[Image: Cerberus, the 3-headed dog]
Kerberos is a protocol that leverages DNS, cryptography, a distributed client-server model, time synchronization and ticket exchanges to provide secure authentication.
From a security perspective, Kerberos provides the following:
- Confidentiality: it makes sure that passwords are never sent in the clear over the network.
- Integrity of the transaction: it makes sure that exchanges are not tampered with in transit.
- High availability (if properly implemented), because it can be deployed in a distributed fashion.
To deliver this, Kerberos depends on the following:
- DNS name resolution needs to be working correctly.
- There has to be a directory service (like LDAP) to store service principal names, and service principals need to be registered in the proper attributes of the directory.
- The Key Distribution Center (KDC) needs to be available.
- Time between clients and servers can't be skewed by more than 5 minutes (so time servers have to be implemented).
- Client software needs to support Kerberos, and the Kerberos environment has to be properly configured.
a) Bob signs into his Windows computer in the morning.
b) As he signs in successfully, a Ticket Granting Ticket (TGT) is issued for him with a duration of 10 hours.
c) He opens his email (Outlook) and is able to start work on pending tasks.
Note: In a normal configuration he does not need to type in his password again to open the program, because the "Kerberized client" (Outlook), the "Kerberized server" (Microsoft Exchange), the Directory, Key Distribution Center, Policy Server and DNS server (the AD Domain Controller) take care of the rest.
Notice all the functions performed by Active Directory
Function | Provider
--- | ---
Provides name resolution | AD Domain Controller - DNS Service
Issues, validates tickets | AD Domain Controller - KDC
Provides encryption services | AD Domain Controller - AES 256
Defines and enforces Kerberos policies | AD Domain Controller - Group Policy Engine
Directory Services | AD Domain Controller - LDAP
Provides time synchronization | AD Domain Controller - Win32 Time service
Provides high-availability and standard configuration | AD Domain Controller - replication
Kerberized Client | Windows 7, Microsoft Outlook
Kerberized Server | Microsoft Exchange
Notice the fragmentation on UNIX/Linux
Function | Provider
--- | ---
Provides name resolution | BIND
Issues, validates tickets | Kerberos KDCs (MIT or Heimdal)
Provides encryption services | LDAP (SSL or TLS); Kerberos (for auth only)
Defines and enforces Kerberos policies | Configuration files
Directory Services | OpenLDAP (& other packages)
Provides time synchronization | Network Time Service (NTP)
Provides high-availability | Multiple solutions: LDAP Sync (for OpenLDAP); BIND master/slaves; Kerberos master/slaves; filers and exported shares for configuration files
Kerberized Client | Many available, but not all support Kerberos (not important in the context of this conversation)
Kerberized Server | Many available, but not all support Kerberos (not important in the context of this conversation)
Notice the variety of products, and now think: what's in a capability?
People-Process-Technology
This example illustrates a phenomenon that plagues many organizations today: IT fragmentation. For each of these solutions, organizations require specialists (people), deviations in how things are done (process) and, as you can see above, different solutions (technology).
This is why, in my previous post, the IT manager is concerned about costs and organization agility.
Service Principal Names
SPNs are the "names" associated with a service. The service (like a web server, host, file server, etc.) executes in that security context. A better definition is linked here.
The syntax is: <service type>/<host name>:<port number>
In a practical sense, this means that if a service (let's say Apache, or httpd) wants to use Kerberos authentication, not only does it have to be Kerberized, but the host of the service has to have an SPN for that service in the directory service. For example, for the host web.contoso.com, the SPN of the http service running on port TCP 8080 is: http/web.contoso.com:8080
Not specifying a port basically assumes the default port; in our example, port TCP 80.
Troubleshooting Kerberos
Troubleshooting Kerberos takes a lot of practice and will be revisited later, but here is a basic set of steps. Just ask yourself:
- Is the service Kerberized?
- Is name resolution working? Can DNS resolve both the FQDN and the short name?
- Is the time synchronized between the client, the server and the KDC (the DC in AD)?
- Are the correct SPNs registered (remember that you can register short names as well as FQDNs)?
- Finally, the fact that you can authenticate does not mean that you're authorized!!!
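The SPN syntax above and the checklist items that do not need a live KDC (SPN registration for both FQDN and short name, the default-port rule, and the 5-minute clock skew limit) can be turned into a small pre-flight script. The following is an added example written for this post, not code from the original; the directory contents and timestamps are constructed sample data, and the default ports other than TCP 80 for http are this example's own assumption. It also flags an SPN registered on more than one account, a condition the checklist does not mention but which prevents the KDC from issuing a usable ticket for that service.

```python
"""Kerberos pre-flight checks (added example, not from the original post).

Covers the checklist items testable without a KDC:
  * SPN syntax (<service type>/<host name>:<port number>) and default-port handling
  * expected SPNs for a service host, in FQDN and short-name form
  * comparison against the SPNs a directory reports (missing and duplicate)
  * clock skew of client and server against the KDC, 5-minute limit
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: ports applied when an SPN omits one. The post only states
# TCP 80 for http; the other entries are this example's own choices.
DEFAULT_PORTS = {"http": 80, "ldap": 389, "host": None}

MAX_SKEW = timedelta(minutes=5)  # limit stated in the post


@dataclass(frozen=True)
class SPN:
    service: str
    host: str
    port: Optional[int]

    def __str__(self) -> str:
        base = f"{self.service}/{self.host}"
        return base if self.port is None else f"{base}:{self.port}"


def parse_spn(text: str) -> SPN:
    """Parse 'service/host[:port]'. Service class and host are compared
    case-insensitively by AD, so both are normalised to lower case."""
    service, slash, rest = text.partition("/")
    if not slash or not service or not rest:
        raise ValueError(f"not an SPN (expected service/host[:port]): {text!r}")
    host, colon, port_text = rest.partition(":")
    if not host or (colon and not port_text.isdigit()):
        raise ValueError(f"bad host or port in SPN: {text!r}")
    return SPN(service.lower(), host.lower(), int(port_text) if colon else None)


def effective_port(spn: SPN) -> Optional[int]:
    """Port the SPN refers to, applying the default when none is given."""
    return spn.port if spn.port is not None else DEFAULT_PORTS.get(spn.service)


def expected_spns(service: str, fqdn: str, port: Optional[int] = None) -> set:
    """SPNs a Kerberized service on `fqdn` should have registered: one for
    the FQDN and one for the short name, each carrying the explicit port."""
    short = fqdn.split(".", 1)[0]
    return {str(SPN(service.lower(), h.lower(), port)) for h in (fqdn, short)}


def check_spns(expected: set, directory: dict) -> dict:
    """`directory` maps an account (the service's security context) to the
    SPNs registered on it. Returns the expected SPNs that are missing and
    the SPNs registered on more than one account (duplicates)."""
    owners: dict = {}
    for account, spns in directory.items():
        for raw in spns:
            owners.setdefault(str(parse_spn(raw)), []).append(account)
    missing = sorted(s for s in expected if s not in owners)
    duplicates = {s: a for s, a in owners.items() if len(a) > 1}
    return {"missing": missing, "duplicates": duplicates}


def check_clock_skew(clocks: dict, kdc: str = "kdc") -> list:
    """Names of hosts whose clock differs from the KDC's by more than 5 minutes."""
    reference = clocks[kdc]
    return sorted(h for h, t in clocks.items() if abs(t - reference) > MAX_SKEW)


if __name__ == "__main__":
    # Constructed sample: SPNs the directory reports for two accounts.
    sample_directory = {
        "CONTOSO\\svc_web": ["HTTP/web.contoso.com:8080", "HTTP/web:8080"],
        "CONTOSO\\svc_old": ["HTTP/web.contoso.com:8080"],  # stale duplicate
    }
    print(check_spns(expected_spns("http", "web.contoso.com", 8080), sample_directory))
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    sample_clocks = {"kdc": now, "client": now + timedelta(minutes=2),
                     "server": now - timedelta(minutes=7)}
    print(check_clock_skew(sample_clocks))
```

In a real environment the `directory` dictionary would be filled from the `servicePrincipalName` attribute of the service accounts (for example via an LDAP query), and `clocks` from each host's reported time; the checks themselves stay the same.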