Download presentation
Presentation is loading. Please wait.
Published byColin Neal Modified over 9 years ago
1
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004
2
Outline Motivation and goals Motivation and goals Tools Tools Single sign-on Single sign-on Impersonation: Mapping certificates to accounts Impersonation: Mapping certificates to accounts Providing certificates to users Providing certificates to users Issues and actual status Issues and actual status Summary and conclusions Summary and conclusions
3
Motivation The environment: The environment: Services offered through web Services offered through web Applications using web servers as user interface Applications using web servers as user interface Clients on both Windows and Unix platforms Clients on both Windows and Unix platforms What we want (and what the users ask for): What we want (and what the users ask for): Authentication mechanism valid across platforms Authentication mechanism valid across platforms Single sign-on Single sign-on
4
Goal Letting users access authorized resources… Letting users access authorized resources… Restricted web pages Restricted web pages Web-based services (mail, …) Web-based services (mail, …) …without re-typing usernames and passwords (single sign-on) …without re-typing usernames and passwords (single sign-on)
5
Tools Two different technologies Two different technologies Kerberos Kerberos Well-known for certain applications Well-known for certain applications “Supported” by modern operating systems “Supported” by modern operating systems PKI/Certificates PKI/Certificates Widely spread Widely spread Portability across platforms Portability across platforms
6
Tools The drawbacks… The drawbacks… Kerberos Kerberos Incompatible extensions Incompatible extensions Few “kerberized” applications Few “kerberized” applications So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism. So, we decided to try PKI/Certificates as a base for a Single Sign-On mechanism.
7
Single Sign-on CERN users have accounts in both Unix and Windows environments CERN users have accounts in both Unix and Windows environments Services are not replicated in both systems Services are not replicated in both systems Logon and Authentication mechanisms are different Logon and Authentication mechanisms are different A user must type his/her credentials again and again A user must type his/her credentials again and again Can the PKI/Certificates help? Can the PKI/Certificates help?
8
Single Sign-on: basic web access PKI/Certificates can be used to protect access to web pages PKI/Certificates can be used to protect access to web pages They provide portable authentication and access control They provide portable authentication and access control Available for both Apache and IIS servers Available for both Apache and IIS servers … But this is mainly local access … But this is mainly local access What happens if the server needs to access remote data? What happens if the server needs to access remote data?
9
Single sign-on We must provide the user with a valid PKI/Certificate We must trust the web server It will impersonate the user! Web Server User Services
10
Impersonation in IIS Based on the Windows Identity Mapping mechanism Based on the Windows Identity Mapping mechanism Maps a certificate to a specific account Maps a certificate to a specific account The identity mapping can be managed at two different places: The identity mapping can be managed at two different places: The IIS server itself The IIS server itself The Active Directory The Active Directory
11
IIS mapping Specific to a web site Specific to a web site Flexible many-to-one mapping rules Flexible many-to-one mapping rules Based on issuer and subject of the certificate Based on issuer and subject of the certificate Provides a ticket valid for delegation Provides a ticket valid for delegation I.e. remote resources can be accessed I.e. remote resources can be accessed Username and password must be provided when setting the mapping Username and password must be provided when setting the mapping but they are not kept synchronized with windows accounts! but they are not kept synchronized with windows accounts!
12
AD mapping Common for all web sites in the domain Common for all web sites in the domain Limited many-to-one mapping Limited many-to-one mapping There is a single account for all the certificates coming from the same issuer CA There is a single account for all the certificates coming from the same issuer CA One-to-one mapping is the most convenient One-to-one mapping is the most convenient Provides a ticket valid for delegation since Windows.NET Server/IIS 6.0 Provides a ticket valid for delegation since Windows.NET Server/IIS 6.0
13
AD mapping (II) Two flavors: manual and automatic Two flavors: manual and automatic In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically) In manual mapping, the administrator must specify which certificate maps into which account (can be done programmatically) In automatic mapping, the certificate must contain an extension (subjectAltName), with the User Principal Name (UPN) of the account in the otherName field In automatic mapping, the certificate must contain an extension (subjectAltName), with the User Principal Name (UPN) of the account in the otherName field No explicit mapping is needed No explicit mapping is needed Originally designed for smart cards Originally designed for smart cards
14
Impersonation in Apache Impersonation via Kerberos ticket Impersonation via Kerberos ticket Uses extra software: Kerberos leveraged PKI Uses extra software: Kerberos leveraged PKI KCT (Kerberos Certificate Translation) KCT (Kerberos Certificate Translation) Mod_KCT (Apache module) Mod_KCT (Apache module) Procedure: Procedure: The user sends a PKI/Certificate (obtained through the KCA) to Apache The user sends a PKI/Certificate (obtained through the KCA) to Apache Apache uses KCT to recover the user’s Kerberos ticket Apache uses KCT to recover the user’s Kerberos ticket Apache uses the ticket to access user’s remote resources Apache uses the ticket to access user’s remote resources
15
Providing certificates to users There is a risk of users not taking care of their certificates… There is a risk of users not taking care of their certificates… It should be a transparent mechanism It should be a transparent mechanism It should be easy It should be easy It should be secure It should be secure Both Unix and Windows users receive a Kerberos ticket during logon Both Unix and Windows users receive a Kerberos ticket during logon We can issue a PKI/Certificate for a Kerberos ticket We can issue a PKI/Certificate for a Kerberos ticket
16
Providing certificates to Users Kerberos Leveraged PKI Kerberos Leveraged PKI Credentia l Cache Login KDC KCA Browser LibPKCS11 Web Server
17
Providing certificates to users KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible) KCA (Kerberized CA) supports Kerberos V (Windows 2000 compatible) KCA clients are available for Unix and Windows KCA clients are available for Unix and Windows PKCS11 library (smart card emulation) is also available for Unix and Windows PKCS11 library (smart card emulation) is also available for Unix and Windows We have short term certificates We have short term certificates
18
Issues: certificate restrictions The user certificate must contain a series of extensions properly filled and encoded, so that the web server accepts it and maps it to the right account. The user certificate must contain a series of extensions properly filled and encoded, so that the web server accepts it and maps it to the right account. subjectAltName subjectAltName cRLDistributionPoint cRLDistributionPoint keyUsage keyUsage extendedKeyUsage extendedKeyUsage Expiration date properly set Expiration date properly set Possible CAs: Possible CAs: Microsoft recommends MS Enterprise CA Microsoft recommends MS Enterprise CA Entrust CA also works Entrust CA also works … We used OpenSSL… … We used OpenSSL…
19
Issues: server side CA restrictions It is possible to use a non-MS CA with an IIS server, but… It is possible to use a non-MS CA with an IIS server, but… … it should behave as Microsoft’s one … it should behave as Microsoft’s one The CA certificate must be added to the NTAuth store in the registry… manually. The CA certificate must be added to the NTAuth store in the registry… manually. It should create the same AD entries and fill them properly It should create the same AD entries and fill them properly Certificates and CRLs must be published in the AD Certificates and CRLs must be published in the AD
20
Issues: web applications Lack of integration between the authentication mechanisms for the web servers and the applications behind them Lack of integration between the authentication mechanisms for the web servers and the applications behind them First, authenticate with the web server… First, authenticate with the web server… Then, authenticate again with the application! Then, authenticate again with the application! E.g. some web mail applications… E.g. some web mail applications… Despite the necessary security infrastructure being there, some applications keep Despite the necessary security infrastructure being there, some applications keep Using their own security mechanisms Using their own security mechanisms … or using it only “internally”. … or using it only “internally”.
21
Status Linu x Box Windows 2000 KDC Linux KCA OpenSSL CA Web Browser (Mozilla) Lib PKCS11 Windows 2003 IIS 6.0 AD Resources Certificate Template Win Box MS CA? Unix Apache Mod_KCT KCT MIT KDC
22
Summary and conclusions In theory, it is possible to achieve cross-platform single sign-on In theory, it is possible to achieve cross-platform single sign-on But full functionality has issues… But full functionality has issues… Lots of components involved (KDC, KCA, AD…) Lots of components involved (KDC, KCA, AD…) Compatibility (not fully documented requirements) Compatibility (not fully documented requirements) Intrinsic limitations Intrinsic limitations Extensions not present in the KCA certificates Extensions not present in the KCA certificates Integration between applications and servers Integration between applications and servers
23
Questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.