Windows 2000 Kerberos Interoperability
Paul Hill, Co-Leader, Kerberos Development Team, MIT
John Brezak, Program Manager, Windows 2000 Security, Microsoft Corporation
Windows 2000 Kerberos Interoperability (agenda)
- History
- Windows 2000 implementation
- Interoperability scenarios
Some History
- Kerberos developed at MIT as part of Project Athena
- Funded by Digital and IBM
- Freely available source that allows derivative commercial work
- Change control given to IETF
- Based on research by Schroeder and Needham (Needham is now a Microsoft Research employee)
MIT's Goals
- Provide a solution that nobody else was addressing at the time
- Convince others that security is important
- Get vendors to adopt Kerberos so that we could purchase secure systems
- Have we succeeded beyond our expectations?
Commercial Support
- Many vendors have come and gone: GZA / Open Vision / Veritas, Cygnus, Sun, IBM, SGI, OSF DCE, CyberSafe, Microsoft
Integration
- Operating systems have shipped with Kerberos but not used it as the default authentication mechanism
- OS vendors shipping Kerberos have not provided applications or services that are integrated with it
- Microsoft is changing this: default authentication, application support, and using Kerberos to secure other infrastructure
What Is Kerberos
- Kerberos IV currently deployed in many universities (many Kerberized applications for Unix)
- Kerberos IV used in the Andrew File System (AFS)
- Kerberos IV had design flaws leading to Kerberos version 5
- Kerberos v5 is a standard (RFC 1510)
- Kerberos IV and Kerberos 5 do not interoperate!
- Bones and eBones (Kerberos IV)
- Win2000 implements Kerberos v5
Windows 2000 Kerberos
- Every Domain Controller is a KDC
- Active Directory is the administrative interface, via LDAP
- Programmer's interface is SSPI (similar to GSSAPI); no krb5 APIs
- DNS domain and Kerberos realm names are identical, except for case: the realm name is the upper-cased DNS name and is case-sensitive
- Also provides the authorization service for the Windows NT security model
Windows 2000 Kerberos Implementation
- Locates KDC via DNS
- DES-CBC-CRC and DES-CBC-MD5 enctypes for interoperability (56-bit keys)
- RC4-HMAC preferred enctype (56/128-bit keys)
- Does not support MD4 checksum type
- No support for DCE-style cross-realm trust
- Postdated tickets (not implemented)
- Structured service naming conventions
- PKINIT
Windows 2000 Kerberos Standards
- RFC 1510 (plus parts of the Kerberos-revisions I-D)
- Kerberos change password protocol: draft-ietf-cat-kerb-chg-password-02.txt
- Kerberos set password protocol: draft-ietf-cat-kerberos-set-passwd-00.txt
- RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-00.txt
- PKINIT: draft-ietf-cat-kerberos-pk-init-09.txt
Kerberos Authorization Data
- Kerberos protocol supports authorization data in tickets (examples: DCE and SESAME architectures)
- Revision to RFC 1510: clarifications on client-supplied and KDC-supplied data, submitted by Ted Ts'o and Clifford Neuman
- Interoperability issues are minimal: Windows 2000 auth data is ignored by UNIX implementations
Authorization Data
- What is the client allowed to do? Based on Windows 2000 group membership, identified by Security IDs (SIDs) in the NT security architecture
- Windows 2000 KDC supplies auth data in tickets:
  - At interactive logon (AS exchange): user SID, global and universal group SIDs
  - At session ticket request (TGS exchange): domain local group SIDs
Negotiate Package
- Special SSP to select an authentication package
- Windows 2000 logo requirement
- Implementation of SPNEGO (RFC 2478)
- Tries up-level SSPs (Kerberos); falls back to down-level SSPs (NTLM)
- Selection of up-level SSP based on SPN
Kerberos Interoperability Scenarios
- Windows 2000 domain without a Microsoft KDC
- Kerberos clients in a Win2000 domain
- Kerberos servers in a Win2000 domain
- Standalone Win2000 systems in a Kerberos realm
- Using a Kerberos realm as a resource domain
- Using a Kerberos realm as an account domain
Windows 2000 Domain Without A Microsoft KDC
- Not a supported scenario
- Windows 2000 domain security model depends on the authorization data (SIDs) the KDC places in tickets
- Microsoft KDC is tightly integrated with Active Directory
- Support for down-level services (NTLM)
Standalone Windows 2000 Computers
- A dorm student has a Win2000 computer that they want to use with the University's Kerberos realm
- Configure the system as standalone (no domain)
- Use Ksetup to configure the realm
- Use Ksetup to establish the local account mapping
- Log on to the Kerberos realm
[Figure: a Windows 2000 workstation and a Linux KDC in realm MIT.REALM.COM]
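The Ksetup steps above, carried through as an added example that is not from the original slides. It assumes a realm MIT.REALM.COM, a KDC host kerberos.mit.realm.com, a realm principal student@MIT.REALM.COM, an existing local account "student" and a workstation name dormpc.mit.realm.com; the ksetup options are the documented ones (/setdomain, /addkdc, /addkpasswd, /setcomputerpassword, /mapuser).

```powershell
# Added example (not from the original slides): configure a standalone
# Windows 2000 workstation, which is not a domain member, to log on against
# an MIT Kerberos realm with Ksetup. Realm, KDC host, principal, local
# account and workstation FQDN are assumptions. Run from an administrative
# prompt; a reboot is needed afterwards.
$Realm        = 'MIT.REALM.COM'            # realm names are upper-case and case-sensitive
$Kdc          = 'kerberos.mit.realm.com'   # assumed KDC host; repeat /addkdc per KDC
$Principal    = 'student@MIT.REALM.COM'    # assumed realm principal of the dorm user
$LocalAccount = 'student'                  # local account that must already exist
$Fqdn         = 'dormpc.mit.realm.com'     # assumed name of the workstation's host principal

function Invoke-Ksetup {
    # Runs one ksetup command and stops on the first failure, so a
    # half-configured workstation is noticed now rather than at logon time.
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Name the realm and tell Windows where its KDC and kpasswd servers are.
#    Windows 2000 finds its own domain controllers through DNS; the MIT KDC
#    for a foreign realm is listed explicitly here.
Invoke-Ksetup @('/setdomain', $Realm)
Invoke-Ksetup @('/addkdc', $Realm, $Kdc)
Invoke-Ksetup @('/addkpasswd', $Realm, $Kdc)

# 2. Give the workstation its own long-term key. The same secret has to be
#    set on the host/<fqdn> principal in the realm, so print the kadmin
#    command for the realm administrator. (The Windows 2000-era tool spells
#    this option /setmachpassword.)
$HostKey = [Convert]::ToBase64String([byte[]](1..24 | ForEach-Object { Get-Random -Maximum 256 })) -replace '[^A-Za-z0-9]', ''
Invoke-Ksetup @('/setcomputerpassword', $HostKey)
Write-Host "On the KDC run: kadmin -q `"addprinc -pw $HostKey host/$Fqdn@$Realm`""

# 3. Map the realm principal onto the local account Windows will use for the
#    session (profile, ACLs). Map principals one by one: '/mapuser * *' maps
#    every principal in the realm onto any local account of the same name.
Invoke-Ksetup @('/mapuser', $Principal, $LocalAccount)

# 4. Show the resulting configuration, then reboot so the realm appears in
#    the 'Log on to' list at the Windows logon prompt.
& ksetup.exe
```

The explicit one-to-one mapping in step 3 is the security-relevant choice: the realm's KDC decides who the principal is, but the local mapping decides which Windows identity that principal becomes, so it should name exactly one principal per local account.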
Using Kerberos Servers
- Customer wants to use their Kerberos-enabled database server in an n-tier application front-ended by IIS
- /etc/krb5.conf on the database server
- Create a service account in the domain
- Use ktpass to export a keytab
- Copy the keytab to the database server
- IIS server is trusted for delegation
[Figure: a Windows 2000 workstation, a Windows 2000 IIS server and a Unix database server in domain nt.company.com]
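The procedure above, carried through end to end as an added example that is not from the original slides or from Microsoft's walk-through. It assumes a database server db1.nt.company.com, a service principal dbsvc/db1.nt.company.com, a service account svc-db1, a domain controller dc1.nt.company.com and an IIS computer object named IISSRV; the Active Directory attribute values (userAccountControl flags, altSecurityIdentities) and the ktpass options are the documented ones. The DES enctype is chosen only because it is the enctype the slides list for interoperability; DES in Kerberos has since been deprecated (RFC 6649), so a current deployment would use AES.

```powershell
# Added example (not from the original slides): register a Kerberos-enabled
# Unix database server in the Windows 2000 domain nt.company.com and allow
# the IIS front end to delegate the user's identity to it. Host names, the
# service name, the account name and the LDAP paths are assumptions.
$Domain     = 'nt.company.com'
$Realm      = $Domain.ToUpper()                 # the DNS domain is the Kerberos realm
$Dc         = 'dc1.nt.company.com'              # assumed domain controller (every DC is a KDC)
$DbHost     = 'db1.nt.company.com'              # assumed FQDN of the Unix database server
$Spn        = "dbsvc/$DbHost@$Realm"            # assumed service name, in service/host form
$SvcAccount = 'svc-db1'                         # assumed AD user account standing in for the service
$OutDir     = Join-Path $env:TEMP 'db1-kerberos'
$UsersPath  = 'LDAP://CN=Users,DC=nt,DC=company,DC=com'
$IisPath    = 'LDAP://CN=IISSRV,CN=Computers,DC=nt,DC=company,DC=com'  # assumed IIS computer object
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the service account, still disabled (ACCOUNTDISABLE 0x2), with
#    DONT_EXPIRE_PASSWD (0x10000) so the keytab does not silently go stale and
#    USE_DES_KEY_ONLY (0x200000) so the KDC issues DES-keyed service tickets
#    that match the DES keytab exported below.
$users = [ADSI]$UsersPath
$svc = $users.Create('user', "CN=$SvcAccount")
$svc.Put('sAMAccountName', $SvcAccount)
$svc.SetInfo()
$svc.Put('userAccountControl', (0x202 -bor 0x10000 -bor 0x200000))
$svc.SetInfo()

# 2. Export the keytab. ktpass maps the SPN onto the account, sets the
#    account password to the given value and writes the derived key to the
#    keytab. The password is random; only the KDC and the keytab need it.
$Password = [Convert]::ToBase64String([byte[]](1..24 | ForEach-Object { Get-Random -Maximum 256 })) -replace '[^A-Za-z0-9]', ''
$Keytab = Join-Path $OutDir 'krb5.keytab'
& ktpass.exe /princ $Spn /mapuser "$SvcAccount@$Domain" /pass $Password `
             /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL /out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 3. The account now has a password, so clear ACCOUNTDISABLE.
$svc.Put('userAccountControl', (0x200 -bor 0x10000 -bor 0x200000))
$svc.SetInfo()

# 4. Write the matching /etc/krb5.conf for the database server: the realm is
#    the upper-cased DNS domain, the KDC is a domain controller, and
#    domain_realm maps host names in the domain onto that realm.
$Krb5Conf = @"
[libdefaults]
    default_realm = $Realm
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    $Realm = {
        kdc = $Dc
        kpasswd_server = $Dc
    }

[domain_realm]
    .$Domain = $Realm
    $Domain = $Realm
"@
Set-Content -Path (Join-Path $OutDir 'krb5.conf') -Value $Krb5Conf

# 5. Let IIS delegate: set TRUSTED_FOR_DELEGATION (0x80000) on its computer
#    object. Windows 2000 only has unconstrained delegation: once set, IIS can
#    obtain tickets as any user who authenticated to it, for any service in
#    the domain. Treat that server as highly sensitive and mark privileged
#    accounts NOT_DELEGATED (0x100000) so their identity can never be delegated.
$iis = [ADSI]$IisPath
$uac = [int]$iis.userAccountControl.Value
$iis.Put('userAccountControl', ($uac -bor 0x80000))
$iis.SetInfo()

# 6. The rest happens on the Unix side: copy krb5.keytab to /etc/krb5.keytab
#    (owner root, mode 0600) over an authenticated channel and krb5.conf to
#    /etc/krb5.conf, then check with 'klist -k -t /etc/krb5.keytab' and
#    'kinit -k dbsvc/db1.nt.company.com'.
Write-Host "Keytab and krb5.conf written to $OutDir"
```

The keytab is equivalent to the service's password: anyone who reads it can impersonate the database server to every client in the domain, which is why the copy in step 6 must go over an authenticated channel and land root-only on the server.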
Using Unix KDCs With Windows 2000 Authorization
[Figure: a Win2000 Professional client in realm COMPANY.REALM, served by an MIT KDC, accessing a Windows 2000 Server in domain nt.company.com, served by a Windows 2000 KDC. Flow: 1 TGT (from the MIT KDC); 2 TGT (from the Windows 2000 KDC, with name mapping to the NT account); 3 TICKET; 4 TICKET with NT auth data]
Kerberos Realm As A Resource Domain
- Realm contains service principals for Unix-based services
- Service does name-based authorization
[Figure: a Unix server in MIT.REALM.COM and a Win2000 user in win2k.domain.com; the realm trusts domain users]
Kerberos Realm As An Account Domain
- User logs on with a Kerberos principal
- User has a shadow account in an account domain (for applying authorization)
- Mapping is used at logon for the domain identity
[Figure: principal [email protected] in MIT.REALM.COM; the domain win2k.domain.com trusts realm users; the principal is mapped to the shadow account [email protected] ([email protected])]
Using A Kerberos Realm As An Account Domain
- Requires shadow accounts in the domain
- Requires synchronized passwords so that NTLM can work
- Have a sample that shows account sync with an MIT Kerberos realm
- CyberSafe is adding this capability with password sync to TrustBroker
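The account-domain setup above (and the name mapping shown in the Unix KDC diagram before it), carried through as an added example that is not from the original slides or from Microsoft's sample. It assumes a realm principal alice@MIT.REALM.COM, a shadow account "alice" in win2k.domain.com and the default Users container; the netdom trust options (/add /realm /passwordt) and the altSecurityIdentities "Kerberos:" mapping format are the documented ones. The password synchronisation the slides mention is not shown; the shadow account simply gets a random password here.

```powershell
# Added example (not from the original slides): use the MIT realm
# MIT.REALM.COM as an account domain for win2k.domain.com. It creates the
# one-way trust (the domain trusts the realm), a shadow account, and the
# name mapping the domain uses at logon to turn the realm principal into a
# domain identity. Principal, account and LDAP path are assumptions; the
# trust key is generated here and must also be set on the MIT side.
$Domain    = 'win2k.domain.com'
$Realm     = 'MIT.REALM.COM'
$Principal = 'alice@MIT.REALM.COM'    # assumed realm principal
$Account   = 'alice'                  # assumed sAMAccountName of the shadow account
$UsersPath = 'LDAP://CN=Users,DC=win2k,DC=domain,DC=com'

function New-RandomSecret {
    # Base64 of 24 random bytes, restricted to alphanumerics so it passes
    # unquoted through the netdom and kadmin command lines.
    [Convert]::ToBase64String([byte[]](1..24 | ForEach-Object { Get-Random -Maximum 256 })) -replace '[^A-Za-z0-9]', ''
}

# 1. Trust the realm. /realm tells netdom the trusted side is a non-Windows
#    Kerberos realm; /passwordt is the key shared with that realm's KDC. The
#    MIT KDC must hold the same value on the cross-realm principal
#    krbtgt/WIN2K.DOMAIN.COM@MIT.REALM.COM, which realm users present to the
#    Windows 2000 KDC; the kadmin command is printed for the realm admin.
$TrustKey = New-RandomSecret
& netdom.exe trust $Domain "/domain:$Realm" /add /realm "/passwordt:$TrustKey"
if ($LASTEXITCODE -ne 0) { throw "netdom trust failed with exit code $LASTEXITCODE" }
Write-Host "On the MIT KDC run: kadmin -q `"addprinc -pw $TrustKey krbtgt/$($Domain.ToUpper())@$Realm`""

# 2. Create the shadow account. It carries the domain's authorization data
#    (SID, group membership); its own password only matters to NTLM clients,
#    which is why the slides call for password synchronisation.
$users = [ADSI]$UsersPath
$shadow = $users.Create('user', "CN=$Account")
$shadow.Put('sAMAccountName', $Account)
$shadow.Put('userPrincipalName', "$Account@$Domain")
$shadow.SetInfo()
$shadow.Invoke('SetPassword', (New-RandomSecret))
$shadow.Put('userAccountControl', 0x200)          # NORMAL_ACCOUNT, enabled
$shadow.SetInfo()

# 3. Map the realm principal onto the shadow account. The domain consults
#    this attribute at logon, so anyone who can write altSecurityIdentities
#    on an account can log on as that account with their own realm
#    credentials: guard write access to it as tightly as to the password.
$shadow.Put('altSecurityIdentities', "Kerberos:$Principal")
$shadow.SetInfo()

# 4. Read the mapping back as the KDC will see it.
$check = [ADSI]"LDAP://CN=$Account,CN=Users,DC=win2k,DC=domain,DC=com"
'{0} -> {1}' -f $check.altSecurityIdentities.Value, $check.sAMAccountName.Value
```

Two secrets come out of this script, the trust key and the shadow password; the trust key is the one that matters, since whoever holds it can mint cross-realm tickets for any mapped principal.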
Microsoft And The IETF CAT WG
Significant contributions in the standards:
- Generating KDC Referrals to locate Kerberos realms: draft-swift-win2k-krb-referrals-00.txt
- The Windows 2000 RC4-HMAC Kerberos encryption type: draft-brezak-win2k-krb-rc4-hmac-01.txt
- User to User Kerberos Authentication using GSS-API: draft-swift-win2k-krb-user2user-00.txt
- Extension to Kerberos V5 for Additional Initial Encryption: draft-ietf-cat-kerberos-extra-tgt-02.txt
- Extending Change Password for Setting Kerberos Passwords: draft-trostle-win2k-cat-kerberos-set-passwd-00.txt
- The Simple and Protected GSS-API Negotiation Mechanism (RFC 2478)
Kerberos Interoperability
- Windows 2000 Kerberos is interoperable with other popular versions
- Interoperability is regularly tested
- Customer-driven interoperability scenarios
- Push and enrich the Kerberos standards
For Additional Information
Web sites:
- Windows 2000 Kerberos Authentication: www.microsoft.com/windows/server/Technical/security/kerberos.asp
- Windows 2000 Kerberos Interoperability Whitepaper: http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.asp
- MIT Kerberos 5 Interoperability walk-through: http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp
- Compaq White Paper "Windows 2000 Authentication: under the hood": www.compaq.com/activeanswers (Windows 2000 section)
- CyberSafe ActiveTrust: www.cybersafe.com (interop with Win2000 Active Directory and Kerberos services)
- msdn.microsoft.com/library/techart/kerberossamp.htm