Kerberos - difference between JAAS connection to server and SQL Server Trusted Connection - dns

My understanding is that both JAAS and SQL Server can be configured to use Kerberos in a domain environment, with an Active Directory server.
My understanding is that JAAS gets the user credentials from the user or from a file at the time of the connection, asks the directory server for a ticket, and presents that to the server.
Where does the SQL Server driver get its Kerberos ticket from? (It seems to be able to obtain credentials from the user's existing login.) Does it get the user login ticket, or does it extract the credentials from the user's logged-in session?

The SQL Server driver gets Kerberos tickets from the TGT (ticket granting ticket). This TGT is a ticket that is part of the user's logon session and can be used to get short-lived tickets to authenticate to other services (e.g. SQL Server).
You can use the "Kerbtray" utility from the Windows Server Resource Kit to examine such tickets.
JAAS also uses the same tickets, but it needs to be told to obtain tickets + configuration (e.g. name of the Kerberos server) from a file, and that path is somewhat dependent on OS version.
SQL Server drivers use the Win32 API to get tokens.

Related

How to create local user in Linux by LDAP Authentication

I have set up my LDAP server with user details. I have set up my Ubuntu laptop to authenticate users from LDAP. The problem is, every time a user tries to log in, Ubuntu tries to reach the LDAP servers to authenticate. So when the network connection is out, it shows authentication failed. What I want is: when a user logs in the first time, Ubuntu authenticates from LDAP, creates a local user profile, and stores the credentials somewhere locally. So when the network connection is not available, it authenticates against the last used credentials. And when the system connects back to the internet, it authenticates against LDAP.
Please help me with this. Let me know if any clarifications are required.
I have created the LDAP server, and my Ubuntu system is already authenticating users against LDAP. I want to store the LDAP credentials in a local user once the user logs in for the first time, so that these credentials can be used for authentication when the network connection is unavailable.
If you are using SSSD as the LDAP client, enable its built-in credential caching. Take a look at options cache_credentials (for auth) and cache_first (for account information) in the sssd.conf(5) manual page.
If you are using nslcd as the LDAP client, install pam_ccreds for authentication caching and nscd for account information caching.

SMB authentication via domain accounts from non-domain machine

I would like to ask if somebody could explain to me how exactly the user/account is authenticated in the following scenario:
The SMB File Server is part of the domain.
Access to the File Server is granted via domain accounts.
The Client is outside of the domain and firewalled to see only the File Server.
The Client is going to use domain credentials to authenticate to the File Server.
My question is how the Kerberos tickets are created if the Client has no visibility of the KDC/Domain Controllers? Is the File Server going to act as a client for the KDC, or relay the request? If yes, how are the credentials stored on the File Server? Or will another authentication method be used in this case, e.g. NTLM?
Thanks!
Tomas

How do http requests work with Active Directory?

I have an ASP.NET MVC application that authenticates users against Active Directory.
As I understand it, this is the process that happens when a user logs on to his computer:
User enters credentials on the local machine.
Local machine checks if it already has an authentication ticket for these credentials.
If not, it contacts the first ADS server it can find that offers Kerberos authentication functions.
The ADS machine checks the credentials against the LDAP database.
If they check out, kerberos returns a TGT (ticket-granting-ticket) to the client machine
For a certain duration set in AD (usually 8~10 hours) this TGT will bypass any credential checking in case the local machine user wishes to connect to resources that require permissions not present in his bare user account (i.e. group memberships, additional machine and share access, etc.)
My question is how does IIS know about the TGT when the browser is making a request to it for my app? Does the operating system send it out on every outbound http request to every single website?
The server (IIS) will indicate to the client (browser) that it needs to authenticate by returning an HTTP 401 error code with a WWW-Authenticate header. The client detects this and determines if it can correctly authenticate. The way this works is as follows:
Determine who the requestor is by checking its Service Principal Name. It exists as {type}/{fully.qualified.domain}, e.g. HTTP/resource.domain.com. This SPN is mapped to a machine or service account in AD. If this SPN isn't registered, the client falls back to a lesser protocol like NTLM.
Local machine uses the TGT to request a service ticket from AD. AD validates the TGT and looks up the SPN in the request and if found creates a service ticket encrypted against the password of the account associated to the SPN.
Client sends the service ticket to the server via Authorization: Negotiate YII... header.
Server decrypts the service ticket using the password it's been provided, either through a domain join, Windows Service Run As config, or keytab.
Server transforms the contents of the decrypted service ticket into a Windows identity.
Identity is presented to the application.
This flow isn't inherently web-specific. This is how all services authenticate themselves when using Kerberos.

Web authentication using desktop ldap

Problem: I want users from my corporate client to authenticate with my web server by using their local LDAP credentials. Users have a local desktop client that can authenticate with the local LDAP server. My server and the LDAP server do not talk to each other.
I know it is possible to authenticate on a web server using LDAP if the web server relays the LDAP request to a LDAP server. (User/desktop client connects to web server, sends credentials and web server interacts with LDAP server for authentication)
But is there a way for a desktop client to authenticate with a local LDAP server and then connect to a web server sending a token that would grant access to the web server? (user auths with ldap, sends ldap response to webserver)
I am not talking Oauth, which requires both servers to talk. In this case, the LDAP server is isolated from outside contact.
The big problem here is that you should never trust the client, even if you have written it yourself. Something like public/private authentication would (probably) not work as well, since the problem is not the encryption, but making sure the message came as "OK" from the LDAP server. A rogue client could fake the OK and sign it anyway.
If I understand your problem correctly, you're looking for a way to make your desktop client talk to your web application using the user's domain credentials.
This should be easy to do using something like ADFS. If you run ADFS inside your client's Active Directory domain, your desktop client can get a token from it using Kerberos. It can then use this token to authenticate with your web application.
You will need to configure your web application to trust tokens issued by the ADFS instance in your client's domain.
ADFS may work, but it is unnecessary. You should look into using SPNEGO as it does not require an ADFS infrastructure.

Service Ticket in Kerberos - Hadoop security

I am trying to secure my Hadoop cluster using Kerberos. I am able to generate a TGT using the kinit command. But beyond that I am stuck.
1) I would like to know what is meant by 'serviceTicket' in reality (not as a description). Using which command/code can we make use of the service ticket?
2) What is the use of the '.keyTab' file and the '.keyStore' file?
Hadoop-Kerberos story
1. User sends an authentication request to the KDC using the kinit command.
2. The KDC sends back an encrypted ticket.
3. User decrypts the ticket by providing his password.
4. Now authenticated, User sends a request for a service ticket.
5. KDC validates the ticket and sends back a service ticket.
6. User presents the service ticket to hdfs@KERBEROS.com.
7. hdfs@KERBEROS.com decrypts the ticket, validating the User's identity.
In the 4th step, 'requesting a service ticket', what does it actually mean? To get a TGT, we use the 'kinit' command. Similarly, what is the procedure / method to get a service ticket?
My Process in detail:
LDAP : ActiveDirectory
Kerberos : Installed in Ubuntu
Hadoop Cluster : Configured in Ubuntu machines with one master and one slave
Ubuntu username : labuser
Realm in Ubuntu : KERBEROS.COM
The plan is to provide Hadoop security with Kerberos and Active Directory.
Generated a TGT (using the kinit command) on the Kerberos server machine for the users present in Active Directory.
Next, to integrate Kerberos with the Ubuntu Hadoop cluster, did the below:
1) Command to create principal: addprinc -randkey namenode/labuser@KERBEROS.COM
2) Command to create keytab: xst -norandkey -k namenode.service.keytab namenode/labuser@KERBEROS.COM (or) ktadd -k namenode.service.keytab namenode/labuser@KERBEROS.COM
3) Added the Kerberos-related properties in the Hadoop configuration files.
Starting the Hadoop cluster, we see that login is successful for all the services (Namenode, Datanode, Resource Manager and Node Manager).
Log info: INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user dn/labuser@KERBEROS.COM using keytab file * /home/labuser/hadoopC/etc/hadoop/dn.service.keytab
Yet the Hadoop cluster is not started, with failures in:
DataNode (java.lang.RuntimeException: Cannot start secure cluster without privileged resources)
NameNode (java.io.FileNotFoundException: /home/labuser/.keystore (No such file or directory))
Please suggest whether the above Kerberos process requires any change. If yes, please justify.
The Kerberos API will get the service ticket automatically if the protocol for the service is Kerberos enabled.
The server needs the secret key corresponding to hdfs@KERBEROS.com in a keytab file that it can read to decrypt any incoming connections. Generally, you create this using the kadmin command and install the secret in the keytab file using the appropriate utility (it's different for different versions of the Kerberos source code).
Generally, once you have kinit'd as a client, you will never need to run another explicit Kerberos command to obtain service tickets, PROVIDING all the servers and clients are configured correctly. That's kind of the whole point of Kerberos.
If you really want to obtain a service ticket for testing, you can use the kvno command.
http://web.mit.edu/kerberos/krb5-1.13/doc/user/user_commands/kvno.html
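Added example (not code from any answer on this page) modelling the service-ticket step that both the IIS/SPN answer above and this keytab answer describe: the KDC seals a ticket under the key derived from the service account's password, and only a service holding that key (keytab or domain join) can open it. The sealing primitive is a stdlib HMAC-SHA256 stand-in for Kerberos' AES enctypes, the ticket body is JSON rather than RFC 4120 ASN.1, and all principal names and passwords are constructed.

```python
import hashlib, hmac, json, os, time
# Constructed model: HMAC-SHA256 keystream + MAC stands in for AES enctypes,
# JSON stands in for the ASN.1 ticket. The trust structure is the real one:
# only the KDC and the service (keytab / domain join) hold the service key.
REALM = "KERBEROS.COM"  # realm from the question

def derive_key(password, principal):
    # Kerberos string-to-key salts with realm + principal; PBKDF2 does the same here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()  # encrypt-then-MAC

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("ticket was not sealed under this service key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KDC:
    """Holds every principal's long-term key, as the AD domain controller does."""
    def __init__(self):
        self.keys = {}
    def register(self, principal, password):  # setspn / addprinc equivalent
        self.keys[principal] = derive_key(password, principal)
    def issue_service_ticket(self, client, spn, lifetime=36000):
        # TGT validation is elided; a client without a valid TGT would be refused here.
        if spn not in self.keys:
            return None  # SPN not registered: nothing to present, client falls back
        ticket = {"client": client, "spn": spn, "expires": time.time() + lifetime}
        return seal(self.keys[spn], json.dumps(ticket).encode())

class Service:
    """An SPN's service (IIS, hdfs namenode); its key comes from the keytab."""
    def __init__(self, spn, keytab_password):
        self.spn, self.key = spn, derive_key(keytab_password, spn)
    def accept(self, blob, now=None):
        ticket = json.loads(unseal(self.key, blob))  # fails under a foreign key
        if ticket["spn"] != self.spn:
            raise ValueError("ticket issued for a different SPN")
        if (now if now is not None else time.time()) > ticket["expires"]:
            raise ValueError("ticket expired")
        return ticket["client"]  # the identity handed to the application
```

A service started with the wrong keytab password, or handed a ticket past its lifetime, rejects it before any identity reaches the application.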
I have found a solution for:
NameNode(java.io.FileNotFoundException: /SOME/PATH/.keystore (No such file or directory))
Try to configure HTTP_ONLY option in hdfs-site.xml:
<property>
  <name>dfs.http.policy</name>
  <value>HTTP_ONLY</value>
</property>
If you need https you need to additionally generate certificates and configure keystore.