GOPAS
TECHED 2012
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
KERBEROS DELEGATION
Basic Delegation
[Diagram: Client, Password, Front-End Server, TGT: User, TGS: Back-End, DC, Back-End Server]
Kerberos Delegation Options
- Unconstrained Delegation
  - DFL 2000
  - to any back-end service
  - user "knows" about it
- Constrained Delegation
  - DFL 2003
  - to listed back-end SPNs
  - user does not know about it
- Constrained Delegation with Protocol Transition
Kerberos Delegation (Simplified)
[Diagram: Client, TGS: Front-End, Front-End Server, TGT: User, TGS: Back-End, TGS: Front-End, DC, DC, Back-End Server]
AD Delegation Requirements
- Front-end account must be able to read the tokenGroups and tokenGroupsGlobalAndUniversal attributes
  - Windows Authorization Access Group
  - 2003 schema update
- User account must have delegation enabled
  - "Account is sensitive and cannot be delegated" must not be set
Protocol Transition Requirements
- Protocol Transition requires "Act as part of the operating system" (SeTcbPrivilege)
- Protocol Transition requires front-end resource domain = account domain
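An added example, not from the deck: a PowerShell audit (the ActiveDirectory RSAT module is assumed) that lists which accounts carry each delegation option above, which are flagged "sensitive and cannot be delegated", and who is in Windows Authorization Access Group.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits (documented Microsoft values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

function Get-DelegationKind {
    param([int64]$Uac, [string[]]$AllowedTo)
    if ($Uac -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($AllowedTo -and ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { return 'Constrained+ProtocolTransition' }
    if ($AllowedTo) { return 'Constrained' }
    return 'None'
}

# Users and computers that have any form of delegation configured
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'
$props  = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'

Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    [pscustomobject]@{
        Account    = $_.Name
        Class      = $_.ObjectClass
        Delegation = Get-DelegationKind -Uac $_.userAccountControl -AllowedTo $_.'msDS-AllowedToDelegateTo'
        Targets    = ($_.'msDS-AllowedToDelegateTo' -join '; ')   # back-end SPNs for constrained delegation
    }
} | Sort-Object Delegation | Format-Table -AutoSize

# Accounts that no front-end may act for (NOT_DELEGATED set)
"`nAccounts marked sensitive (cannot be delegated):"
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED)" |
    Select-Object Name, ObjectClass

# Front-end accounts need this membership to read tokenGroupsGlobalAndUniversal
"`nMembers of Windows Authorization Access Group:"
Get-ADGroupMember -Identity 'Windows Authorization Access Group' | Select-Object Name, objectClass
```

Run it as a domain user with read access to the directory; every "Unconstrained" row and every member of the group that is not an actual front-end service account deserves a review.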
Kerberos with IIS 7+
- Providers
- Kernel Mode Authentication
  - SharePoint does not support it
  - useAppPoolCredentials
Protocol Transition
[Diagram: Client, Nothing, Front-End Server, Kamil, TGS: Back-End, DC, Back-End Server]
THANK YOU!