I was going to write about Kerberos but have been interrupted by a desire for tea.
- back -
Earl Grey if you are interested. Black. No sugar.
Kerberos. Google it and you'll find it is Cerberus, the mythical three-headed dog guarding the gates of Hades. It is also a clever authentication protocol developed by bods at MIT.
Windows has had Kerberos at its heart since Windows 2000: in an Active Directory domain it is the default authentication protocol and NTLM is only the fallback - NTLM anyone? Windows Server 2008 takes this a step further with IIS 7's kernel-mode authentication, where the Kerberos ticket is decrypted inside the kernel (by HTTP.sys) using the machine account's key rather than the application pool's. That improves speed and reduces set-up complexity - for most sites you no longer need a custom SPN on the app pool account!
I'm probably getting ahead of myself. How does Kerberos work?
The set up is pretty complex but bear with it. To help I'll use a typical scenario, logging into your PC in the morning...
There are many parts to Kerberos, but basically you have a Kerberos client running locally on your PC and a Kerberos service running on the network.
You log into your PC and the local Kerberos client sends an authentication request (an AS-REQ) to the Kerberos service on the network; in an Active Directory domain that service is the Key Distribution Center (KDC) on a domain controller. The request does not carry your password: it carries the current time encrypted with a key derived from your password (this is called pre-authentication).
The KDC knows the password-derived keys of ALL accounts in the domain, so it can decrypt that timestamp and check it. It then sends back a Ticket Granting Ticket (TGT) together with a session key. The TGT itself is encrypted with the KDC's own krbtgt key, so the client can never read it, while the session key that goes with it is encrypted using the key derived from your password. Sneaky.
You must therefore have the correct password to decrypt the reply and get at the session key; without that session key the TGT is useless to you.
The TGT is basically a way of telling the KDC that you have already successfully authenticated. Once you have a TGT the KDC will only ask for the TGT (plus a fresh timestamp encrypted with the session key, called an authenticator) and not your username/password.
This is pretty cool as the password has never left the client PC, yet authentication has happened!
A TGT lasts as long as you are logged in or, in a default AD domain, 10 hours (it can be renewed for up to 7 days).
You can then use the TGT to request other tickets (service tickets) to access other services. Printing for example. Service tickets get the same default 10 hour lifetime; the "5 minutes" you will see quoted for Kerberos is something else: the maximum clock difference the KDC will tolerate.
Due to the reliance on timestamps (in pre-authentication, in every authenticator and to expire tickets) it is imperative that the clocks of clients, servers and domain controllers are in sync. By default anything more than 5 minutes out and authentication simply fails.
One more thing to note is that Kerberos is a mutual authentication mechanism. This means both parties authenticate to each other: to print you present a ticket to the print server, but the print server also has to prove itself to you. It does this by decrypting your ticket with its own long-term key, pulling out the session key and sending your timestamp back encrypted under that session key. Only the genuine service holds the key needed to do that, proving the service you asked for is actually that service.
So where in this do SPNs or service principal names come in?
These are *just* names of the form service/host (HTTP/www.mysite.com, say) which identify a service and are registered on the account that service runs as. When you ask the KDC for a service ticket you ask by SPN, and the KDC encrypts that ticket with the long-term key of whichever account has the SPN registered. That is why an SPN has to sit on the right account (otherwise the service cannot decrypt the tickets it is handed) and why the same SPN must never be registered on two accounts (the KDC cannot tell which key to use, Kerberos fails and Windows quietly falls back to NTLM if it can).
So if we had a website we accessed using www.mysite.com and on the webserver the actual service was running under the credentials DOMAIN\webservice you would need an SPN for the HTTP service on www.mysite.com registered on DOMAIN\webservice. In Windows this means:
setspn -A HTTP/www.mysite.com DOMAIN\webservice
(-A adds the SPN blindly. On Windows 2008 and later use setspn -S instead, which refuses to add a duplicate, and setspn -X to hunt down duplicates already lurking in the directory.)
Easy.
Windows 2008 (and R2) largely removes this chore for IIS because, with kernel-mode authentication, the ticket is decrypted in the kernel using the computer account's key rather than the application pool account's. Every computer account already has HOST/ SPNs registered automatically (and HOST covers HTTP), so a site addressed by the machine's own name just works whatever account the app pool runs as. Two caveats: a site addressed by another name, like www.mysite.com, still needs an HTTP/www.mysite.com SPN, only now it goes on the computer account; and in a load-balanced farm, where the same ticket must decrypt on several machines, you set useAppPoolCredentials="true" in the site's windowsAuthentication configuration and register the SPN on the shared app pool account as before.
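To make the logon walkthrough and the SPN section above concrete, here is a toy three-party Kerberos exchange in Python: the client, the KDC and a kerberized print service, with pre-authentication, the TGT and session key, the clock-skew check, the service ticket sealed under the key of whichever account owns the SPN, and the mutual authentication step at the end. This is an added example, not code from the original post, and nothing in it is real Kerberos: the cipher is an HMAC-based toy standing in for AES/RC4, the string-to-key function is plain SHA-256, and the domain, accounts, passwords, SPNs and clock values are all made up.

```python
import hashlib
import hmac
import json
import os

SKEW = 300           # tolerated clock skew, seconds (AD default: 5 minutes)
TICKET_LIFE = 36000  # ticket lifetime, seconds (AD default: 10 hours)
NOW = 1_700_000_000  # constructed clock value for the sample domain

def key_from_password(password):  # toy stand-in for the Kerberos string-to-key function
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):  # toy authenticated encryption (HMAC keystream + HMAC tag) standing in for AES/RC4
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):  # inverse of seal(); ValueError if the key is wrong or the message was tampered with
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Domain controller side: every principal's long-term key plus the SPN -> account map."""
    def __init__(self, passwords, spns, clock):
        self.keys = {name: key_from_password(pw) for name, pw in passwords.items()}
        self.clock, self.spn_owner = clock, {}
        for spn, account in spns:  # what setspn registers; the duplicate check is what setspn -S adds
            if spn in self.spn_owner:
                raise ValueError("duplicate SPN " + spn)
            self.spn_owner[spn] = account
    def as_exchange(self, user, preauth):
        """AS-REQ -> AS-REP. Pre-auth is the client's timestamp sealed under the user's key."""
        if abs(unseal(self.keys[user], preauth)["ts"] - self.clock) > SKEW:
            raise ValueError("pre-authentication timestamp outside tolerated skew")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": self.clock + TICKET_LIFE})
        return tgt, seal(self.keys[user], {"sk": sk})  # the client can read the session key, never the TGT
    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS-REQ -> TGS-REP. The service ticket is sealed with the key of the account owning the SPN."""
        t = unseal(self.keys["krbtgt"], tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if t["exp"] < self.clock or auth["user"] != t["user"] or abs(auth["ts"] - self.clock) > SKEW:
            raise ValueError("expired TGT or bad authenticator")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[self.spn_owner[spn]], {"user": t["user"], "sk": svc_sk, "exp": self.clock + TICKET_LIFE})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})

class Service:
    """A kerberized service (the print server, say) holding its own account's long-term key."""
    def __init__(self, password, clock):
        self.key, self.clock = key_from_password(password), clock
    def accept(self, ticket, authenticator):
        """AP-REQ -> AP-REP: check the ticket, then prove ourselves by echoing the client's timestamp."""
        t = unseal(self.key, ticket)  # fails if the SPN was registered on some other account
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if t["exp"] < self.clock or a["user"] != t["user"] or abs(a["ts"] - self.clock) > SKEW:
            raise ValueError("expired ticket or bad authenticator")
        return seal(sk, {"ts": a["ts"]})

class Client:
    def __init__(self, user, password, kdc):
        self.user, self.kdc, self.cache = user, kdc, {}  # cache is roughly what klist lists
        self.key = key_from_password(password)           # the password-derived key never leaves the client
    def logon(self, now):
        tgt, enc = self.kdc.as_exchange(self.user, seal(self.key, {"ts": now}))
        self.cache["krbtgt"] = (tgt, unseal(self.key, enc)["sk"])
    def use_service(self, spn, service, now):
        tgt, sk = self.cache["krbtgt"]
        if spn not in self.cache:  # ask the TGS once, then reuse the ticket until it expires
            ticket, enc = self.kdc.tgs_exchange(tgt, seal(bytes.fromhex(sk), {"user": self.user, "ts": now}), spn)
            self.cache[spn] = (ticket, unseal(bytes.fromhex(sk), enc)["sk"])
        ticket, svc_sk = self.cache[spn]
        rep = service.accept(ticket, seal(bytes.fromhex(svc_sk), {"user": self.user, "ts": now}))
        if unseal(bytes.fromhex(svc_sk), rep)["ts"] != now:  # mutual authentication check
            raise ValueError("service could not prove it holds the session key")
        return True

def build_domain(clock=NOW):  # constructed sample domain: made-up accounts, passwords and SPN registrations
    kdc = KDC({"krbtgt": "kdc-secret", "alice": "Winter2008!", "printsvc": "pr1nt-acct", "webservice": "w3b-acct"},
              [("HOST/print01.mysite.com", "printsvc"), ("HTTP/www.mysite.com", "webservice")], clock)
    return kdc, Service("pr1nt-acct", clock)

def rejected(action):  # True if an exchange step is refused: the failure modes the post warns about
    try:
        action()
    except (ValueError, KeyError):
        return True
    return False

def demo():  # Alice logs on (AS exchange) and then prints (TGS + AP exchanges)
    kdc, printer = build_domain()
    alice = Client("alice", "Winter2008!", kdc)
    alice.logon(NOW)
    return alice.use_service("HOST/print01.mysite.com", printer, NOW + 60)
```

demo() returns True for the happy path. The interesting part is rejected(): wrap a step in it to see what fails and where. A wrong password is refused by the KDC at pre-authentication, a client clock more than SKEW seconds out is refused the same way, asking the printer to accept a ticket for HTTP/www.mysite.com fails because that ticket was sealed under the webservice account's key (the SPN-on-the-wrong-account problem), building a KDC with the same SPN on two accounts fails at registration, and advancing the clocks past TICKET_LIFE makes the cached tickets expire.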
For fun (or troubleshooting) you can use the command line tool "klist" on Windows to show all the tickets you currently hold, complete with their SPNs and expiry times. "klist purge" throws them all away, which is handy when you want to watch them being requested again.