Slide 1: Audit-Enhanced Authentication in Kerberos
Shuo Chen, Daniel R. Simon (mentor)
(Shuo's Internship Project at Microsoft Research)
9/15/2003, CRHC, UIUC
Slide 2: Authentication Protocols of Windows
Before Win2k, NTLM was the only authentication protocol provided by Windows. Starting with Win2k (including WinXP and Win2k3), both NTLM and Kerberos are provided, and Kerberos is the default. We use Kerberos almost every day.
Slide 3: Kerberos
[Diagram: Client, Server, and Key Distribution Center (KDC), which in Windows is the Domain Controller; the client sends a request to the KDC, receives a service ticket, and presents it to the server.]
Slide 4: What's the Problem?
[Diagram: User 1, User 2, ... User n connect to Internet Information Service (IIS), which connects to SQL Server. Speech bubbles: the users say "I'm User 1", "I'm User 2", "I'm User n"; IIS says only "I'm IIS."]
– SQL Server is not able to make decisions (e.g., accept or reject) for individual users, because every request arrives as IIS.
– It is hard to audit security events, because each machine maintains its event log independently; there is no easy way to correlate events across machines.
Slide 5: Audit-Enhanced Authentication
[Diagram: User 1, User 2, ... User n connect to Internet Information Service (IIS), which connects to SQL Server. Speech bubbles: "I'm User 1. TID: 312", "I'm User 2. TID: 23", "I'm User n. TID: 59"; IIS now says "I'm IIS, servicing transaction 312 on behalf of User 1."]
Key technique: provide a channel that lets extra information (such as a transaction ID) pass through multiple tiers, so that every process and thread involved in handling the transaction is aware of it.
The technique is transparent to applications: all work is done at the authentication level and the kernel level, with no modifications to application source code.
Slide 6: Design and Implementation
Modification of the WinNT kernel:
– In WinNT, each process/thread is associated with an access token. We extend this data structure to store the extra info. (A token is duplicated when a thread/process is created, so the extra info follows it.)
– Provide kernel services allowing a thread/process to set and query the extra info on its own token.
Modifications of Kerberos.dll:
– When the client marshals a service ticket, get the extra info from the token and embed it in the ticket.
– When the server unmarshals a service ticket, get the extra info from the ticket and set it in the token.
Slide 7: Modified Procedure of Kerberos
[Diagram: on the client side, Client Process, NT Kernel, Security Subsystem and Kerberos; the KDC in the middle; on the server side, Server Process, NT Kernel, Security Subsystem and Kerberos. Numbered arrows 1 through 11 trace the ticket flow; the Primary Token and Impersonation Token are labelled.]
Slide 8: A Demo in COTS Applications
After validating the technique with our toy application, we built a demo in a real setting.
[Diagram: Client Machine running Internet Explorer (IE), launched by IE_Launcher.exe; Front-End: Internet Information Service (IIS) hosting an ASP.NET web app; Back-End: SQL server with the stored procedure GetTokenInfo, which runs QueryMyToken.exe.]
Client side: IE_Launcher.exe stores the extra info in its own token and then launches IE, which inherits a duplicate of that token.

    IE_Launcher(char *msg)
    {
        SetTokenInfo(TokenExtraInfo, msg);   /* store msg in this process's token */
        CreateProcess("IEXPLORER");          /* IE inherits a copy of the token */
    }

Back-end stored procedure, which runs QueryMyToken.exe:

    CREATE PROCEDURE dbo.GetTokenInfo AS
        exec QueryMyToken.exe
    GO

QueryMyToken.exe reads the extra info back from the token it runs under:

    QueryMyToken()
    {
        QueryTokenInfo(TokenExtraInfo, msg);   /* read msg back from the current token */
        printf("%s", msg);                     /* print msg as data, not as a format string */
    }
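The token-propagation design of slides 6 and 8, simulated end to end as an added Python example (not the project's kernel or Kerberos.dll code): a token carries a transaction ID, a child process inherits a duplicate, the client-side marshal embeds the ID in the ticket, the server-side unmarshal sets it on the handling thread's token, and each machine's log entries can then be correlated by ID. The field name extra_info, the ticket's extra dict, the service names and the constructed log entries are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    """Models an NT access token with the extra-info field this design adds."""
    user: str
    extra_info: "str | None" = None  # transaction ID (TID); field name is an assumption

def duplicate_token(tok):
    """Creating a process/thread duplicates the creator's token, TID included."""
    return Token(tok.user, tok.extra_info)

def set_token_info(tok, info): tok.extra_info = info   # kernel 'set' service stand-in
def query_token_info(tok): return tok.extra_info        # kernel 'query' service stand-in

@dataclass
class Ticket:  # service ticket; the modified client embeds the TID in an extra field
    client: str
    service: str
    extra: dict = field(default_factory=dict)

def marshal_ticket(tok, service):
    """Client side: read the TID from the caller's token and put it in the ticket."""
    t = Ticket(tok.user, service)
    if query_token_info(tok) is not None:
        t.extra["tid"] = query_token_info(tok)
    return t

def unmarshal_ticket(ticket, server_tok):
    """Server side: copy the TID from the ticket onto the handling thread's token."""
    set_token_info(server_tok, ticket.extra.get("tid"))
    return server_tok

def log(events, machine, tok, msg):  # each machine's log entry carries the token's TID
    events.append((machine, tok.user, query_token_info(tok), msg))

def run_transaction(events, user, tid):
    client = Token(user)
    set_token_info(client, tid)                 # front tier assigns the TID
    ie = duplicate_token(client)                # e.g. IE launched by IE_Launcher
    log(events, "client", ie, "request to IIS")
    iis = unmarshal_ticket(marshal_ticket(ie, "HTTP/iis"), Token("IIS"))
    log(events, "iis", iis, "servicing request")  # IIS working on behalf of user
    sql = unmarshal_ticket(marshal_ticket(iis, "MSSQLSvc/sql"), Token("SQL"))
    log(events, "sql", sql, "running stored procedure")
    return sql

def correlate(events, tid):
    """Merge per-machine logs and pull out one transaction by its TID."""
    return [(m, u, msg) for m, u, t, msg in events if t == tid]
```

Running two interleaved transactions and calling correlate(events, "312") returns only User 1's path through client, IIS and SQL, even though every SQL-side entry is logged under the IIS identity.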
Slide 9: It works!
Slide 10: Other Impacts
Besides audit-enhanced authentication, our technique may be useful in other areas, such as event tracing for performance evaluation and trouble-shooting of distributed applications.
– The research team of the Strider trouble-shooting tool is using our technique to pass a transaction ID that correlates event-log entries for trouble-shooting purposes.
– A product team (the NT Base Performance Team) asked me to give a demo; they are working on event tracing.