RE: form based auth using kerberos ?

  • From: m1r4cle_26@xxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 8 Sep 2004 06:23:24 -0600

Hey Al,

I followed your suggestion to try out Windows Server 2003. I upgraded the
front end server to Windows Server 2003. A little progress: I can see it
queries DNS for _kerberos._udp.ADIANTO.COM (that's my MIT KDC), and the DNS
server replies correctly, kerberos.adianto.com located at xxx.xxx.xxx.xxx.
However, it seems that the front end receives the response
incorrectly. It sends another query looking for kerberos.a
I know this is out of the scope of this mailing list, but do you have any
idea what can cause it to misunderstand the response...?

> I do use exchange 2003. exchange 2003 in windows 2000 SP4. I believe I have
> mentioned it before in my previous mails, otherwise I wouldn't say anything
> about form based right ;)
> 
> Yup.  No more PWI for me ;)  
> 
> But keep in mind if you use Exchange 2003 on Windows 2000, you are using IIS
> 5.0.  There were a LOT of changes between IIS 5.0 and IIS 6.0 that may be of
> interest to you.
> 
> 
> Al 
> 
> -----Original Message-----
> From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
> Sent: Thursday, September 02, 2004 12:32 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: form based auth using kerberos ?
> 
> http://www.MSExchange.org/
> 
> > I think from what you're seeing that your FE will not authenticate 
> > with a different realm.  It uses the NTLM auth that it passes. It does
> > a quick lookup (as you saw) for the basic authentication (Does the 
> > user exist is the question it's asking the Active Directory, right? 
> > 'Cause if it doesn't, why bother to continue?) You're still not 
> > "authenticated" or more precisely authenticated and authorized at this
> > point because you haven't passed all credentials. The hash (NTLM) is 
> > sent to the BE server which is supposed to then use Kerberos 
> > authentication in your scenario.  The eventvwr entries seem to coincide
> with this.
> > 
> > This indicates that if you wanted to deal with another realm, you're 
> > really looking at putting that realm internal and using it via some 
> > sort of trust to allow the BE server to auth via that mechanism.  It 
> > will still use the Active Directory since Exchange relies on the 
> > mailbox-enabled user objects to be there, but a trust would be set up and
> configured.
> My experiment yesterday was purely Microsoft based, no external realm
> involved yet. I tried again today, and this time FE did send AS-REQ and
> TGS-REQ on behalf of the user to AD. However, it seems that the Kerberos
> authentication here is not used to validate the user password, but to obtain
> a ticket to access the BE. Seems to me that authentication is done with a
> DCERPC request to AD, which I cannot confirm because it's encrypted. When I enter
> a wrong password, FE will send HTTP access denied to the client, and no AS-REQ
> is sent to AD.
> I'll try to put FE in external realm tomorrow, and see what happens
> 
> > So that leads me to these questions:
> > 1) Why aren't you using Windows 2003 for this?  Kerberos interop gets
> > *better* in Windows 2003.  
> I'm using windows 2000 server SP4. Should be enough when no external realm
> involved yet right ? But not sure whether it will when I use external realm.
> 
> > 2) Why aren't you using Exchange 2003?  It uses IIS 6.0 and was 
> > re-written which may give different results.
> I do use exchange 2003. exchange 2003 in windows 2000 SP4. I believe I have
> mentioned it before in my previous mails, otherwise I wouldn't say anything
> about form based right ;)
> 
> > 3) Have you seen the Unix interoperability document?  It's called 
> > "Solution Guide for Windows Security and Directory Services for UNIX"
> > and it may hold some useful information and tool references to help 
> > see the kerberos information more clearly.
> Not yet, will look into it, thanks :-)
> 
> > 4) When you looked online, did you see the Exchange deployment docs?
> > They talk about multi-forest deployment scenarios which have the same
> > issues you are looking at and discuss what is needed to make it work.
> > It has more information than you're looking for, but it does talk about
> the trusts etc.
> > The hardest part will be the MIT interop.  That's because it may use 
> > other encryption types than Windows 2003 supports.
> > 
> > Al
> > 
> > -----Original Message-----
> > From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> > Sent: Wednesday, September 01, 2004 12:08 PM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: form based auth using kerberos ?
> > 
> > > How about this: Setup a mock FE/BE scenario and run a network trace.
> > I've done it today.
> > Following is my observations (please correct me if I'm wrong):
> > Setup:
> > 1. FE - only Basic Authentication enabled
> > 2. BE - only Integrated Authentication enabled
> > 
> > Flow (roughly):
> > 1. HTTP request from client to FE
> > 2. LDAP search from FE to AD
> > 3. LDAP entry from AD to FE, where the BE is actually
> > 4. HTTP request from FE to BE (NTLM used !, not Kerberos, why ?)
> > 5. DCERPC Bind from BE to AD, UUID = EPM
> > 6. DCERPC Bind Ack from AD to BE
> > 7. DCERPC Bind from BE to AD, UUID = RPC_NETLOGON
> > 8. DCERPC Bind Ack from AD to BE
> > 9. LDAP search from BE to AD
> > 10. LDAP entry from AD to BE
> > 11. HTTP OK from BE to FE
> > 12. HTTP OK from FE to BE
> > 
> > No krb5 packet captured by ethereal at all ! I'm not even sure whether FE
> > & BE authenticate the user to AD. All I could see was LDAP requests 
> > and DCERPC (I expected Kerberos packets so much..)
> > 
> > Another question is why does it seem the kerberos auth from FE to BE 
> > failed (HTTP is using NTLM), but in the audit logged in event viewer:
> > Event Type: Success Audit
> > Event Source:       Security
> > Event Category:     Logon/Logoff 
> > Event ID:   540
> > Date:               9/1/2004
> > Time:               9:37:29 PM
> > User:               LARASARI\lara
> > Computer:   FREXCHW2KSERVER
> > Description:
> > Successful Network Logon:
> >     User Name:      lara
> >     Domain:         LARASARI
> >     Logon ID:               (0x0,0x79B48D)
> >     Logon Type:     8
> >     Logon Process:  IIS     
> >     Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> >     Workstation Name:       FREXCHW2KSERVER 
> > 
> > is logged on FE, while:
> > 
> > Event Type: Success Audit
> > Event Source:       Security
> > Event Category:     Logon/Logoff 
> > Event ID:   540
> > Date:               9/1/2004
> > Time:               9:51:02 PM
> > User:               LARASARI\lara
> > Computer:   EXCHW2KSERVER
> > Description:
> > Successful Network Logon:
> >     User Name:      lara
> >     Domain:         LARASARI
> >     Logon ID:               (0x0,0x785801)
> >     Logon Type:     3
> >     Logon Process:  Kerberos
> >     Authentication Package: Kerberos
> >     Workstation Name:        
> > 
> > is logged in BE
> > which proves that basic authentication generates kerberos tokens for 
> > delegations ! (ref: Microsoft Knowledge Base Article - 287537)
> > 
> > 
> > > Keep in mind that regardless of the forms based vs. pop-up auth you
> > > use, the only expected difference in the process is that your 
> > > clients will be able to cache credentials on the local workstation 
> > > if they wanted.  Forms based auth prevents that.
> > The above experiment was using pop-up auth by the way, not form-based.
> >  
> > > One other thing that may be helpful here: Tell us why you want 
> > > kerberos auth vs. any other?  What's the risk you're trying to 
> > > mitigate here, because there may be another way that doesn't take so
> > > much
> > of your time.
> > Well, if FE/BE is able to authenticate against AD using kerberos, we 
> > would like to make them authenticate against MIT KDC, if possible...
> >  
> > > If that fails to get the results you need, it might be worthwhile to
> > > open a support call with Microsoft to have them research it and give
> > > you a definitive answer.  I suspect that for your purposes, you'll 
> > > still end up testing it on the wire though :)
> > Ugh, yeah...I guess so...
> > 
> > What do you think of the result of my experiment ? 
> > 
> > Thanks for discussing this issue with me, glad to have someone with whom I can
> > discuss...
> > lara
> > 
> > > -----Original Message-----
> > > From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx]
> > > Sent: Tuesday, August 31, 2004 7:52 AM
> > > To: [ExchangeList]
> > > Subject: [exchangelist] RE: form based auth using kerberos ?
> > > 
> > > > You would need a front-end/back-end solution IIRC.  The use of 
> > > > Kerberos authentication occurs after you set integrated 
> > > > authentication, but you can't do that for the anonymous users on 
> > > > the internet.  Hence, clear-text auth is usually recommended.
> > > Yes, I agree. I have to use basic authentication with SSL enabled 
> > > between browser and exchange.
> > >  
> > > > Have you checked out some of the docs on 
> > > > http://www.microsoft.com/exchange/library for some additional 
> > > > deployment suggestions for this scenario?
> > > 
> > > As suggested, I have read some docs in the microsoft library.
> > > Kerberos auth is used by front-end to send user cred to back-end to
> > > get the mailbox, but front end still needs to authenticate user to 
> > > AD, and so does back end. so the flow will be:
> > > front end -- ? --> AD
> > > front end -- kerberos --> back end
> > > back end -- ? --> AD
> > > (based on article:
> > > http://www.winnetmag.com/Article/ArticleID/40371/40371.html)
> > > 
> > > From the net, I can only tell that an RPC call is used for 
> > > communication from the front end to AD. But how does the user 
> > > authentication process actually work ?
> > > I'm still clueless about the "? protocol" used here. What is the default ?
> > > Can I use Kerberos ?
> > > 
> > > So if my understanding is right, even using FE/BE won't guarantee 
> > > that I can authenticate users using kerberos, right ?
> > > 
> > > If Kerberos can't work with form based auth, what about non 
> > > form-based auth, can Exchange use Kerberos to authenticate users to AD ?
> > > 
> > > once again, thanks for your help
> > > lara
> > > 
> > > ------------------------------------------------------
> > > List Archives: 
> > > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> > > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com 
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 ISA Server Resource Site: http://www.isaserver.org Windows 
> > > Security Resource Site: http://www.windowsecurity.com/ Network 
> > > Security
> > Library:
> > > http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> > > http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this MSEXchange.org Discussion List as:
> > > al.mulnick@xxxxxxxxxx To unsubscribe visit 
> > > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> > > Report abuse to listadmin@xxxxxxxxxxxxxx
> > 
> 
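The latest message above reports the front end querying DNS for the SRV record _kerberos._udp.ADIANTO.COM and then apparently mishandling the answer. The following is an added example, not code from the thread or from any Microsoft or MIT component: it builds the SRV query a Kerberos client sends for that KDC locator name and decodes a response to it, including the label-compression pointers a DNS server normally uses for the target name in an SRV answer. The response bytes are constructed inline so the script runs offline; the address 192.0.2.10 is a documentation placeholder standing in for the masked xxx.xxx.xxx.xxx, port 88 is the standard Kerberos port, and the SRV priority/weight/TTL values are arbitrary. It does not reproduce the truncated "kerberos.a" lookup from the post; it shows what a correct decode of such a reply looks like, which is the baseline to compare a capture against.

```python
"""
Added example (not from the list thread): build the SRV query a Kerberos
client sends for the KDC locator record and decode a response to it,
following the compression pointers in the target name. The response bytes
are constructed inline so this runs offline; 192.0.2.10 is a placeholder.
"""
import struct

KDC_SRV_NAME = "_kerberos._udp.ADIANTO.COM"   # realm name from the thread
TYPE_SRV, TYPE_A, CLASS_IN = 33, 1, 1


def encode_name(name):
    """Encode a dotted name as length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Recursion-desired query with one question: <name> SRV IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off].
    Returns (lower-cased name, offset just past the name in the stream).
    A label byte whose top two bits are 11 is a 14-bit pointer into the
    message: the stream advances only two bytes for it, and reading
    continues at the pointed-to offset. DNS names compare
    case-insensitively, so the result is lower-cased."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:                 # first pointer fixes the stream end
                end = off + 2
            hops += 1
            if hops > 64:                   # guard against pointer loops
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return (".".join(labels).lower(), end if end is not None else off)


def parse_srv_response(msg):
    """Return (sorted [(priority, weight, port, target)], {target: ipv4})
    from a response carrying SRV answers and optional A glue records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                      # non-zero RCODE
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    srv, glue = [], {}
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            # the target sits inside rdata, but its pointers refer to
            # offsets in the whole message, so decode against msg
            target, _ = decode_name(msg, off + 6)
            srv.append((prio, weight, port, target))
        elif rtype == TYPE_A and rdlen == 4:
            glue[name] = ".".join(str(b) for b in rdata)
        off += rdlen
    return sorted(srv), glue


def locate_kdc(msg):
    """Ordered list of (host, ip-or-None, port) a client should try."""
    srv, glue = parse_srv_response(msg)
    return [(t, glue.get(t), port) for _, _, port, t in srv]


def constructed_response(txid=0x1234):
    """Constructed reply: one SRV answer for kerberos.adianto.com:88 whose
    target is compressed against the realm labels of the question, plus an
    A glue record for that host, as a well-formed zone would return."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)
    question = encode_name(KDC_SRV_NAME) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    q_off = len(hdr)                                            # question name
    realm_off = q_off + len(encode_name("_kerberos._udp")) - 1  # "ADIANTO" label
    target = encode_name("kerberos")[:-1] + struct.pack("!H", 0xC000 | realm_off)
    srv_rdata = struct.pack("!HHH", 0, 100, 88) + target
    answer = (struct.pack("!H", 0xC000 | q_off)
              + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(srv_rdata))
              + srv_rdata)
    target_off = len(hdr) + len(question) + 2 + 10 + 6          # target inside answer
    glue = (struct.pack("!H", 0xC000 | target_off)
            + struct.pack("!HHIH", TYPE_A, CLASS_IN, 600, 4)
            + bytes([192, 0, 2, 10]))                            # placeholder IP
    return hdr + question + answer + glue


if __name__ == "__main__":
    print(build_srv_query(KDC_SRV_NAME).hex())
    print(locate_kdc(constructed_response()))
```

To compare against a real capture, feed the raw UDP payload of the server's reply to `locate_kdc` instead of `constructed_response()`; if the decoded target differs from what the KDC client then looks up, the problem is on the client side of the decode rather than in the zone.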
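The two Security event 540 records quoted further up the thread are the evidence for the FE/BE flow: a logon type 8 with MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 on the front end, then a logon type 3 with Kerberos on the back end. The following is an added example, not code from the thread: it parses those two records (copied from the thread as constructed sample input), classifies each by logon type and authentication package using the documented Windows logon type codes, and orders the hops per user by timestamp so the Basic-auth leg and the Kerberos leg appear as one chain. The only assumption beyond the thread is the export format: one "Key: value" field per line, as in the quoted records.

```python
"""
Added example (not from the list thread): classify exported Security
event 540 records by logon type and authentication package and order the
hops per user by time. The two records below are copied from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Documented Windows logon type codes
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

FE_EVENT = r"""
Event Type: Success Audit
Event Source:       Security
Event Category:     Logon/Logoff
Event ID:   540
Date:               9/1/2004
Time:               9:37:29 PM
User:               LARASARI\lara
Computer:   FREXCHW2KSERVER
Description:
Successful Network Logon:
    User Name:      lara
    Domain:         LARASARI
    Logon ID:               (0x0,0x79B48D)
    Logon Type:     8
    Logon Process:  IIS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:       FREXCHW2KSERVER
"""

BE_EVENT = r"""
Event Type: Success Audit
Event Source:       Security
Event Category:     Logon/Logoff
Event ID:   540
Date:               9/1/2004
Time:               9:51:02 PM
User:               LARASARI\lara
Computer:   EXCHW2KSERVER
Description:
Successful Network Logon:
    User Name:      lara
    Domain:         LARASARI
    Logon ID:               (0x0,0x785801)
    Logon Type:     3
    Logon Process:  Kerberos
    Authentication Package: Kerberos
    Workstation Name:
"""


def parse_event(text):
    """Turn the 'Key: value' lines of an exported event into a dict.
    Only the first ':' splits, so the Time value keeps its own colons."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            rec[m.group(1)] = m.group(2)
    return rec


def classify(rec):
    """Summarise how this host authenticated the logon."""
    ltype = int(rec["Logon Type"])
    pkg = rec.get("Authentication Package", "")
    return {
        "computer": rec["Computer"],
        "user": rec["User"],
        "when": datetime.strptime(rec["Date"] + " " + rec["Time"],
                                  "%m/%d/%Y %I:%M:%S %p"),
        "logon_type": ltype,
        "logon_type_name": LOGON_TYPES.get(ltype, "Unknown(%d)" % ltype),
        "package": pkg,
        "kerberos": pkg.upper() == "KERBEROS",
        # Type 8 means the server itself received the password (Basic auth
        # through IIS here), so that leg needs SSL between client and server.
        "cleartext_password_seen": ltype == 8,
    }


def chain_by_user(records):
    """Per user, the hops in time order as
    (computer, logon type name, authentication package)."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["User"]].append(classify(rec))
    return {
        user: [(e["computer"], e["logon_type_name"], e["package"])
               for e in sorted(evs, key=lambda e: e["when"])]
        for user, evs in by_user.items()
    }


if __name__ == "__main__":
    for user, hops in chain_by_user([parse_event(FE_EVENT),
                                     parse_event(BE_EVENT)]).items():
        print(user)
        for hop in hops:
            print("   ", hop)
```

Run against a larger export, the same chain function shows, per user, on which hosts the password itself arrived (type 8) and where only a Kerberos ticket did (type 3 with the Kerberos package), which is the distinction the thread is trying to establish from the wire trace.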
