
1 WSV320

2 Welcome to Atlanta, all y'all. Gotta visit the Cyclorama. Visit the WHAT??? This should be a 4-hour presentation... Buckle your seat belts! We talk fast and don't wait for stragglers! Session is recorded.


5 The three parties: Client, Service, and a Trusted 3rd Party (the KDC; Kerberos is named after Cerberus, the three-headed dog).

6 The Kerberos exchanges. Domain Controller / KDC = Authentication Service (AS) + Ticket Granting Service (TGS) + DB (accounts Caroline, Tyler, Jack). Application Server / Services (AP).
KRB_AS_REQ from Caroline to the AS; AS_REP returns the TGT.
TGS_REQ carrying the TGT to the TGS; TGS_REP returns the Service Ticket.
AP_REQ carrying the Service Ticket to the Application Server; AP_REP is optional (mutual authentication).

7 AS exchange. DB: Caroline, Tyler, Jack. Caroline to AS: request for a TGT. AS to Caroline: here's the ticket (TGT) if you prove who you are.

8 TGS and AP exchanges. TGS_REQ carrying the TGT to the Ticket Granting Service (TGS); TGS_REP returns the Service Ticket. AP_REQ carrying the Service Ticket to the Application Server / Services.

9 The authenticator.
The client creates an authenticator (user principal + timestamp), encrypts it with the session key it shares with the service, and sends it in the AP_REQ together with the Service Ticket. The ticket itself is encrypted with the service's shared secret and carries that same session key.
The Application Server decrypts the ticket with its own key, recovers the session key, decrypts the authenticator and compares the client timestamp with its own clock: it must be within 5 minutes (default).
Replay cache: the server remembers authenticators it has already accepted; an authenticator whose timestamp is earlier than or the same as one already seen from that client is rejected as a replay.
Pre-authentication (Kerberos v5) applies the same idea to the AS_REQ: the client encrypts a timestamp with its own key. It is the default in Windows AD and can be disabled per account.

10 The user accesses resources for the lifetime of the ticket. Tickets CAN be renewable. The ticket lifetime is 10 hours by default (Kerberos policy in group policy). Service Ticket presented to the service; the KDC is not involved again until a new ticket is needed.
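
The AS, TGS and AP exchanges from slides 6 to 10, with the authenticator checks of slide 9, as an added runnable model. This is not code from the session and not Kerberos's real ASN.1 or RFC 3961 cryptography: the seal/unseal stand-in cipher, the 10-hour lifetime constant and the per-client replay timestamp are assumptions of the example; the principal names krbtgt/REALM, administrator and cifs/gwendlyn.w2k8r2sa.don.mccall are taken from the session's trace on slide 25.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges on slides 6 to 10.

Added illustration, not code from the session. The cipher is a stand-in
(SHA-256 keystream plus HMAC), not RFC 3961 Kerberos encryption; what the
model shows is the message layout, the 5-minute clock-skew check and the
replay cache. Principal names are taken from the session's trace.
"""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds: Windows default "Maximum tolerance for computer clock synchronization"

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a dict (stand-in for a Kerberos EncryptedData field)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY")  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """AS + TGS + account database, i.e. the domain controller."""
    def __init__(self, realm, keys):
        self.db = keys                        # principal -> long-term key
        self.krbtgt = keys["krbtgt/" + realm]

    def as_exchange(self, cname, pa_enc_timestamp, now):
        # Pre-authentication: the client proves it knows its key by encrypting a timestamp.
        if abs(now - unseal(self.db[cname], pa_enc_timestamp)["ts"]) > SKEW:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk = os.urandom(32).hex()             # TGT session key
        tgt = seal(self.krbtgt, {"cname": cname, "sk": sk, "end": now + 10 * 3600})
        return tgt, seal(self.db[cname], {"sk": sk})   # AS_REP: TGT plus the user's enc part

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = unseal(self.krbtgt, tgt)          # only the KDC can open a TGT
        if now > t["end"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["cname"] != t["cname"] or abs(now - auth["ts"]) > SKEW:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        if sname not in self.db:
            raise PermissionError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        ssk = os.urandom(32).hex()            # service session key
        ticket = seal(self.db[sname], {"cname": t["cname"], "sk": ssk, "end": t["end"]})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk})   # TGS_REP

class Service:
    """Application server: holds only its own shared secret and never contacts the KDC."""
    def __init__(self, key):
        self.key = key
        self.replay = {}                      # cname -> newest authenticator timestamp accepted

    def ap_req(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["cname"] != t["cname"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        if abs(now - a["ts"]) > SKEW:         # slide 9: within 5 minutes of server time
            raise PermissionError("KRB_AP_ERR_SKEW")
        if a["ts"] <= self.replay.get(a["cname"], -1):  # replay cache (a real one hashes the whole authenticator)
            raise PermissionError("KRB_AP_ERR_REPEAT")
        self.replay[a["cname"]] = a["ts"]
        return t["cname"]

def logon_and_access(kdc, service, cname, user_key, sname, now):
    tgt, enc = kdc.as_exchange(cname, seal(user_key, {"ts": now}), now)       # AS_REQ / AS_REP
    sk = bytes.fromhex(unseal(user_key, enc)["sk"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(sk, {"cname": cname, "ts": now}), sname, now)  # TGS
    ssk = bytes.fromhex(unseal(sk, enc)["sk"])
    authenticator = seal(ssk, {"cname": cname, "ts": now})
    return service.ap_req(ticket, authenticator, now), ticket, authenticator  # AP_REQ

def demo():
    realm, spn = "W2K8R2SA.DON.MCCALL", "cifs/gwendlyn.w2k8r2sa.don.mccall"
    keys = {"krbtgt/" + realm: os.urandom(32), "administrator": os.urandom(32), spn: os.urandom(32)}
    kdc, svc, now = KDC(realm, keys), Service(keys[spn]), int(time.time())
    who, ticket, auth = logon_and_access(kdc, svc, "administrator", keys["administrator"], spn, now)
    out = {"first": who}
    try:                                      # the same AP_REQ again: replay cache hit
        svc.ap_req(ticket, auth, now + 1)
    except PermissionError as e:
        out["replay"] = str(e)
    ssk = bytes.fromhex(unseal(keys[spn], ticket)["sk"])
    try:                                      # authenticator 10 minutes off the server clock
        svc.ap_req(ticket, seal(ssk, {"cname": "administrator", "ts": now + 600}), now)
    except PermissionError as e:
        out["skew"] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

The two failure paths in demo() are the ones the slide calls out: the same authenticator presented twice is refused by the replay cache, and an authenticator more than 5 minutes from the server's clock is refused as skew, which is why the time-synchronization slides later in the session matter for Kerberos at all.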


12 Windows Active Directory logon. KDC = AS + TGS + DB, all on the Windows Domain Controller.
1. User types in username, password, domain.
2. The workstation locates a KDC for the domain by a DNS lookup for the AD service.
3. AS request sent with username, password (key) and domain (twice, actually: the first AS_REQ has no pre-authentication data and is answered with a pre-authentication-required error, the second carries it; remember that pre-authentication is the default in Windows).
4. Group membership is expanded by the KDC, added to the TGT authorization data (PAC) and returned to the client in the AS_REP as part of the TGT.
5. The workstation sends TGS requests for session tickets, including one for the workstation itself***.

13 Windows Active Directory: accessing a resource, e.g. \\server\sharename. Key Distribution Center (KDC) on the Windows Domain Controller; Application Server (target).
1. Send the TGT to the KDC and get a service ticket for the target server.
2. Present the service ticket at connection setup.
3. The target verifies that the service ticket was issued by the KDC (it decrypts it with its own key).

14 Cross-domain access in one forest. Windows Client in AMS.Corp.net, Windows Server AppSrv1.EMEA.Corp.net, forest root Corp.Net; each domain has its own KDC.
1 TGT (AMS) from the client's own KDC.
2 TGT (EMEA): asking for a ticket to AppSrv1.EMEA.Corp.net yields a cross-realm (referral) TGT instead, walking the trust path through Corp.Net.
3 TGT (EMEA) presented to the EMEA KDC.
4 TICKET for AppSrv1.EMEA.Corp.net, presented to the server.


16 MIT realm trust. Generic client in COMPANY.REALM (MIT KDC), Windows Server in AD.Corp.net (Windows KDC).
1 TGT from the MIT KDC.
2 R-TGT: a cross-realm (referral) TGT for AD.Corp.net, encrypted with the inter-realm trust key.
3 R-TGT presented to the Windows KDC.
4 TICKET for the Windows server issued by the Windows KDC.
5 TICKET presented to the Windows server.
Possibly name mapping of the MIT principal to a Windows account (the foreign principal has no AD account of its own, so the Windows side needs a mapping to authorize it).


18 Unix/Linux client against a Windows KDC. The client's Kerberos libraries are configured by krb5.conf (realm and KDC); Windows KDC (W2k8.company.com); Windows Application Server.
1 TGT request to the Windows KDC; 2 TGT returned.
3 ticket request for the Windows application server; 4 TICKET returned and presented to the server.
PAC? The Windows KDC puts its authorization data (PAC) into the tickets anyway; a plain Unix client has no use for it and ignores it.

19 Linux application server (e.g. Samba) in a Windows domain. Windows KDC (W2K8.company.com); Windows Client.
The Linux server has a computer account in AD; the computer account's shared secret lives in krb5.keytab. Also on the server: krb5.conf, the Kerberos client libraries, an MS-aware service, other stuff...
The Windows client gets a TGT, then a TICKET for the Linux server that carries Windows auth data (PAC). Samba decrypts the ticket with the keytab key and, being MS-aware, can use the PAC.


21 The keytab file


24 Troubleshooting example: KRB_ERROR_UNKNOWN_PRINCIPAL_NAME
Steps taken on the HP-UX system:
# kinit administrator
Password for administrator@W2K8R2SA.DON.MCCALL:
# smbclient //gwendlyn/tmp -k
cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE
# grep "matched keytab principals" /var/opt/samba/log.16.113.26.218
[2011/04/13 11:21:38, 3] ads_keytab_verify_ticket: krb5_rd_req failed for all matched keytab principals

25 Troubleshooting demo: KRB_ERROR_UNKNOWN_PRINCIPAL_NAME. Break here for network trace analysis.
What we're looking for in the trace:
- Kerberos: TGS Response Cname: administrator
  + Length: Length = 1588
  - TgsRep: Kerberos TGS Response
    + ApplicationTag:
    - KdcRep: KRB_TGS_REP (13)
      + SequenceHeader:
      + Tag0:
      + PvNo: 5
      + Tag1:
      + MsgType: KRB_TGS_REP (13)
      + Tag3:
      + Crealm: W2K8R2SA.DON.MCCALL
      + Tag4:
      + Cname: administrator
      + Tag5:
      - Ticket: Realm: W2K8R2SA.DON.MCCALL, Sname: cifs/gwendlyn.w2k8r2sa.don.mccall


32 Time synchronization hierarchy.
Workstation / member server: can sync with any DC in its own domain.
DC: syncs with the PDC Emulator of its own domain.
PDC Emulator: syncs with the PDC Emulator in the parent domain.
Forest root PDC Emulator: syncs with an external NTP time source.


38 First run:
C:\>w32tm /monitor /domain:wtec
WTEC-DC1.Wtec.adapps.hp.com *** PDC *** [16.113.26.95]:
    ICMP: 171ms delay
    NTP: +0.0000000s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: atl-resolver.americas.hp.net [15.227.128.51]
WTEC-DC2.Wtec.adapps.hp.com [16.56.172.105]:
    ICMP: 0ms delay
    NTP: -0.0227096s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
WTEC-DC3.Wtec.adapps.hp.com [15.31.56.61]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000m
mccall.Wtec.adapps.hp.com [16.113.9.141]:
    ICMP: 170ms delay
    NTP: +9.1344128s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
wtec-dc4.Wtec.adapps.hp.com [16.144.206.141]:
    ICMP: 361ms delay
    NTP: +9.1279869s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
gse-exch3.Wtec.adapps.hp.com [16.25.249.129]:
    ICMP: 24ms delay
    NTP: +9.1188723s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]

Second run, after the resync:
C:\>w32tm /monitor /domain:wtec
WTEC-DC1.Wtec.adapps.hp.com *** PDC *** [16.113.26.95]:
    ICMP: 171ms delay
    NTP: +0.0000000s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: forwarders.americas.hp.net [15.227.128.51]
WTEC-DC2.Wtec.adapps.hp.com [16.56.172.105]:
    ICMP: 0ms delay
    NTP: +0.0068319s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
WTEC-DC3.Wtec.adapps.hp.com [15.31.56.61]:
    ICMP: 224ms delay
    NTP: +0.0264724s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
mccall.Wtec.adapps.hp.com [16.113.9.141]:
    ICMP: 170ms delay
    NTP: +0.0115832s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
wtec-dc4.Wtec.adapps.hp.com [16.144.206.141]:
    ICMP: 361ms delay
    NTP: -0.0362574s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
gse-exch3.Wtec.adapps.hp.com [16.25.249.129]:
    ICMP: 24ms delay
    NTP: +0.0063204s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]

In the first run the time skew compared to DC1 was 9.13 sec on three members. Fix: w32tm /resync, and w32tm /config /SyncFromFlags:WTEC (as given on the slide). NTP synchronizes time gradually, over a period of time, so re-run the monitor afterwards rather than expecting an immediate zero offset.
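
Reading w32tm /monitor output by eye works for six hosts; for a larger domain it is worth scripting the check the slide performs by hand. The example below is added here and is not code from the session: it parses saved output of "w32tm /monitor /domain:<name>" (redirect it to a file on the Windows box, then run the script anywhere) and reports members the monitor could not reach and members whose offset from the PDC exceeds the Kerberos tolerance. The sample text is the slide's first run retyped in w32tm's normal line layout, and the 300-second limit is the Windows default, not a value the slide sets.

```python
"""Read saved output of "w32tm /monitor /domain:<name>" (slide 38) and flag
members whose offset from the PDC exceeds the Kerberos skew tolerance, plus
members the monitor could not reach.

Added illustration, not code from the session. The sample below is the
first run shown on slide 38, retyped in w32tm's normal line layout; the
300-second limit is the Windows default, not something the slide sets.
"""
import re

SKEW_LIMIT = 300.0  # seconds, "Maximum tolerance for computer clock synchronization"

W32TM_SAMPLE = """\
WTEC-DC1.Wtec.adapps.hp.com *** PDC *** [16.113.26.95]:
    ICMP: 171ms delay
    NTP: +0.0000000s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: atl-resolver.americas.hp.net [15.227.128.51]
WTEC-DC2.Wtec.adapps.hp.com [16.56.172.105]:
    ICMP: 0ms delay
    NTP: -0.0227096s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
WTEC-DC3.Wtec.adapps.hp.com [15.31.56.61]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
mccall.Wtec.adapps.hp.com [16.113.9.141]:
    ICMP: 170ms delay
    NTP: +9.1344128s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
wtec-dc4.Wtec.adapps.hp.com [16.144.206.141]:
    ICMP: 361ms delay
    NTP: +9.1279869s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
gse-exch3.Wtec.adapps.hp.com [16.25.249.129]:
    ICMP: 24ms delay
    NTP: +9.1188723s offset from WTEC-DC1.Wtec.adapps.hp.com
        RefID: WTEC-DC1.Wtec.adapps.hp.com [16.113.26.95]
"""

# Host header line: "name [*** PDC ***] [ip]:"; NTP line: signed offset or an error text.
HOST_RE = re.compile(r"^(?P<host>\S+)(?P<pdc> \*\*\* PDC \*\*\*)? \[(?P<ip>[^\]]+)\]:\s*$")
NTP_RE = re.compile(r"^\s+NTP: (?:(?P<off>[+-]\d+\.\d+)s offset from (?P<ref>\S+)|error (?P<err>.*))$")

def parse_monitor(text):
    """Return one dict per host: name, ip, pdc flag, offset in seconds or error text."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append({"host": m["host"], "ip": m["ip"], "pdc": bool(m["pdc"]),
                          "offset": None, "error": None})
            continue
        m = NTP_RE.match(line)
        if m and hosts:
            if m["err"] is not None:
                hosts[-1]["error"] = m["err"].strip()
            else:
                hosts[-1]["offset"] = float(m["off"])
    return hosts

def assess(hosts, limit=SKEW_LIMIT):
    """Unreachable members, members outside the Kerberos tolerance, and the largest skew seen."""
    measured = [h for h in hosts if h["offset"] is not None]
    return {
        "unreachable": [h["host"] for h in hosts if h["error"] is not None],
        "over_limit": [h["host"] for h in measured if abs(h["offset"]) > limit],
        "max_skew": max((abs(h["offset"]) for h in measured), default=0.0),
        "pdc": next((h["host"] for h in hosts if h["pdc"]), None),
    }

if __name__ == "__main__":
    print(assess(parse_monitor(W32TM_SAMPLE)))
```

On the slide's data the 9.13-second skew is well inside the 5-minute Kerberos tolerance, so nothing is over the limit and the one finding is WTEC-DC3, which did not answer at all; a DC that cannot be monitored cannot be trusted to be in sync either. Lowering the limit (assess(hosts, limit=5.0)) turns the same data into an alert on the three members the slide singles out.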


40 Basic commands
C:\> logman query providers            (find the provider pertaining to what you want to trace)
C:\> logman create trace "LDAP1" -p "Active Directory: Core" -o c:\etw\LDAP1
C:\> logman query                      (lists the data collectors you have defined)
C:\> logman start LDAP1
     Reproduce the search, bind, etc.
C:\> logman stop LDAP1                 (creates LDAP1_000001.etl)
Create the report:
C:\> tracerpt LDAP1_000001.etl -of csv -o Ldap1.csv
     -of sets the output file type (default = xml)
     -o sets the output file name (default is dumpfile.csv)
     This produces the most interesting dump of LDAP activity; -summary and -report give statistical data instead.
Run the trace with multiple providers:
C:\> logman create trace CoreKerb -pf c:\etw\coreKerb.txt -o c:\etw\CoreKerb
     First create the coreKerb.txt input file listing the provider names in quotes, one per line (names for Windows 2008):
     "Active Directory Domain Services: Core"
     "Active Directory: Kerberos KDC"
     Windows 2003 providers have different names.
Reuse the traces: logman query lists them.


44 Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
http://northamerica.msteched.com: Connect. Share. Discuss.
