Wednesday, December 11, 2013

Basics: Kerberos Super-Simplified

Cerberus the 3-headed dog



Kerberos is a protocol that combines DNS, cryptography, a distributed client-server model, time synchronization and ticket exchanges to provide secure authentication.

From a security perspective, Kerberos provides the following:
  • Confidentiality: passwords are never sent in the clear over the network.
  • Integrity of the transaction: exchanges cannot be tampered with in transit without detection.
  • High availability (if properly implemented): it can be deployed in a distributed fashion.
For Kerberos to work:
  1. DNS name resolution needs to be working correctly.
  2. There has to be a directory service (like LDAP) to store service principal names, and the service principals need to be registered in the proper attributes of the directory.
  3. The Key Distribution Server needs to be available.
  4. Time between clients and servers can't be skewed by more than 5 minutes (time servers have to be implemented).
  5. Client software needs to support Kerberos, and the Kerberos environment has to be properly configured.
Active Directory solves all of these.  As a matter of fact, any working Windows network today (Windows 2000 and up) has a working Kerberos environment.  Kerberos is used by millions of people every day:

a) Bob signs into his Windows computer in the morning.
b) As he signs in successfully, a Ticket Granting Ticket (TGT) is issued for him with a duration of 10 hours.
c) He opens his email (Outlook) and is able to start work on pending tasks.

Note: In a normal configuration he does not need to type in his password again to open the program, because the "Kerberized client" (Outlook), the "Kerberized server" (Microsoft Exchange), the directory, Key Distribution Server, policy server and DNS server (the AD Domain Controller) take care of the rest.
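To make the properties and the sign-in flow above concrete, here is a toy model of the two Kerberos exchanges (AS: sign-in and TGT; TGS: ticket for a service) written for this post as an added example. It is not code from the post or from any Kerberos implementation: the "encryption" is a keyed SHA-256 keystream with an HMAC tag standing in for a real cipher suite, the message layout is simplified, and the principals, passwords and SPN are constructed sample values. What it shows is that the password never travels over the network (only the holder of the password-derived key can open the AS reply), that a tampered ticket is rejected, that clock skew over 5 minutes and an expired 10-hour TGT are refused, and that a service ticket is only issued for an SPN the KDC knows about.

```python
"""Toy Kerberos AS/TGS exchanges (added example; not real Kerberos crypto)."""
import hashlib
import hmac
import json
import os

REALM = "CONTOSO.COM"          # constructed sample realm
MAX_SKEW = 5 * 60              # seconds: the 5-minute rule
TGT_LIFETIME = 10 * 60 * 60    # seconds: Bob's 10-hour TGT


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from password + salt; the KDC stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption: nonce || XOR-encrypted JSON || HMAC tag."""
    nonce = os.urandom(16)
    plain = json.dumps(message).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first: a wrong key or a tampered byte is rejected."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Service + Ticket Granting Service (the DC's KDC role)."""

    def __init__(self):
        self.keys = {}                     # principal or SPN -> long-term key
        self.krbtgt_key = os.urandom(32)   # only the KDC can open TGTs

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, principal)

    def as_exchange(self, client: str, client_time: float, now: float) -> bytes:
        """AS-REQ/AS-REP: reply is sealed under the client's key; no password on the wire."""
        if abs(client_time - now) > MAX_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        if client not in self.keys:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        session_key = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "key": session_key, "expires": now + TGT_LIFETIME})
        return seal(self.keys[client], {"key": session_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, authenticator: bytes, spn: str, now: float) -> bytes:
        """TGS-REQ/TGS-REP: TGT plus authenticator in, service ticket out."""
        tgt = unseal(self.krbtgt_key, bytes.fromhex(tgt_hex))
        if now > tgt["expires"]:
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
        session_key = bytes.fromhex(tgt["key"])
        auth = unseal(session_key, authenticator)
        if auth["client"] != tgt["client"] or abs(auth["time"] - now) > MAX_SKEW:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        if spn not in self.keys:           # the SPN must be registered in the directory
            raise PermissionError("KDC_ERR_S_PRINCIPAL_UNKNOWN")
        service_key = os.urandom(32).hex()
        ticket = seal(self.keys[spn], {"client": tgt["client"], "key": service_key, "expires": tgt["expires"]})
        return seal(session_key, {"key": service_key, "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, now: float) -> dict:
    """Bob's morning sign-in: derive the key locally, open the AS reply, cache the TGT."""
    reply = unseal(derive_key(password, user), kdc.as_exchange(user, now, now))
    return {"user": user, "session_key": reply["key"], "tgt": reply["tgt"]}


def client_get_service_ticket(kdc: KDC, creds: dict, spn: str, now: float) -> dict:
    """The Kerberized client asking for a ticket to a service SPN with its cached TGT."""
    session_key = bytes.fromhex(creds["session_key"])
    authenticator = seal(session_key, {"client": creds["user"], "time": now})
    reply = unseal(session_key, kdc.tgs_exchange(creds["tgt"], authenticator, spn, now))
    return {"ticket": reply["ticket"], "key": reply["key"]}


def service_accept(service_password: str, spn: str, ticket_hex: str, now: float) -> str:
    """The Kerberized server opens the ticket with its own key and learns who the client is."""
    ticket = unseal(derive_key(service_password, spn), bytes.fromhex(ticket_hex))
    if now > ticket["expires"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    return ticket["client"]


def run_bob_morning(now: float = 1_386_752_400.0) -> str:
    """End to end with constructed sample secrets; returns the client name the service sees."""
    kdc = KDC()
    kdc.register("bob", "sample-user-password")             # constructed, not a real credential
    kdc.register("http/web.contoso.com", "sample-svc-key")  # SPN registered in the directory
    creds = client_login(kdc, "bob", "sample-user-password", now)
    svc = client_get_service_ticket(kdc, creds, "http/web.contoso.com", now + 60)
    return service_accept("sample-svc-key", "http/web.contoso.com", svc["ticket"], now + 61)


if __name__ == "__main__":
    print(run_bob_morning())
```

Run it and the service reports "bob" without ever having seen Bob's password; change a byte of a ticket, move the client clock six minutes, or ask for an SPN that was never registered, and the corresponding step refuses.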

Notice all the functions performed by Active Directory:

Function                                       | Provider
Provides name resolution                       | AD Domain Controller - DNS Service
Issues, validates tickets                      | AD Domain Controller - KDC
Provides encryption services                   | AD Domain Controller - AES 256
Defines and enforces Kerberos policies         | AD Domain Controller - Group Policy Engine
Directory services                             | AD Domain Controller - LDAP
Provides time synchronization                  | AD Domain Controller - win32 time service
Provides high-availability and standard config | AD Domain Controller - replication
Kerberized client                              | Windows 7, Microsoft Outlook
Kerberized server                              | Microsoft Exchange


Notice the fragmentation on UNIX/Linux:

Function                                       | Provider
Provides name resolution                       | BIND
Issues, validates tickets                      | Kerberos KDCs (MIT or Heimdal)
Provides encryption services                   | LDAP (SSL or TLS); Kerberos (for auth only)
Defines and enforces Kerberos policies         | Configuration files
Directory services                             | OpenLDAP (and other packages)
Provides time synchronization                  | Network Time Protocol (NTP)
Provides high-availability                     | Multiple solutions: LDAP Sync (for OpenLDAP), BIND master/slaves, Kerberos master/slaves, filers and exported shares for configuration files
Kerberized client                              | Many available, but not all support Kerberos (not important in the context of this conversation)
Kerberized server                              | Many available, but not all support Kerberos (not important in the context of this conversation)


Notice the variety of products, and now think:  What's in a capability?

People-Process-Technology

This example illustrates a phenomenon that plagues many organizations today: IT fragmentation.  For each of these solutions, organizations require specialists (people), deviations in how things are done (process) and, as you can see above, different solutions (technology).

This is why, in my previous post, the IT manager is concerned about costs and organizational agility.

Service Principal Names
SPNs are the "names" associated with a service; the service (a web server, host, file server, etc.) executes in that security context.  Better definition here.

The syntax is: <service type>/<host name>:<port number>

In a practical sense, the meaning is this: if a service (let's say Apache, or httpd) wants to use Kerberos authentication, not only does it have to be Kerberized, but the host of the service has to have an SPN for that service in the directory service.  For example, for the host web.contoso.com, the SPN of the http service running on port TCP 8080 is:  http/web.contoso.com:8080

Not specifying a port assumes the default port for the service; in our example, port TCP 80.

Troubleshooting Kerberos

Troubleshooting Kerberos takes a lot of practice and will be revisited later, but here is a basic set of steps.  Just ask yourself:
  1. Is the service Kerberized?
  2. Is name resolution working?  Can DNS resolve by FQDN and by short name?
  3. Is the time synchronized between the client, the server and the KDC (the DC in AD)?
  4. Are the correct SPNs registered (remember that you can do short names and FQDNs)?
  5. Finally, the fact that you can authenticate does not mean that you're authorized!!!
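The SPN syntax from the previous section and checklist steps 2 to 5 above fit naturally into one small script, added here as an example (it is not the post's code and not a tool from any vendor). The SPN parser applies the "no port means the default port" rule; the checker takes the pieces it would otherwise have to query (a DNS resolver, the SPNs registered in the directory, the client and KDC clocks, and an authorization list) as plain inputs, so the sample run below works offline on constructed records. The default-port table, the sample host, SPNs and user names are all assumptions made for the demo, and the service class is compared case-insensitively as a simplification.

```python
import re
from datetime import datetime, timedelta, timezone

# Default ports assumed for the demo when an SPN carries no port
# (the post's example: http with no port means TCP 80).
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "cifs": 445}

SPN_RE = re.compile(r"^([A-Za-z0-9_-]+)/([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def parse_spn(spn: str) -> dict:
    """Split '<service type>/<host name>[:<port number>]'; a missing port gets the default."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    service, host, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
    return {
        "service": service,                 # lowercased: simplification for the demo
        "host": host,                       # DNS names are case-insensitive
        "port": int(port) if port else DEFAULT_PORTS.get(service),
        "fqdn": "." in host,                # short name vs fully qualified name
    }


def canonical(spn: str) -> tuple:
    p = parse_spn(spn)
    return (p["service"], p["host"], p["port"])


def check_kerberos(spn, resolver, registered_spns, client_time, kdc_time,
                   user, authorized_users, max_skew_seconds=300) -> list:
    """Run checklist steps 2-5 and return the findings; an empty list means all clear."""
    findings = []
    p = parse_spn(spn)
    # 2. Name resolution: both the FQDN and the short name should resolve.
    short = p["host"].split(".")[0]
    for name in (p["host"], short):
        if resolver(name) is None:
            findings.append(f"DNS: {name} does not resolve")
    # 3. Time: Kerberos tolerates at most 5 minutes of skew by default.
    skew = abs((client_time - kdc_time).total_seconds())
    if skew > max_skew_seconds:
        findings.append(f"TIME: skew of {skew:.0f}s exceeds {max_skew_seconds}s")
    # 4. SPN registered? Compare service/host/port after applying the default port.
    if canonical(spn) not in {canonical(s) for s in registered_spns}:
        findings.append(f"SPN: {spn} is not registered in the directory")
    # 5. Authenticated is not the same as authorized.
    if user not in authorized_users:
        findings.append(f"AUTHZ: {user} authenticated but is not authorized for {spn}")
    return findings


# Constructed sample environment: not real hosts, records or accounts.
DNS_RECORDS = {"web.contoso.com": "10.0.0.5", "web": "10.0.0.5"}
REGISTERED_SPNS = ["http/web.contoso.com", "http/web", "http/web.contoso.com:8080"]
AUTHORIZED = {"bob"}


def demo() -> tuple:
    """One healthy request and one with clock skew, an unregistered port and an unauthorized user."""
    now = datetime(2013, 12, 11, 9, 0, tzinfo=timezone.utc)
    ok = check_kerberos("http/web.contoso.com:80", DNS_RECORDS.get, REGISTERED_SPNS,
                        now, now, "bob", AUTHORIZED)
    bad = check_kerberos("http/web.contoso.com:8443", DNS_RECORDS.get, REGISTERED_SPNS,
                         now + timedelta(minutes=6), now, "alice", AUTHORIZED)
    return ok, bad


if __name__ == "__main__":
    for label, result in zip(("ok", "bad"), demo()):
        print(label, result or "all checks passed")
```

The healthy request passes because http/web.contoso.com:80 and the registered http/web.contoso.com are the same SPN once the default port is applied; the second request collects three findings (skew, unregistered SPN, no authorization) even though DNS is fine, which is the point of step 5: each check answers a different question.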
