Active Directory and NT Kerberos
Rooster
JD Glaser
Introduction to NT Kerberos v5
• What is NT Kerberos?
• How is it different from NTLM
• NT Kerberos vs MIT Kerberos
• Delegation and Client Authentication
• What does NT Kerberos look like on the wire?
• KTNet - A native NT Kerberos telnet server
What is NT Kerberos
• NT’s new authentication system
• MIT Kerberos v5 - an Open Standard
• Kerberos is the default authenticator in W2K domains
• NTLM still used for compatibility
– usually the weakest version
How is it different from NTLM
• Doesn’t use a password hash system
• Requires fewer authentication calls
• More sophisticated? - Yes
• More secure? - Possibly in pure mode
– Backwards compatibility hinders it
– NTLM v2 is strong in pure mode as well
NT Kerberos
• Integrated with platform
• Locates KDC via DNS - DNS server required for install
• No support for DCE style cross-realm trust
• No “raw” krb5 API
• Postdated tickets (not implemented)
• Uses authdata field in ticket
Windows 2000 Kerberos standards
• RFC-1510
• Kerberos change password protocol
• Kerberos set password protocol
• RC4-HMAC Kerberos encryption type
• PKINIT
Kerberos Interoperability Scenarios
• Kerberos clients in a Win2000 domain
• Kerberos servers in a Win2000 domain
• Standalone Win2000 systems in a Kerberos realm
• Using a Kerberos realm as a resource domain
• Using a Kerberos realm as an account domain
MIT Kerberos Differences
Win2000
• Clients
– Just logon
– Just logoff
– Domain membership
– Example app: everything
• Servers
– Use computer account via SCM
MIT
• Clients
– User logon with ‘kinit’
– User logoff with ‘kdestroy’
– Configured with /etc/krb5.conf
– Example app: telnet
• Servers
– Do not logon – use saved keys from keytab
Using Kerberos clients
Customer wants to have its non-Windows Kerberos users use their Win2000 accounts
• Setup the /etc/krb5.conf
• Users kinit with their Win2000 account
(Diagram: Unix workstation authenticating to a Windows 2000 Server in nt.company.com)
Using Kerberos servers
Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
• /etc/krb5.conf on database server
• Create service account in domain
• Use ktpass to export a keytab
• Copy keytab to database server
• IIS server is trusted for delegation
(Diagram: Windows 2000 Wks, Windows 2000 IIS Server and Unix Database Server in nt.company.com)
Kerberos realm as an account domain
• User logon with Kerberos principal
• User has shadow account in an account domain (for applying authz)
• Mapping is used at logon for domain identity
(Diagram: MIT.REALM.COM and win2k.domain.com; domain trusts realm users)
Standalone Win2000 computers
An employee has a Win2000 computer that they want to use in a Kerberos realm
• Configure system as standalone (no domain)
• Use Ksetup to configure the realm
• Use Ksetup to establish the local account mapping
• Logon to Kerberos realm
(Diagram: Win2000 computer and Linux/Unix KDC in MIT.REALM.COM)
Trusting a Kerberos realm
• Win2000 users accessing services in Kerberos realms
• Kerberos users accessing services in domains
Windows 2000 Domain Trusts
(Diagram: domain tree microsoft.com, europe.microsoft.com and fareast.microsoft.com joined by Kerberos trust; other domains joined by explicit Windows NT 4.0-style trust; a Kerberos realm joined by explicit Kerberos trust; a shortcut trust between domains)
Cross-domain Authentication
(Diagram: Windows 2000 Professional in west.company.com, Windows 2000 Server srv1.east.company.com in east.company.com, parent domain company.com, one KDC per domain; steps 1 TGT, 2 TGT, 3 TGT, 4 TICKET)
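The referral chain on the slide above (client in west.company.com reaching srv1.east.company.com through the parent company.com), modelled in Python as an added example that is not from the talk: each KDC only issues tickets for hosts in its own realm and otherwise hands back a referral TGT sealed under the inter-realm key it shares with the next hop. HMAC stands in for ticket encryption, the KDC/seal/trust_path names are the example's own, and all keys are generated at run time.

```python
import hashlib, hmac, os
# Constructed trust tree from the slide: west and east are child domains of company.com.
PARENT = {"west.company.com": "company.com", "east.company.com": "company.com"}

def trust_path(src, dst):  # realms walked up from src to the common parent, then down to dst
    up = [src]
    while up[-1] in PARENT:
        up.append(PARENT[up[-1]])
    down = [dst]
    while down[-1] not in up:
        down.append(PARENT[down[-1]])  # KeyError if dst is outside the trust tree
    return up[:up.index(down[-1]) + 1] + down[-2::-1]

def seal(key, client, service, issuer):  # stand-in for an encrypted ticket: body plus MAC
    body = f"{client}|{service}|{issuer}".encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class KDC:
    def __init__(self, realm):
        self.realm, self.tgs_key = realm, os.urandom(16)  # krbtgt key of this realm
        self.interrealm, self.service_keys = {}, {}       # keys shared with trusted realms / hosts
    def as_request(self, client):  # step 1 on the slide: initial TGT from the client's own KDC
        return seal(self.tgs_key, client, f"krbtgt/{self.realm}", self.realm)
    def tgs_request(self, tgt, host):  # steps 2-4: referral TGT for the next hop, or the ticket
        body, mac = tgt
        client, tgs, issuer = body.decode().split("|")
        key = self.tgs_key if issuer == self.realm else self.interrealm.get(issuer, b"")
        if tgs != f"krbtgt/{self.realm}" or not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
            raise PermissionError("TGT not sealed under a key this KDC trusts")
        target = host.split(".", 1)[1]  # srv1.east.company.com -> east.company.com
        if target == self.realm:
            return seal(self.service_keys[host], client, host, self.realm)
        nxt = trust_path(self.realm, target)[1]
        return seal(self.interrealm[nxt], client, f"krbtgt/{nxt}", self.realm)

def build_company_forest():
    kdcs = {r: KDC(r) for r in ("company.com", *PARENT)}
    for child, parent in PARENT.items():  # each parent/child trust shares one inter-realm key
        kdcs[child].interrealm[parent] = kdcs[parent].interrealm[child] = os.urandom(16)
    kdcs["east.company.com"].service_keys["srv1.east.company.com"] = os.urandom(16)
    return kdcs

def get_service_ticket(kdcs, client, client_realm, host):  # client side of the four messages
    kdc, hops = kdcs[client_realm], [(client_realm, f"krbtgt/{client_realm}")]
    tgt = kdc.as_request(client)
    while hops[-1][1] != host:  # keep presenting the newest TGT until a ticket names host
        tgt = kdc.tgs_request(tgt, host)
        hops.append((kdc.realm, tgt[0].decode().split("|")[1]))
        kdc = kdcs.get(hops[-1][1].partition("/")[2], kdc)  # a referral names the next KDC
    return tgt, hops
```

A TGT a KDC cannot verify under its own krbtgt key or one of its inter-realm keys is rejected, which is the check that keeps an untrusted realm from minting tickets into this one.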
Using Unix KDCs with Windows 2000 Authorization
(Diagram: Win2000 Professional in COMPANY.REALM with an MIT KDC, Windows 2000 Server in nt.company.com with a Windows 2000 KDC; steps 1 TGT, 2 TGT, name mapping to NT account, 3 TICKET, 4 TICKET with NT Auth Data)
NT Kerberos vs MIT Kerberos
• NT caches the password for ticket renewal
• It’s not certain whether NT uses ticket caching to track stolen ‘replay’ tickets
Kerberos v5 Ticket Details
Delegation and Client Authentication
NT Kerberos On The Wire
Appendix
• John Brezak, PM - Microsoft
– Kerberos Talk - MTB ‘99