Kerberos Delegation - Ondrej Sevecek's Blog
GOPAS TECHED 2012
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

KERBEROS DELEGATION

Basic Delegation (diagram)
Client --(password)--> Front-End Server
Front-End Server --(TGT: User, then TGS: Back-End)--> DC
Front-End Server --(TGS: Back-End)--> Back-End Server
The client hands its password to the front-end (for example with Basic authentication). The front-end simply logs on as the user: it obtains the user's TGT and from it a service ticket for the back-end. No Kerberos delegation is involved, and the front-end holds the user's password in the clear.

Kerberos Delegation Options
- Unconstrained Delegation: DFL 2000 (Windows 2000 domain functional level); the front-end can obtain tickets to any back-end service; the user "knows" about it, because the client has to forward its TGT to the front-end
- Constrained Delegation: DFL 2003; only to the back-end SPNs listed on the front-end account; the user does not know about it, because the front-end reuses the user's service ticket (S4U2Proxy)
- Constrained Delegation with Protocol Transition: as above, but the front-end can additionally obtain a ticket for the user even when the user never authenticated to it with Kerberos (S4U2Self)

Kerberos Delegation (Simplified) (diagram)
Client --(TGS: Front-End)--> Front-End Server
Front-End Server --(TGT: User if forwarded for unconstrained delegation, or TGS: Front-End for constrained delegation)--> DC
DC --(TGS: Back-End)--> Front-End Server
Front-End Server --(TGS: Back-End)--> Back-End Server

AD Delegation Requirements
- The front-end account must be able to read the tokenGroups and tokenGroupsGlobalAndUniversal attributes of the users it impersonates; membership in Windows Authorization Access Group (added by the Windows Server 2003 schema update) grants this
- The front-end account must have delegation enabled
- The client's user account must not be marked "Account is sensitive and cannot be delegated"

Protocol Transition Requirements
- Protocol transition requires the "Act as part of the operating system" privilege (SeTcbPrivilege) on the front-end; without it the S4U2Self logon only yields an identification-level token, which cannot be used to reach the back-end
- Protocol transition requires the front-end's resource domain to be the same as the account domain

Kerberos with IIS 7+
- Providers (Negotiate must be offered, and listed before NTLM)
- Kernel Mode Authentication (SharePoint does not support it)
- useAppPoolCredentials (required when the application pool runs as a domain account that holds the SPN, so that kernel-mode authentication uses that account's key rather than the machine account's)

Protocol Transition (diagram)
Client --(nothing: no Kerberos credential at all)--> Front-End Server
Front-End Server --(S4U2Self: ticket for user "Kamil" to itself, then TGS: Back-End)--> DC
Front-End Server --(TGS: Back-End)--> Back-End Server
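The delegation types and account requirements above map directly onto attributes in Active Directory. The following PowerShell is added here as an example and is not part of the slides: it audits a domain for accounts trusted for unconstrained delegation, accounts with a constrained-delegation target list (with or without protocol transition), users flagged "sensitive and cannot be delegated", and whether a given front-end account is in Windows Authorization Access Group. It assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access; the account name in the final comment is hypothetical.

```powershell
# Added example, not from the original slides. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits (ADS_USER_FLAG enumeration)
$TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x00100000   # "Account is sensitive and cannot be delegated"

# LDAP bitwise-AND matching rule, used to test single bits of userAccountControl
$band = '1.2.840.113556.1.4.803'

function Get-DelegationReport {
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

    # Unconstrained: TRUSTED_FOR_DELEGATION set. Domain controllers carry it by design;
    # every other account on this list can impersonate anyone who authenticates to it.
    $unconstrained = Get-ADObject -LDAPFilter "(userAccountControl:$band:=$TRUSTED_FOR_DELEGATION)" -Properties $props

    # Constrained: a non-empty msDS-AllowedToDelegateTo list. Whether S4U2Self is
    # also allowed is a separate bit on the same account.
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props

    foreach ($o in $unconstrained) {
        [pscustomobject]@{ Account = $o.Name; Class = $o.ObjectClass; Type = 'Unconstrained'; Targets = 'ANY' }
    }
    foreach ($o in $constrained) {
        $pt = ($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        [pscustomobject]@{
            Account = $o.Name
            Class   = $o.ObjectClass
            Type    = if ($pt) { 'Constrained + ProtocolTransition' } else { 'Constrained (Kerberos only)' }
            Targets = ($o.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
}

function Get-SensitiveAccounts {
    # Users whose tickets a front-end is never allowed to delegate (NOT_DELEGATED set)
    Get-ADUser -LDAPFilter "(userAccountControl:$band:=$NOT_DELEGATED)" |
        Select-Object SamAccountName, DistinguishedName
}

function Test-WaagMembership {
    param([Parameter(Mandatory)][string]$FrontEndSamAccountName)
    # The front-end must read tokenGroupsGlobalAndUniversal on the users it impersonates;
    # Windows Authorization Access Group (well-known SID S-1-5-32-560) grants that read.
    $waag    = Get-ADGroup -Identity 'S-1-5-32-560'
    $members = Get-ADGroupMember -Identity $waag -Recursive | Select-Object -ExpandProperty SamAccountName
    # Computer accounts have a trailing $ in sAMAccountName, e.g. WEB01$
    return $members -contains $FrontEndSamAccountName
}

Get-DelegationReport | Sort-Object Type, Account | Format-Table -AutoSize
Get-SensitiveAccounts | Format-Table -AutoSize
# Test-WaagMembership -FrontEndSamAccountName 'svc_web'   # hypothetical front-end account
```

Run it as an ordinary domain user; all three queries need only read access. Anything listed as Unconstrained that is not a domain controller is the first thing to review, since such an account receives and can replay the forwarded TGT of every user who connects to it.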
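To see the SeTcbPrivilege requirement from the Protocol Transition Requirements slide for yourself, this added PowerShell (not from the slides) performs the S4U2Self step that protocol transition relies on: the .NET WindowsIdentity(string) constructor logs the named UPN on without a password. Run it once as a normal user and once from a process that holds SeTcbPrivilege (LocalSystem, or an account granted "Act as part of the operating system"); the ImpersonationLevel field changes from Identification to Impersonation. The UPN is a placeholder, and the machine must be domain-joined.

```powershell
# Added example, not from the original slides.
function Test-ProtocolTransition {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Does this process hold SeTcbPrivilege? whoami /priv lists the token's privileges
    # whether enabled or not. S4U2Self itself works without it, but the resulting token
    # is then usable only for identification (group checks), not for impersonation
    # toward a back-end.
    $hasTcb = [bool]((whoami /priv) -match 'SeTcbPrivilege')

    try {
        # S4U2Self logon: no password, only the target UPN. The groups that come back with
        # the token are what the tokenGroups read access on the requirements slide is for.
        $id = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    } catch {
        return [pscustomobject]@{
            User               = $UserPrincipalName
            HasTcb             = $hasTcb
            ImpersonationLevel = 'n/a'
            AuthenticationType = 'n/a'
            Groups             = 0
            Error              = $_.Exception.GetBaseException().Message
        }
    }

    # Resolve group SIDs to names where possible; unresolvable ones stay as SID strings
    $groups = foreach ($g in $id.Groups) {
        try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
    }

    [pscustomobject]@{
        User               = $id.Name
        HasTcb             = $hasTcb
        ImpersonationLevel = $id.ImpersonationLevel   # Identification without SeTcbPrivilege, Impersonation with it
        AuthenticationType = $id.AuthenticationType   # Kerberos when S4U2Self succeeded
        Groups             = @($groups).Count
        Error              = $null
    }
}

# Placeholder UPN; run as a normal user, then again from a process holding SeTcbPrivilege
Test-ProtocolTransition -UserPrincipalName 'kamil@corp.example.com' | Format-List
```

An Identification-level token is still useful for authorization decisions on the front-end (it carries the user's groups), which is why S4U2Self is allowed without the privilege; what it cannot do is be handed to S4U2Proxy to obtain the back-end ticket, and that is the step the slide's privilege requirement protects.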
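The IIS 7+ bullets above, as an added PowerShell example (not the slides' code): put an application pool under a domain account, enable Windows authentication in kernel mode with useAppPoolCredentials, check the provider order, and register the HTTP SPN on the pool account. Site, pool, account and host names are placeholders; it assumes the WebAdministration module on the web server, an elevated session, and rights to write servicePrincipalName on the account for setspn.

```powershell
# Added example, not from the original slides. All names below are placeholders.
Import-Module WebAdministration

$Site         = 'Default Web Site'       # placeholder site name
$PoolName     = 'KerbAppPool'            # placeholder application pool
$SvcAcct      = 'CORP\svc_web'           # placeholder domain account the pool runs as
$HostName     = 'web.corp.example.com'   # placeholder host name clients use in the URL
$IsSharePoint = $false                   # SharePoint does not support kernel-mode authentication

# 1. Run the application pool as the domain account (prompt for the password, do not embed it)
$cred     = Get-Credential -UserName $SvcAcct -Message "Password for $SvcAcct"
$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) { New-Item $poolPath | Out-Null }
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $SvcAcct
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\Sites\$Site" -Name applicationPool -Value $PoolName

# 2. Windows authentication on the site
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$common = @{ PSPath = 'IIS:\'; Location = $Site; Filter = $filter }
Set-WebConfigurationProperty @common -Name enabled -Value $true
# Kernel-mode authentication decrypts tickets with the machine account's key by default.
# With the SPN on the pool account, useAppPoolCredentials makes it use that account's key
# instead; otherwise every Kerberos ticket for HTTP/$HostName fails to decrypt.
Set-WebConfigurationProperty @common -Name useKernelMode -Value (-not $IsSharePoint)
Set-WebConfigurationProperty @common -Name useAppPoolCredentials -Value $true

# 3. Providers: Negotiate must be offered, and before NTLM, or clients never try Kerberos
$providers = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Filter "$filter/providers/add" |
    Select-Object -ExpandProperty value
if (-not $providers -or $providers[0] -ne 'Negotiate') {
    Write-Warning "Provider order is '$($providers -join ', ')'; Negotiate should come first."
}

# 4. Register the SPN on the pool account. setspn -S refuses to create a duplicate;
#    duplicate SPNs are a common reason Kerberos fails and clients fall back to NTLM.
setspn -S "HTTP/$HostName" $SvcAcct

# 5. Show the resulting authentication settings
Get-WebConfiguration -PSPath 'IIS:\' -Location $Site -Filter $filter |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
```

With useKernelMode left off (the SharePoint case) the worker process decrypts tickets itself using the pool identity, so useAppPoolCredentials is irrelevant there; the SPN still has to sit on the pool account, not on the machine, for the same reason.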