Gopas Goc 172 05 Kerberos
MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com
KERBEROS
Why Kerberos
Stronger authentication (about 10 times)
Limited attack surface
Smart card logon
Delegation
Protocol transition: logon by any means defined by the application, not using the hash values from AD
Stronger security
Encryption algorithms: NT hash (MD4) for NTLM; Kerberos can use AES (details later)
Includes user name, domain and timestamp within the exchange
Prevents replay attacks
Mutually authenticates all three sides of the exchange: Client, DC, Server
Stronger security: AES scenarios
[Table: Scenario | AES; rows include NTLM]
Authentication compared
[Diagram, NTLM: Client authenticates to the Server, which passes the credentials through to the DC (pass-through)]
[Diagram, Kerberos: Client authenticates to the DC with its Password and receives a Ticket; Client presents the Ticket to the Server]
Social example
[Diagram, analogy: a Pensioner shows an ID card (social ID: address, married) at the Ticket office and receives a Ticket; the Usherette at the Theatre admits the Ticket. Mapping: Pensioner = Client, Theatre/Usherette = Server, Ticket office = DC; the Server trusts the DC]
[Diagram: the Client talks HTTP to the Server and Kerberos to the DC over UDP/TCP 88]
[Diagram, without delegation: Client to Web (impersonation), Web to DB (anonymous); DC]
[Diagram, with delegation: Client to Web (impersonation), Web to DB (impersonation); DC]
Principles
[Diagram 1: Client authenticates to the DC with its Password and receives a TGT (Ticket)]
[Diagram 2, service request: Client sends its TGT to the DC ("I am Client") and receives a TGS]
[Diagram 3, service request: Client presents the TGS to the Server]
Lab: Tickets
[Diagram: User Login at the Client (password, TGT from the DC) and Login at the Server (nothing?)]
TGS – Service ticket
[Diagram: the TGS (service ticket) for a Server contains the Server name, the user's Login name and the User-Server Session key; the DC encrypts it with the Server's password; the Client, after showing its TGT, receives the TGS plus its own copy of the session key and presents the TGS to the Server]
TGS principles
[Diagram: the TGT is encrypted with the KDC password and contains: KDC, Login name, User-KDC Session key]
[Diagram: the TGS is encrypted with the Server password and contains: Server, Login name, User-Server Session key]
Pre-authentication details
Client to KDC: "I want a TGT, please. My login is …"
Client to KDC, encrypted by my password: "My login is …, my current time is …"
TGT request discussion
Common SPNs
[Table: common SPNs on a Server and on a DC]
Configuring SPN
SETSPN
SPN facts
Troubleshooting tips
msDS-SupportedEncryptionTypes
Service accounts do not specify it
Configure the value manually to enable AES for the TGS
[Table: ETypes]
LAB: Kerberos Name/IP
Kerberos: TIME SYNCHRONIZATION
Time constraints discussion
[Diagram: Client clock 1.1.2006, KDC clock 1.1.2008; the TGT request is refused because of the clock difference]
Try it again with 2008
[Diagram: Client clock 1.1.2008, KDC clock 1.1.2008; the Ticket is issued, valid From 1.1.2008 To 2.1.2008]
Client time skew and ticket
[Diagram: a Client whose clock says 1.1.2006 presents a Ticket valid From 1.1.2008 To 2.1.2008 to a Server whose clock says 1.1.2008; KDC clock 1.1.2008]
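The ticket flow drawn in the Principles, TGS principles and Pre-authentication slides, together with the time constraints just shown, as an added Python model (not code from the course): passwords become keys, the TGT is readable only with the KDC's key and the TGS only with the server's, both carry the login name, a session key and a validity window, and a two-year clock difference is rejected by the KDC and by the server. The seal/open_ "encryption" is a toy (SHA-256 keystream plus HMAC) constructed for this model; Kamil and SRV5 are names from the deck, the passwords are made up.

```python
import hashlib, hmac, json, os
from datetime import datetime, timedelta

SKEW = timedelta(minutes=5)  # clock-skew tolerance applied by the KDC and by servers
KDC_DB = {"Kamil": "user-pw", "krbtgt": "kdc-pw", "SRV5": "server-pw"}  # constructed secrets

def key(secret):
    return hashlib.sha256(secret.encode()).digest()

def seal(k, obj):  # toy authenticated encryption: SHA-256 keystream XOR + HMAC tag
    data = json.dumps(obj).encode()
    stream = hashlib.sha256(k).digest() * (len(data) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct, hmac.new(k, ct, "sha256").hexdigest()

def open_(k, blob):  # succeeds only for a holder of the same key
    ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(k, ct, "sha256").hexdigest()):
        raise ValueError("wrong key or tampered ticket")
    stream = hashlib.sha256(k).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

def check_skew(iso_time, local_now):
    if abs(datetime.fromisoformat(iso_time) - local_now) > SKEW:
        raise ValueError("KRB_AP_ERR_SKEW")

def as_rep(login, preauth, kdc_now):  # AS: pre-auth timestamp -> TGT + User-KDC session key
    pa = open_(key(KDC_DB[login]), preauth)  # fails if the client used a wrong password
    check_skew(pa["time"], kdc_now)
    sk = os.urandom(16).hex()
    tgt = {"login": login, "skey": sk, "from": kdc_now.isoformat(),
           "to": (kdc_now + timedelta(hours=10)).isoformat()}  # default TGT lifetime
    return seal(key(KDC_DB["krbtgt"]), tgt), seal(key(KDC_DB[login]), {"skey": sk})

def tgs_rep(tgt, user_kdc_key, server):  # TGS: service ticket + User-Server session key
    t = open_(key(KDC_DB["krbtgt"]), tgt)  # only the KDC can read the TGT
    sk = os.urandom(16).hex()
    svc = {"login": t["login"], "skey": sk, "from": t["from"], "to": t["to"]}
    return seal(key(KDC_DB[server]), svc), seal(user_kdc_key, {"skey": sk})

def server_accept(tgs, authenticator, server_password, server_now):  # no DC contact needed
    t = open_(key(server_password), tgs)
    if not datetime.fromisoformat(t["from"]) <= server_now <= datetime.fromisoformat(t["to"]):
        raise ValueError("ticket outside validity window")
    check_skew(open_(key(t["skey"]), authenticator)["time"], server_now)
    return t["login"]

def logon(client_clock, kdc_clock, server_clock):  # whole exchange; returns the login the server saw
    pa = seal(key("user-pw"), {"login": "Kamil", "time": client_clock.isoformat()})
    tgt, enc = as_rep("Kamil", pa, kdc_clock)
    uk = key(open_(key("user-pw"), enc)["skey"])  # client learns the User-KDC session key
    tgs, enc2 = tgs_rep(tgt, uk, "SRV5")
    us = key(open_(uk, enc2)["skey"])  # and the User-Server session key
    return server_accept(tgs, seal(us, {"time": client_clock.isoformat()}), "server-pw", server_clock)
```

Run logon() with all three clocks at 1.1.2008 and it returns "Kamil"; set the client to 1.1.2006 and the KDC refuses the pre-authentication, set the server to 1.1.2006 and it refuses the ticket.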
Time synchronization
[Diagram: the PDC of the Root Domain is the Reliable Time Source; the PDC of each Child Domain syncs from it; Client, DC and Child Domain Server sync within the child domain]
AnnounceFlags
10 = 2 + 8 = time service auto, reliable auto (DC)
5 = 1 + 4 = time service yes, reliable yes (PDC)
HKLM\System\CurrentControlSet\Services\W32Time\Config
MaxPosPhaseCorrection, MaxNegPhaseCorrection
Windows 2000/XP/2003: no limit
Windows Vista/2008+: 48 hours = 0x2A300 = 172800
Kerberos: PRIVILEGE ATTRIBUTE CERTIFICATE
PAC
SidCount = ULONG
ExtraSIDs = q * PKERB_SID_AND_ATTRIBUTES
ResourceGroupDomainSid = SID
ResourceGroupCount = ULONG
ResourceGroupIds = r * PGROUP_MEMBERSHIP (RelativeId)
HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters
MaxTokenSize = DWORD = 0-65535
Windows 2000 defaults to 8000
Windows 2003 defaults to 12000
must be set on all domain members
Windows 2012/8 defaults to 42500
PAC Validation
[Diagram: a TGS with its PAC presented to a Service running under the svc-user identity]
Delegation
[Diagram: Client to Web, Web to DB; DC]
Types of delegation
Unconstrained delegation
  To any backend server/service
  The proxy service must have the user's TGS for itself
  Windows 2000+
Constrained delegation
  To a specified service (SPN) only
  The proxy service must have the user's TGS for itself
  Windows 2003+ Domain Functional Level
Protocol transition
  To a specified service (SPN) only
  The proxy service does not need anything
Security considerations
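The three delegation types above map onto two userAccountControl bits and one attribute in AD, so an auditor can classify every account from a directory export. The classifier below is an added example, not part of the course; the attribute names and bit values are the real ones, the account records are constructed.

```python
# userAccountControl bits that switch on the two delegation modes that go beyond
# constrained, Kerberos-only delegation
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

def delegation_type(account):
    """Classify one account record (dict of AD attributes) into the deck's three types."""
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"          # any backend service; needs the user's forwardable TGS
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol transition"    # listed SPNs only; needs nothing from the user
    if targets:
        return "constrained"            # listed SPNs only; needs the user's TGS for itself
    return "none"

def audit(accounts):
    """Return (name, type, targets) for the accounts a reviewer should look at first:
    unconstrained delegation and protocol transition, most permissive first."""
    rank = {"unconstrained": 0, "protocol transition": 1}
    found = [(a["sAMAccountName"], delegation_type(a), a.get("msDS-AllowedToDelegateTo") or [])
             for a in accounts]
    return sorted([f for f in found if f[1] in rank], key=lambda f: rank[f[1]])

# Constructed sample records (attribute names are real; the values are made up for this example)
SAMPLE = [
    {"sAMAccountName": "web-user", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql1.gopas.virtual:1433"]},  # constrained
    {"sAMAccountName": "SRV5$", "userAccountControl": 0x81000},           # unconstrained
    {"sAMAccountName": "portal-svc", "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["http/intranet.company.com"]},          # protocol transition
    {"sAMAccountName": "Kamil", "userAccountControl": 0x200},             # none
]

if __name__ == "__main__":
    for name, kind, targets in audit(SAMPLE):
        print(f"{name}: {kind} -> {targets or 'any service'}")
```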
LAB: Delegation
NSLOOKUP
SET Q=SRV
_kerberos._tcp.gopas.virtual
_kerberos._tcp.Berlin.sites.dc.gopas.virtual
[Diagram: user Kamil and server SRV5; Trust between the domains Paris and Berlin]
Trusting domain local logon
[Diagram: Kamil logs on at SRV5; TGT from Paris, TGS from Berlin]
Multi-domain environment
2
TGS Czech
Europe 3
TGS Prague
1
TGT Kamil
Czech 4
TGS Europe TGS Server
Paris
Prague
Kamil
Server
Multi-domain facts
[Diagram, NLB: SRV1, SRV2 and SRV3 behind a Switch share the address 10.10.0.20; SPN http/intranet.company.com]
[Diagram, NLB with a shared service account: SRV1, SRV2 and SRV3 all run the site as web-user; SPN http/intranet.company.com registered on web-user]
Clustering
[Diagram 1: cluster nodes SRV1, SRV2 and SRV3 behind a Switch; the Exchange MBX role is active on SRV1; SPN ExchangeMDB/mbx.company.com]
[Diagram 2: the Exchange MBX role has failed over to SRV2; SPN ExchangeMDB/mbx.company.com]
[Diagram 3: SPN ExchangeMDB/mbx.company.com registered on the cluster computer account MBX$]
Linux/MIT integration
Protocol transition
[Diagram: Certificate, Web, TGT]
Protocol transition
[Diagram, LSASS on the Server: Processes hand Login + NT hash to LSASS; LSASS obtains the TGT from the DC and TGSs for the Processes]
LSASS: Vista CTRL-ALT-DEL
[Diagram, LSASS on the Server after interactive logon (Login + password): LSASS holds Login + password + NT hash; it obtains the TGT from the DC and TGSs for the Processes]
Credentials delegation
Credentials Provider: a DLL which appears on the logon screen and provides credentials for logon
Can delegate default (logon) credentials to network servers
Can delegate fresh/saved credentials to network servers
RDP requires clear password
[Diagram: Client sends the full Password over SSL to the Server; Local Logon at the Server obtains a TGT from the DC]
Incorrect!
[Diagram: on the Client, MSTSC obtains a TGS for the Server; MSTSC, IE and a Virus are each labelled Full Password; LSASS.EXE holds the Full Text Password]
Credentials Delegation: Public / Private
[Diagram: on the Client, IE and a Virus are labelled Public Password, the TGS is Private; LSASS.EXE holds the Full Text Password]
Credentials Delegation
Terminal Server: Windows 2008+, Windows Vista+
Client: MSTSC 6.0+ on Windows Vista+ or Windows XP SP3 (KB 951608)
Note about Negotiate
Negotiate
Takeaway