RE: form based auth using kerberos ?

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 3 Sep 2004 09:17:34 -0400

I do use exchange 2003. exchange 2003 in windows 2000 SP4. I believe I have
mentioned it before in my previous mails, otherwise I wouldn't say anything
about form based right ;)

Yup.  No more PWI for me ;)  

But keep in mind if you use Exchange 2003 on Windows 2000, you are using IIS
5.0.  There were a LOT of changes between IIS 5.0 and IIS 6.0 that may be of
interest to you.


Al 

-----Original Message-----
From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
Sent: Thursday, September 02, 2004 12:32 PM
To: [ExchangeList]
Subject: [exchangelist] RE: form based auth using kerberos ?

http://www.MSExchange.org/

> I think from what you're seeing that your FE will not authenticate 
> with a different realm.  It uses the NTLM auth that it passes. It does 
> a quick lookup (as you saw) for the basic authentication (Does the 
> user exist is the question it's asking the Active Directory, right? 
> 'Cause if it doesn't, why bother to continue?) You're still not 
> "authenticated" or more precisely authenticated and authorized at this 
> point because you haven't passed all credentials. The hash (NTLM) is 
> sent to the BE server which is supposed to then use Kerberos 
> authentication in your scenario.  The eventvwr entries seem to coincide with this.
> 
> This indicates that if you wanted to deal with another realm, you're 
> really looking at putting that realm internal and using it via some 
> sort of trust to allow the BE server to auth via that mechanism.  It 
> will still use the Active Directory since Exchange relies on the 
> mailbox-enabled user objects to be there, but a trust would be set up and configured.
My experiment yesterday was purely Microsoft based, no external realm
involved yet. I tried again today, and this time FE did send AS-REQ and
TGS-REQ on behalf of the user to AD. However, it seems that the Kerberos
authentication here is not used to validate the user password, but to obtain
a ticket to access the BE. Seems to me that authentication is done with a
DCERPC request to AD, which I cannot confirm because it's encrypted. When I enter
a wrong password, FE sends HTTP access denied to the client, and no AS-REQ
is sent to AD.
I'll try to put FE in an external realm tomorrow and see what happens.

> So that leads me to these questions:
> 1) Why aren't you using Windows 2003 for this?  Kerberos interop get
> *better* in Windows 2003.  
I'm using Windows 2000 Server SP4. Should be enough when no external realm is
involved yet, right? But not sure whether it will be when I use an external realm.

> 2) Why aren't you using Exchange 2003?  It uses IIS 6.0 and was 
> re-written which may give different results.
I do use exchange 2003. exchange 2003 in windows 2000 SP4. I believe I have
mentioned it before in my previous mails, otherwise I wouldn't say anything
about form based right ;)

> 3) Have you seen the Unix interoperability document?  It's called 
> "Solution Guide for Windows Security and Directory Services for UNIX"  
> and it may hold some useful information and tool references to help 
> see the kerberos information more clearly.
Not yet, will look into it, thanks :-)

> 4) When you looked online, did you see the Exchange deployment docs?  
> They talk about multi-forest deployment scenarios which have the same 
> issues you are looking at and discuss what is needed to make it work.  
> It has more information than you're looking for, but it does talk about the trusts etc.
> The hardest part will be the MIT interop.  That's because it may use 
> other encryption types than Windows 2003 supports.
> 
> Al
> 
> -----Original Message-----
> From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> Sent: Wednesday, September 01, 2004 12:08 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: form based auth using kerberos ?
> 
> http://www.MSExchange.org/
> 
> > How about this: Setup a mock FE/BE scenario and run a network trace.
> I've done it today.
> Following are my observations (please correct me if I'm wrong):
> Setup:
> 1. FE - only Basic Authentication enabled
> 2. BE - only Integrated Authentication enabled
> 
> Flow (roughly):
> 1. HTTP request from client to FE
> 2. LDAP search from FE to AD
> 3. LDAP entry from AD to FE, where the BE is actually
> 4. HTTP request from FE to BE (NTLM used !, not Kerberos, why ?)
> 5. DCERPC Bind from BE to AD, UUID = EPM
> 6. DCERPC Bind Ack from AD to BE
> 7. DCERPC Bind from BE to AD, UUID = RPC_NETLOGON
> 8. DCERPC Bind Ack from AD to BE
> 9. LDAP search from BE to AD
> 10. LDAP entry from AD to BE
> 11. HTTP OK from BE to FE
> 12. HTTP OK from FE to BE
> 
> No krb5 packet was captured by ethereal at all! I'm not even sure whether FE
> & BE authenticate the user to AD. All I could see was LDAP requests
> and DCERPC (I expected Kerberos packets so much..)
> 
> Another question is why does it seem the kerberos auth from FE to BE 
> failed (HTTP is using NTLM), but in the audit logged in event viewer:
> Event Type:   Success Audit
> Event Source: Security
> Event Category:       Logon/Logoff 
> Event ID:     540
> Date:         9/1/2004
> Time:         9:37:29 PM
> User:         LARASARI\lara
> Computer:     FREXCHW2KSERVER
> Description:
> Successful Network Logon:
>       User Name:      lara
>       Domain:         LARASARI
>       Logon ID:               (0x0,0x79B48D)
>       Logon Type:     8
>       Logon Process:  IIS     
>       Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>       Workstation Name:       FREXCHW2KSERVER 
> 
> is logged on FE, while:
> 
> Event Type:   Success Audit
> Event Source: Security
> Event Category:       Logon/Logoff 
> Event ID:     540
> Date:         9/1/2004
> Time:         9:51:02 PM
> User:         LARASARI\lara
> Computer:     EXCHW2KSERVER
> Description:
> Successful Network Logon:
>       User Name:      lara
>       Domain:         LARASARI
>       Logon ID:               (0x0,0x785801)
>       Logon Type:     3
>       Logon Process:  Kerberos
>       Authentication Package: Kerberos
>       Workstation Name:        
> 
> is logged in BE
> which proves that basic authentication generates kerberos tokens for 
> delegations ! (ref: Microsoft Knowledge Base Article - 287537)
> 
> 
> > Keep in mind that regardless of the forms based vs. pop-up auth you 
> > use, the only expected difference in the process is that your 
> > clients will be able to cache credentials on the local workstation 
> > if they wanted.  Forms based auth prevents that.
> The above experiment was using pop-up auth by the way, not form-based.
>  
> > One other thing that may be helpful here: Tell us why you want 
> > kerberos auth vs. any other?  What's the risk you're trying to 
> > mitigate here, because there may be another way that doesn't take so 
> > much of your time.
> Well, if FE/BE is able to authenticate against AD using kerberos, we 
> would like to make them authenticate against MIT KDC, if possible...
>  
> > If that fails to get the results you need, it might be worthwhile to 
> > open a support call with Microsoft to have them research it and give 
> > you a definitive answer.  I suspect that for your purposes, you'll 
> > still end up testing it on the wire though :)
> Ugg, yeah...i guess so...
> 
> What do you think of the result of my experiment ? 
> 
> Thanks for discussing this issue with me, glad to have with whom I can 
> discuss...
> lara
> 
> > -----Original Message-----
> > From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> > Sent: Tuesday, August 31, 2004 7:52 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: form based auth using kerberos ?
> > 
> > http://www.MSExchange.org/
> > 
> > > You would need a front-end/back-end solution IIRC.  The use of 
> > > Kerberos authentication occurs after you set integrated 
> > > authentication, but you can't do that for the anonymous users on 
> > > the internet.  Hence, clear-text auth is usually recommended.
> > Yes, I agree. I have to use basic authentication with SSL enabled 
> > between browser and exchange.
> >  
> > > Have you checked out some of the docs on 
> > > http://www.microsoft.com/exchange/library for some additional 
> > > deployment suggestions for this scenario?
> > 
> > As suggested, I have read some docs in the microsoft library.
> > Kerberos auth is used by front-end to send user cred to back-end to 
> > get the mailbox, but front end still needs to authenticate user to 
> > AD, and so does back end. so the flow will be:
> > front end -- ? --> AD
> > front end -- kerberos --> back end
> > back end -- ? --> AD
> > (based on article:
> > http://www.winnetmag.com/Article/ArticleID/40371/40371.html)
> > 
> > From the net, I can only know that RPC call is used for 
> > communication from front end to AD. But how does the user 
> > authentication process work actually ?
> > I'm still clueless about the "? protocol" used here. What is the default?
> > Can I use kerberos ?
> > 
> > So if my understanding is right, even using FE/BE won't guarantee 
> > that I can authenticate users using kerberos, right ?
> > 
> > If Kerberos can't work with form-based auth, what about non
> > form-based auth, can Exchange use Kerberos to authenticate the user to AD?
> > 
> > once again, thanks for your help
> > lara
> > 
> > ------------------------------------------------------
> > List Archives: 
> > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 ISA Server Resource Site: http://www.isaserver.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this MSEXchange.org Discussion List as:
> > al.mulnick@xxxxxxxxxx To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Report abuse to listadmin@xxxxxxxxxxxxxx
> 
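The two Event ID 540 entries quoted above are the evidence the thread turns on: on the front-end the logon is type 8 (NetworkCleartext, the type IIS records when it receives a Basic-auth password and validates it itself), while on the back-end it is type 3 (Network) with the Kerberos package. Below is an added example, not code from the thread or from Microsoft, that parses Security-log entries in the text form pasted in the mails and reports, per server, how the credentials arrived. A defender can run it over an Event Viewer text export to confirm which hosts are accepting plaintext passwords (and therefore must sit behind SSL) and which only ever see tickets. The sample events are constructed from the ones quoted above; the field layout and the logon-type table are standard Windows 2000/2003 Security-log conventions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Logon types as recorded in the Windows 2000/2003 Security log (events 528/540).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample: the two "Successful Network Logon" events from the thread,
# in Event Viewer's text-export layout (one event per "Event Type:" block).
SAMPLE_EVENTS = r"""Event Type:   Success Audit
Event Source: Security
Event Category:       Logon/Logoff
Event ID:     540
Date:         9/1/2004
Time:         9:37:29 PM
User:         LARASARI\lara
Computer:     FREXCHW2KSERVER
Description:
Successful Network Logon:
      User Name:      lara
      Domain:         LARASARI
      Logon ID:               (0x0,0x79B48D)
      Logon Type:     8
      Logon Process:  IIS
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:       FREXCHW2KSERVER
Event Type:   Success Audit
Event Source: Security
Event Category:       Logon/Logoff
Event ID:     540
Date:         9/1/2004
Time:         9:51:02 PM
User:         LARASARI\lara
Computer:     EXCHW2KSERVER
Description:
Successful Network Logon:
      User Name:      lara
      Domain:         LARASARI
      Logon ID:               (0x0,0x785801)
      Logon Type:     3
      Logon Process:  Kerberos
      Authentication Package: Kerberos
      Workstation Name:
"""


@dataclass
class LogonEvent:
    computer: str
    event_id: int
    user: str
    domain: str
    logon_type: int
    logon_process: str
    auth_package: str
    workstation: str


# "Key:   value" lines; the key is letters/spaces, the value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text: str) -> List[LogonEvent]:
    """Split a text export into per-event blocks and extract the logon fields."""
    events: List[LogonEvent] = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if not block.strip():
            continue
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields.get("Event ID") not in {"528", "540"}:
            continue  # only successful-logon events carry the fields below
        events.append(LogonEvent(
            computer=fields.get("Computer", ""),
            event_id=int(fields["Event ID"]),
            user=fields.get("User Name", ""),
            domain=fields.get("Domain", ""),
            logon_type=int(fields.get("Logon Type", "0")),
            logon_process=fields.get("Logon Process", ""),
            auth_package=fields.get("Authentication Package", ""),
            workstation=fields.get("Workstation Name", ""),
        ))
    return events


def classify(ev: LogonEvent) -> str:
    """Describe how the credentials reached this host, from logon type and package."""
    kind = LOGON_TYPES.get(ev.logon_type, f"Unknown({ev.logon_type})")
    if ev.logon_type == 8:
        # Type 8: the server received a plaintext password over the network
        # (what IIS logs for Basic authentication) and validated it itself.
        return f"{kind}: plaintext credentials accepted by {ev.logon_process or 'unknown process'}"
    if ev.logon_type == 3 and ev.auth_package.lower() == "kerberos":
        return f"{kind}: Kerberos ticket presented"
    if ev.logon_type == 3:
        # MSV1_0 package on a type 3 logon means NTLM challenge/response.
        return f"{kind}: {ev.auth_package} (NTLM challenge/response)"
    return kind


def cleartext_logons(events: List[LogonEvent]) -> List[LogonEvent]:
    """Hosts that accepted a plaintext password: these must only be reachable over SSL."""
    return [ev for ev in events if ev.logon_type == 8]


def summarize(text: str) -> Dict[str, str]:
    """Map each server in the export to a one-line description of its logons."""
    return {ev.computer: classify(ev) for ev in parse_events(text)}


if __name__ == "__main__":
    for host, verdict in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict}")
```

Run against the sample, the script reports the front-end as "NetworkCleartext: plaintext credentials accepted by IIS" and the back-end as "Network: Kerberos ticket presented", which is exactly the split the thread observed: the Basic-auth password is consumed on the FE, and only a ticket travels onward to the BE.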
