RE: form based auth using kerberos ?

  • From: m1r4cle_26@xxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Thu, 2 Sep 2004 10:32:16 -0600

> I think from what you're seeing that your FE will not authenticate with a
> different realm.  It uses the NTLM auth that it passes. It does a quick
> lookup (as you saw) for the basic authentication (Does the user exist is the
> question it's asking the Active Directory, right? 'Cause if it doesn't, why
> bother to continue?) You're still not "authenticated" or more precisely
> authenticated and authorized at this point because you haven't passed all
> credentials. The hash (NTLM) is sent to the BE server which is supposed to
> then use Kerberos authentication in your scenario.  The eventvwr entries
> seem to coincide with this. 
> 
> This indicates that if you wanted to deal with another realm, you're really
> looking at putting that realm internal and using it via some sort of trust
> to allow the BE server to auth via that mechanism.  It will still use the
> Active Directory since Exchange relies on the mailbox-enabled user objects
> to be there, but a trust would be set up and configured. 
My experiment yesterday was purely Microsoft-based, no external realm
involved yet. I tried again today, and this time FE did send AS-REQ and
TGS-REQ on behalf of the user to AD. However, it seems that the Kerberos
authentication here is not used to validate the user password, but to
obtain a ticket to access the BE. It seems to me that authentication is done
with a DCERPC request to AD, which I cannot confirm because it's encrypted. When
I enter a wrong password, FE sends HTTP access denied to the client, and
no AS-REQ is sent to AD.
I'll try to put FE in an external realm tomorrow, and see what happens.

> So that leads me to these questions:
> 1) Why aren't you using Windows 2003 for this?  Kerberos interop gets
> *better* in Windows 2003.  
I'm using Windows 2000 Server SP4. That should be enough when no external realm
is involved yet, right? But I'm not sure whether it will be when I use an external
realm.

> 2) Why aren't you using Exchange 2003?  It uses IIS 6.0 and was re-written
> which may give different results.
I do use Exchange 2003: Exchange 2003 on Windows 2000 SP4. I believe I
mentioned it before in my previous mails; otherwise I wouldn't have said
anything about form-based auth, right? ;)

> 3) Have you seen the Unix interoperability document?  It's called "Solution
> Guide for Windows Security and Directory Services for UNIX"  and it may hold
> some useful information and tool references to help see the kerberos
> information more clearly.
Not yet, will look into it, thanks :-)

> 4) When you looked online, did you see the Exchange deployment docs?  They
> talk about multi-forest deployment scenarios which have the same issues you
> are looking at and discuss what is needed to make it work.  It has more
> information than you're looking for, but it does talk about the trusts etc.
> The hardest part will be the MIT interop.  That's because it may use other
> encryption types than Windows 2003 supports.
> 
> Al 
> 
> -----Original Message-----
> From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
> Sent: Wednesday, September 01, 2004 12:08 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: form based auth using kerberos ?
> 
> http://www.MSExchange.org/
> 
> > How about this: Setup a mock FE/BE scenario and run a network trace.
> I've done it today.
> Following are my observations (please correct me if I'm wrong):
> Setup:
> 1. FE - only Basic Authentication enabled
> 2. BE - only Integrated Authentication enabled
> 
> Flow (roughly):
> 1. HTTP request from client to FE
> 2. LDAP search from FE to AD
> 3. LDAP entry from AD to FE, where the BE actually is
> 4. HTTP request from FE to BE (NTLM used!, not Kerberos, why?)
> 5. DCERPC Bind from BE to AD, UUID = EPM
> 6. DCERPC Bind Ack from AD to BE
> 7. DCERPC Bind from BE to AD, UUID = RPC_NETLOGON
> 8. DCERPC Bind Ack from AD to BE
> 9. LDAP search from BE to AD
> 10. LDAP entry from AD to BE
> 11. HTTP OK from BE to FE
> 12. HTTP OK from FE to BE
> 
> No krb5 packet was captured by Ethereal at all! I'm not even sure whether FE & BE
> authenticate the user to AD. All I could see were LDAP requests and DCERPC (I
> expected Kerberos packets so much...)
> 
> Another question is why the Kerberos auth from FE to BE seems to have failed
> (HTTP is using NTLM), while in the audit logged in Event Viewer:
> Event Type:   Success Audit
> Event Source: Security
> Event Category:       Logon/Logoff 
> Event ID:     540
> Date:         9/1/2004
> Time:         9:37:29 PM
> User:         LARASARI\lara
> Computer:     FREXCHW2KSERVER
> Description:
> Successful Network Logon:
>       User Name:      lara
>       Domain:         LARASARI
>       Logon ID:               (0x0,0x79B48D)
>       Logon Type:     8
>       Logon Process:  IIS     
>       Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>       Workstation Name:       FREXCHW2KSERVER 
> 
> is logged on FE, while:
> 
> Event Type:   Success Audit
> Event Source: Security
> Event Category:       Logon/Logoff 
> Event ID:     540
> Date:         9/1/2004
> Time:         9:51:02 PM
> User:         LARASARI\lara
> Computer:     EXCHW2KSERVER
> Description:
> Successful Network Logon:
>       User Name:      lara
>       Domain:         LARASARI
>       Logon ID:               (0x0,0x785801)
>       Logon Type:     3
>       Logon Process:  Kerberos
>       Authentication Package: Kerberos
>       Workstation Name:        
> 
> is logged on BE,
> which proves that basic authentication generates Kerberos tokens for
> delegation! (ref: Microsoft Knowledge Base Article 287537)
> 
> 
> > Keep in mind that regardless of the forms based vs. pop-up auth you 
> > use, the only expected difference in the process is that your clients
> > will be able to cache credentials on the local workstation if they 
> > wanted.  Forms based auth prevents that.
> The above experiment was using pop-up auth by the way, not form-based.
>  
> > One other thing that may be helpful here: Tell us why you want 
> > kerberos auth vs. any other?  What's the risk you're trying to 
> > mitigate here, because there may be another way that doesn't take so much
> of your time.
> Well, if FE/BE is able to authenticate against AD using kerberos, we would
> like to make them authenticate against MIT KDC, if possible...
>  
> > If that fails to get the results you need, it might be worthwhile to 
> > open a support call with Microsoft to have them research it and give 
> > you a definitive answer.  I suspect that for your purposes, you'll 
> > still end up testing it on the wire though :)
> Ugh, yeah... I guess so...
> 
> What do you think of the result of my experiment?
> 
> Thanks for discussing this issue with me, glad to have someone with whom I can
> discuss it...
> lara
> 
> > -----Original Message-----
> > From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> > Sent: Tuesday, August 31, 2004 7:52 AM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: form based auth using kerberos ?
> > 
> > http://www.MSExchange.org/
> > 
> > > You would need a front-end/back-end solution IIRC.  The use of 
> > > Kerberos authentication occurs after you set integrated 
> > > authentication, but you can't do that for the anonymous users on the
> > > internet.  Hence, clear-text auth is usually recommended.
> > Yes, I agree. I have to use basic authentication with SSL enabled 
> > between browser and exchange.
> >  
> > > Have you checked out some of the docs on 
> > > http://www.microsoft.com/exchange/library for some additional 
> > > deployment suggestions for this scenario?
> > 
> > As suggested, I have read some docs in the Microsoft library.
> > Kerberos auth is used by the front end to send user credentials to the back end to
> > get the mailbox, but the front end still needs to authenticate the user to AD,
> > and so does the back end. So the flow will be:
> > front end -- ? --> AD
> > front end -- kerberos --> back end
> > back end -- ? --> AD
> > (based on article:
> > http://www.winnetmag.com/Article/ArticleID/40371/40371.html)
> > 
> > From the net, I can only tell that an RPC call is used for communication
> > from the front end to AD. But how does the user authentication process
> > actually work?
> > I'm still clueless about the "? protocol" used here. What is the default?
> > Can I use Kerberos?
> > 
> > So if my understanding is right, even using FE/BE won't guarantee that
> > I can authenticate users using kerberos, right ?
> > 
> > If Kerberos can't work with form-based auth, what about non-form-based
> > auth? Can Exchange use Kerberos to authenticate the user to AD?
> > 
> > once again, thanks for your help
> > lara
> > 
> > ------------------------------------------------------
> > List Archives: 
> > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 ISA Server Resource Site: http://www.isaserver.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this MSEXchange.org Discussion List as:
> > al.mulnick@xxxxxxxxxx To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > Report abuse to listadmin@xxxxxxxxxxxxxx
> 
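As an added illustration (not part of the thread or of any Microsoft tooling), the script below parses the two Security event 540 entries quoted above and classifies each logon: the front-end entry as a cleartext-password (logon type 8, IIS Basic auth via MSV1_0) logon, the back-end entry as a Kerberos network (type 3) logon. The event text is a constructed sample copied from the thread; the logon-type meanings are the standard Windows security-log definitions.

```python
"""Classify Windows Security event 540 (Successful Network Logon) records
to tell cleartext Basic-auth logons from Kerberos network logons."""
import re

# Standard Windows security-log logon types relevant to an IIS/Exchange FE/BE pair.
LOGON_TYPES = {
    3: "Network",
    8: "NetworkCleartext (password presented in the clear, e.g. IIS Basic auth)",
}

# Constructed sample: the two event 540 entries quoted in the thread (FE, then BE).
SAMPLE_EVENTS = """\
Event ID:     540
Computer:     FREXCHW2KSERVER
Description:
Successful Network Logon:
      User Name:      lara
      Domain:         LARASARI
      Logon Type:     8
      Logon Process:  IIS
      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Workstation Name:       FREXCHW2KSERVER

Event ID:     540
Computer:     EXCHW2KSERVER
Description:
Successful Network Logon:
      User Name:      lara
      Domain:         LARASARI
      Logon Type:     3
      Logon Process:  Kerberos
      Authentication Package: Kerberos
      Workstation Name:
"""

# "Key:   value" lines; the lazy key match stops at the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported event-log text into one dict of fields per event."""
    events, cur = [], {}
    for line in text.splitlines():
        if line.startswith("Event ID:") and cur:   # a new record begins
            events.append(cur)
            cur = {}
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2)
    if cur:
        events.append(cur)
    return events

def classify(ev):
    """Return (cleartext_password, kerberos_used, summary) for one 540 event."""
    ltype = int(ev.get("Logon Type", "0"))
    pkg = ev.get("Authentication Package", "")
    summary = "%s: %s\\%s type %d (%s) via %s" % (
        ev.get("Computer", "?"), ev.get("Domain", "?"), ev.get("User Name", "?"),
        ltype, LOGON_TYPES.get(ltype, "other"), pkg)
    return ltype == 8, pkg.lower() == "kerberos", summary

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(classify(ev)[2])
```

Run against a larger exported log, the type-8 entries show every server where the password itself is being accepted, which is what the FE's Basic authentication implies and why it must stay behind SSL.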

