Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation.

Published byWendy Palmer Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation."— Presentation transcript:

1 Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation

2 Topics  Multiple account logon strategies  Single account logon with Kerberos v5 interoperability  Secure three-tier cross platform applications

3 Single Sign-On Problem  Multiple authentication authorities Users have multiple logons and passwords Users have multiple logons and passwords  Admin functions for management and synchronization  Better to have a single account domain!

4 Logon Strategies  Accommodating multiple logons Custom GINA Custom GINA Network Provider Network Provider Credential Manager/ Authentication Package Credential Manager/ Authentication Package  Single account domain Public Key Infrastructure Public Key Infrastructure Kerberos v5 Kerberos v5

5 Winlogon GINA NP NP Extendable Winlogon Architecture  Winlogon  Graphical Identification and Authentication (GINA) DLL  Customize for integrated multi -logon capability  Network providers

6 Anatomy Of A Network Provider  Credential Manager sub-set (APIs) LogonNotify LogonNotify PasswordChangeNotify PasswordChangeNotify  Authentication package LogonTerminated LogonTerminated

7 Example: Network Provider  Code walk-through of a simple Credential Manager

8 Issues With Multiple Accounts  Passwords need to stay in sync  Need to manage each account separately  Still need to be careful about passwords in the clear  Better to have a single account domain

9 SSPI Kerberos SSP Application protocol Windows NT5 Workstation Application protocol GSS Kerberos mechanism GSS-API Unix Server Windows NT5 KDC TICKET Single Account Domain  Common cross-platform Kerberos v5 domain

10 Kerberos v5 Interop Goals  Cross-platform protocol interoperability Authentication Authentication Message integrity (sign/verify) Message integrity (sign/verify) Confidentiality (seal/unseal) Confidentiality (seal/unseal)  Single user account store Scalability and ease of administration Scalability and ease of administration  Use existing authorization mechanisms Name-based authorization Name-based authorization Integrated Windows NT ® authorization Integrated Windows NT ® authorization

11 Cross-Platform Interop  Based on Kerberos v5 protocol RFC 1510 and RFC 1964 token format RFC 1510 and RFC 1964 token format  Windows NT hosts the KDC UNIX clients to Unix Servers UNIX clients to Unix Servers UNIX clients to NT Servers UNIX clients to NT Servers NT clients to UNIX Servers NT clients to UNIX Servers  Simple cross-realm authentication UNIX realm to NT domain UNIX realm to NT domain  Not DCE compatible

12 SSPI And GSSAPI  Security Support Provider Interface Microsoft ® Win32 ® API Microsoft ® Win32 ® API  Generic Security Service - API IETF RFC-1509 IETF RFC-1509 Kerberos mechanism type RFC-1964 Kerberos mechanism type RFC-1964  SSPI is semantically similar to GSS-API  Another alternative: native Krb5 AP requests

13 Get outbound credentials credentials AcquireCredentialsHandle Get authn token token InitializeSecurityContext ConstructMessage Wait for Reply Receive Parse Reply Msg Connection Established ContinueNeeded? Send Get inbound credentials credentials Gss_import_name Listen for requests Gss_accept_sec_context Receive Parse Reply Msg ConstructMessage Send ContinueNeeded? Connection Established Gss_acquire_cred SSPI Client To GSS Server

14 Example: Windows NT Client Code  Time for a code walk-through; this time the client

15 Example: Unix Server Code  Now the server

16 Demo: Simple Client Server  Demo a cross platform secure application using Windows NT user credentials

17 Windows NT User Authentication  Windows NT logon obtains credentials Creates initial TGT to domain Creates initial TGT to domain Klist tickets Klist tickets Cached Tickets: Cached Tickets: Server: krbtgt@NTDEV.MICROSOFT.COM Server: krbtgt@NTDEV.MICROSOFT.COM End Time: 10/11/1998 20:05:32 End Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32 Server: krbtgt/MIT.NTDEV. MICROSOFT.COM@NTDEV.MICROSOFT.COM Server: krbtgt/MIT.NTDEV. MICROSOFT.COM@NTDEV.MICROSOFT.COM End Time: 10/11/1998 20:05:32 End Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32 Server: NTDSDC1$@NTDEV.MICROSOFT.COM Server: NTDSDC1$@NTDEV.MICROSOFT.COM End Time: 10/11/1998 20:05:32 End Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32 Renew Time: 10/11/1998 20:05:32

18 Completing The Example  Things to add for a real product Data integrity Data integrity Data privacy Data privacy Using authenticated identity for authorization Using authenticated identity for authorization  Differences between the international and domestic versions of Windows NT 5.0

19 Http://server/service.dll Internet Explorer Internet Information Server Unix back-end server IIS Extension SSPI/Krb AppService GSS/Krb IE5 SSPI/KrbHTTPTCP User: NTDEV\joeb Three-Tier Cross Platform Applications

20 Demo: 3-Tier Application CyberSafe Corporation  Cross Platform Security Solutions Unix, Windows, Tandem, MVS Unix, Windows, Tandem, MVS Clients, Servers, Developer Toolkits Clients, Servers, Developer Toolkits  Security Expertise Co-authors of Kerberos, PKINIT, PKCROSS, other standards within the IETF Co-authors of Kerberos, PKINIT, PKCROSS, other standards within the IETF Professional Services - Security Impact Analysis, Security Architecture, Education/Training Professional Services - Security Impact Analysis, Security Architecture, Education/Training WWW.CYBERSAFE.COM

21 Summary  Network Providers can unify a multiple logon  Reserve the use of a GINA for more complex logon scenarios  A Single Account domain using integrated Kerberos v5  Kerberos authentication + delegation = secure three-tier applications

22 Call To Action  Use Kerberos v5 as your cross-platform authentication mechanism  Use the SSPI and GSSAPI as your cross-platform development security interfaces  Use Network Providers to unify multiple logons

23 For More Information  Whitepapers Microsoft Windows NT Distributed Security Services Microsoft Windows NT Distributed Security Services Microsoft Windows NT Security Support Provider Interface Microsoft Windows NT Security Support Provider Interface http://www.microsoft.com/ntserver http://www.microsoft.com/ntserver http://www.microsoft.com/security http://www.microsoft.com/security  Windows NT 5.0 Beta2 Walkthroughs http://ntbeta.microsoft.com http://ntbeta.microsoft.com MIT Kerberos 5 Interoperability MIT Kerberos 5 Interoperability  Kerberos for Unix CyberSafe - http://www.cybersafe.com CyberSafe - http://www.cybersafe.com

24

Download ppt "Windows NT ® Single Sign On Cross Platform Applications (Part II) John Brezak Program Manager Windows NT Security Microsoft Corporation."

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.

Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Authentication & Kerberos

Authentication & Kerberos
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.

Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.
KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.

KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.
Kerberos Presented By: Pratima Vijayakumar Rafi Qureshi Vinay Gaonkar CS 616 Course Instructor: Dr. Charles Tappert.

Kerberos Presented By: Pratima Vijayakumar Rafi Qureshi Vinay Gaonkar CS 616 Course Instructor: Dr. Charles Tappert.

Similar presentations

Ads by Google