g. krbtgt/corp.krneki.net) of the Ticket Granting Service (TGS) for which we want a ticket
- pre-authentication data derived from the user account's password (a one-way function is used to protect the password)
1b – The KDC looks up the user account (Mike) in its database and checks the pre-authentication data against the information stored on that account, using the same one-way function. If the DC gets the same result, the user entered the correct password.
1c – The KDC generates the packet for the client ...
Slide 6: Kerberos / Authentication Service, user authentication, 1) KRB_AS_REP
1c – The KDC generates the packet for the client. In this packet are:
- a new logon session key, encrypted with the user account's master key
- a second copy of the session key plus authorization data, inside the TGT; the TGT is encrypted with the KDC master key
1d – The client decrypts its session key using its own master key and stores the session key in its cache. It also caches the extracted TGT.
Slide 7: Kerberos / AS network trace, user account (screenshot)
Slide 8: Kerberos / AS network trace, computer account (screenshot)
Slide 9: Kerberos / TGS, user authentication, 1) KRB_TGS_REQ and KRB_TGS_REP
2a – The user sends KRB_TGS_REQ to the DC. In the packet are:
- the service the user would like to access (including the server name)
- an authenticator encrypted with the user's session key (cached from the previous steps)
- the TGT from the previous steps
2b – The KDC decrypts the TGT with its own master key (remember that the TGT was encrypted with the KDC master key) and extracts the user's session key from it. That session key is used to decrypt the user's authenticator, and the authenticator is validated. At this stage a new session key is created; it will be used to access the service.
2c – The KDC generates the packet for the client (KRB_TGS_REP). The new session key from 2b is included twice:
- the session key encrypted with Mike's logon session key
- the session key encrypted for server$ using server$'s master key
Slide 10: Kerberos / TGS (diagram)
Slide 11: Kerberos / Client-Server Exchange, user authentication, 1) KRB_AP_REQ and KRB_AP_REP
2a – The PC sends KRB_AP_REQ to the DC. In the packet are:
- an authenticator encrypted with the session key for DC/Server$
- the ticket for the session with DC$, encrypted with DC$'s master key
Slide 12: Client to server, user authentication to another server (we already have the AS exchange)
1a – The PC sends KRB_TGS_REQ to the DC. In the packet are:
- which service and server we want to connect to (e.g. ldap/server1.corp.krneki.net)
- an authenticator
- the TGT that we already have
1b – The DC receives the TGS_REQ and answers with KRB_TGS_REP:
- the DC decrypts the TGT with its master key
- it creates a new session key for Server1
- it generates a new packet
- one copy of the session key is protected with the Administrator's session key
- the other copy of the session key is protected with Server1's master key
Slide 13: Client to server, user authentication to another server (cont.)
2a – We are ready to talk to Server1 (Server1.corp.krneki.net). We send a KRB_AP_REQ packet, and in the packet are:
- an authenticator protected with the Server1 session key
- the ticket that we received from the DC for Server1, protected with Server1's master key
2b – Server1 decrypts the ticket with its own master key and obtains the session key, then extracts the authenticator. If everything is OK, it sends back KRB_AP_REP.
Slide 14: Client to server
If we want to connect to another server (Server2), we have to repeat the whole KRB_TGS_REQ and KRB_AP_REQ procedure.
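The AS, TGS and AP exchanges from slides 5 to 14, as an added runnable Python model that is not part of the presentation. A toy authenticated cipher stands in for Kerberos' real encryption types, and the account names, passwords and SPN table are constructed for the example; it shows which key opens which packet (user master key, KDC krbtgt key, server master key) and that a wrong password or an unregistered SPN fails at exactly the step the slides describe.

```python
import hashlib, hmac, json, os, secrets, time  # toy cipher below stands in for real Kerberos etypes (example assumption)

def master_key(password, salt):          # one-way function: the password itself never leaves the client
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)
def _ks(key, nonce, n):                  # keystream for the toy cipher
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def seal(key, obj):                      # encrypt-then-MAC; the wrong key fails the integrity check
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered packet")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

class KDC:
    def __init__(self, accounts, spns):  # accounts: principal -> master key; spns: SPN -> owning principal
        self.accounts, self.spns = accounts, spns
    def as_exchange(self, user, preauth):                       # slides 5-6: steps 1a..1c
        key = self.accounts[user]                               # 1b: KDC holds the same one-way result
        if abs(time.time() - unseal(key, preauth)["ts"]) > 300:  # opening pre-auth proves the password
            raise ValueError("pre-authentication timestamp outside the allowed skew")
        sk = secrets.token_hex(32)                              # new logon session key
        tgt = seal(self.accounts["krbtgt"], {"user": user, "sk": sk})  # only the KDC can open the TGT
        return seal(key, {"sk": sk}), tgt                       # KRB_AS_REP
    def tgs_exchange(self, spn, authenticator, tgt):           # slides 9 and 12: steps 2a..2c / 1a..1b
        t = unseal(self.accounts["krbtgt"], tgt)               # 2b: KDC master key opens the TGT
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match the TGT")
        if spn not in self.spns:                                # "DC must find this SPN!"
            raise LookupError(f"no account has SPN {spn}")
        svc_sk = secrets.token_hex(32)                          # new session key for this service
        ticket = seal(self.accounts[self.spns[spn]], {"user": t["user"], "sk": svc_sk})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket  # KRB_TGS_REP
def ap_exchange(server_key, authenticator, ticket):            # slide 13: step 2b on the server
    tk = unseal(server_key, ticket)                             # server's own master key opens the ticket
    auth = unseal(bytes.fromhex(tk["sk"]), authenticator)
    return tk["user"], seal(bytes.fromhex(tk["sk"]), {"ts": auth["ts"]})  # KRB_AP_REP

def logon_and_access(kdc, user, password, spn, server_key):    # client side of the whole flow
    k = master_key(password, user)
    rep, tgt = kdc.as_exchange(user, seal(k, {"ts": time.time()}))        # 1a: KRB_AS_REQ
    sk = bytes.fromhex(unseal(k, rep)["sk"])                               # 1d: cache session key + TGT
    srep, ticket = kdc.tgs_exchange(spn, seal(sk, {"user": user, "ts": time.time()}), tgt)
    svc_sk = bytes.fromhex(unseal(sk, srep)["sk"])
    seen, ap_rep = ap_exchange(server_key, seal(svc_sk, {"user": user, "ts": time.time()}), ticket)
    unseal(svc_sk, ap_rep)                                                 # mutual auth: server proved its key
    return seen
DEMO_ACCOUNTS = {n: master_key(p, n) for n, p in [("mike", "Passw0rd!"), ("krbtgt", "kdc-secret"), ("server1$", "server1-secret")]}  # constructed
DEMO_SPNS = {"ldap/server1.corp.krneki.net": "server1$"}  # constructed SPN table
```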
Slide 15: SPN / Service Principal Name
A very important component of Kerberos.
Slide 16: SPN / Service Principal Name (cont.)
Very often the source of Kerberos problems:
- missing SPNs
- SPNs registered on the wrong objects
- multiple objects sharing the same SPN
Tools we can use to troubleshoot:
- setspn.exe: setspn -x looks for duplicate SPNs; setspn can also register SPNs on an object
- ADSIEdit, LDP, ...
Slide 17: SPN / Service Principal Name (cont.): SPNMappings (screenshot)
Slide 18: SPN / Service Principal Name (cont.): SetSPN.exe
setspn -A MSSQLSvc/server1.corp.krneki.net:1433 CORPDC1
Slide 19: Common scenarios and problems: user to web server, web server to SQL DB
1) KRB_TGS_REQ for http/intranet.corp.krneki.net: the DC must find this SPN!
Diagram: dc1.corp.krneki.net, intranet.corp.krneki.net (reached as http://intranet.corp.krneki.net or http://intranet), sqlcl1.corp.krneki.net.
If IIS is running as Network Service, the SPN must be registered on the computer account.
Slide 20: Common scenarios and problems: user to web server, web server to SQL DB (cont.)
1) KRB_TGS_REQ for http/intranet.corp.krneki.net: the DC must find this SPN!
The IIS server then needs to talk to SQL:
- it needs to authenticate to the DC
- it must find the SQL SPN: KRB_TGS_REQ for MSSQLSvc/server7.corp.krneki.net:1433, and the DC must find this SPN too!
Diagram: dc1.corp.krneki.net, intranet.corp.krneki.net (http://intranet.corp.krneki.net, http://intranet), sqlcl1.corp.krneki.net.
Slide 21: Common scenarios and problems: user to web server, web server to SQL DB (cont.)
1) KRB_TGS_REQ for http/intranet.corp.krneki.net: the DC must find this SPN!
If IIS is running with a custom account, the SPN http/intranet… must be registered on this custom account!
If SQL is running under a dedicated account, the SPN must be registered under this account.
Diagram: dc1.corp.krneki.net, intranet.corp.krneki.net (http://intranet.corp.krneki.net, http://intranet), Server1.corp.krneki.net, sqlcl1.corp.krneki.net.
Slide 22: Common scenarios and problems
If you change from the computer account or Network Service to a custom account in your environment, don't forget to:
- remove the SPN names from the computer account
- add the SPN to the custom service account
Always remember, there can be only one ;-)
- an SPN can be registered on only one object at a time
- you can use setspn -x to test your environment and find all duplicate SPNs
Slide 23: Common scenarios and problems
Easiest way to troubleshoot client – web – SQL: use Network Monitor.
- Install Network Monitor on the client and see which SPN the client is requesting for, e.g., the web server. Make sure that SPN is registered on the CORRECT object.
- Install Network Monitor on the web server and see which SPN the web server is using to address SQL. Make sure that SPN is registered on the CORRECT object.
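The SPN checks from slides 16 to 23, as an added Python example that is not from the presentation. The directory export is constructed and mirrors the slides' scenario (IIS just moved from Network Service to a custom account, a retired SQL service account never cleaned up); it derives the SPN a client will request from the URL, reports missing, mis-homed and duplicate SPNs (what setspn -x finds), and re-homes an SPN without ever creating a second owner.

```python
import copy
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed directory export, not from the presentation: IIS was just switched from
# Network Service to svc_iis, and a retired SQL service account was never cleaned up.
DEMO_DIRECTORY = [
    {"name": "INTRANET$", "spns": ["HOST/intranet.corp.krneki.net", "HOST/INTRANET", "http/intranet.corp.krneki.net"]},
    {"name": "svc_iis", "spns": []},
    {"name": "svc_sql", "spns": ["MSSQLSvc/sqlcl1.corp.krneki.net:1433"]},
    {"name": "old_svc_sql", "spns": ["MSSQLSvc/sqlcl1.corp.krneki.net:1433"]},
]

def spn_from_url(url):
    """The SPN a client asks the DC for: http://intranet.corp.krneki.net -> http/intranet.corp.krneki.net."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}/{u.hostname.lower()}"

def spn_index(directory):
    """SPN -> list of owning objects; compared case-insensitively, as AD does."""
    idx = defaultdict(list)
    for obj in directory:
        for spn in obj["spns"]:
            idx[spn.lower()].append(obj["name"])
    return idx

def duplicates(directory):
    """What setspn -x reports: SPNs registered on more than one object."""
    return {spn: owners for spn, owners in spn_index(directory).items() if len(owners) > 1}

def check_spn(directory, spn, service_account):
    """service_account: the account the service really runs as (the computer account for Network Service)."""
    owners = spn_index(directory).get(spn.lower(), [])
    if not owners:
        return "missing"
    if len(owners) > 1:
        return "duplicate: " + ", ".join(owners)
    if owners[0].lower() != service_account.lower():
        return f"registered on wrong object: {owners[0]}"
    return "ok"

def move_spn(directory, spn, old_owner, new_owner):
    """Re-home an SPN after a service switches accounts; returns a modified copy of the directory."""
    new = copy.deepcopy(directory)
    by_name = {o["name"]: o for o in new}
    by_name[old_owner]["spns"] = [s for s in by_name[old_owner]["spns"] if s.lower() != spn.lower()]
    if spn.lower() in spn_index(new):       # "there can be only one": refuse to create a second owner
        raise ValueError(f"{spn} is still registered on {spn_index(new)[spn.lower()]}")
    by_name[new_owner]["spns"].append(spn)
    return new
```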
Slide 24: Across domain and forest
When the client specifies where it wants to connect (specifies an SPN), the DC looks in its database for that SPN. If it can't find it in its local domain, it queries the GC (Global Catalog) to see whether this SPN exists in the forest. If it exists in the forest, it sends the client a referral to the domain controller in the other domain…
Slide 25: Across domain and forest
If we have a forest trust, the DC checks the TDO (Trusted Domain Object). The TDO contains information about the trusting forest:
- it gives information about "routing" requests to other domains or forests
- domain suffixes: this information is stored and replicated to the Global Catalogs in the forest
Slide 26: Group Policies and Kerberos
Default settings defining Kerberos:
- service ticket valid for 10 hours by default
- user ticket valid for 10 hours by default
Slide 27: Group Policies and Kerberos: forest search order, Windows 7 and Windows Server 2008 R2 (screenshot)
Slide 28: Summary
Before you switch to pure Kerberos, make sure it is working and is not falling back to NTLM.
Pay attention to SPNs, or Kerberos will not work!
The easiest way to troubleshoot is to use Network Monitor.
Slide 29: Q&A
miha.pihler@telnet.si