RE: form based auth using kerberos ?

  • From: m1r4cle_26@xxxxxxxxx
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 1 Sep 2004 10:08:21 -0600

> How about this: Setup a mock FE/BE scenario and run a network trace.  
I've done it today.
Following is my observations (please correct me if I'm wrong):
1. FE - only Basic Authentication enabled
2. BE - only Integrated Authentication enabled

Flow (roughly):
1. HTTP request from client to FE
2. LDAP search from FE to AD
3. LDAP entry from AD to FE, where the BE is actually
4. HTTP request from FE to BE (NTLM used !, not Kerberos, why ?)
5. DCERPC Bind from BE to AD, UUID = EPM
6. DCERPC Bind Ack from AD to BE
8. DCERPC Bind Ack from AD to BE
9. LDAP search from BE to AD
10.LDAP entry from AD to BE
11.HTTP OK from BE to FE
12.HTTP OK from FE to BE

No krb5 packet captured by ethereal at all ! Even not sure whether FE & BE
authenticates the user to AD. All I could see was LDAP request and DCERPC
(I expect kerberos packet so muchh..)

Another question is why does it seem the kerberos auth from FE to BE
failed (HTTP is using NTLM), but in the audit logged in event viewer:
Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:       540
Date:           9/1/2004
Time:           9:37:29 PM
User:           LARASARI\lara
Computer:       FREXCHW2KSERVER
Successful Network Logon:
        User Name:      lara
        Domain:         LARASARI
        Logon ID:               (0x0,0x79B48D)
        Logon Type:     8
        Logon Process:  IIS     
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       FREXCHW2KSERVER 

is logged on FE, while:

Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:       540
Date:           9/1/2004
Time:           9:51:02 PM
User:           LARASARI\lara
Computer:       EXCHW2KSERVER
Successful Network Logon:
        User Name:      lara
        Domain:         LARASARI
        Logon ID:               (0x0,0x785801)
        Logon Type:     3
        Logon Process:  Kerberos
        Authentication Package: Kerberos
        Workstation Name:        

is logged in BE
which proves that basic authentication generates kerberos tokens for
delegations ! (ref: Microsoft Knowledge Base Article - 287537)

> Keep in mind that regardless of the forms based vs. pop-up auth you use, the
> only expected difference in the process is that your clients will be able to
> cache credentials on the local workstation if they wanted.  Forms based auth
> prevents that.
The above experiment was using pop-up auth by the way, not form-based.
> One other thing that may be helpful here: Tell us why you want kerberos auth
> vs. any other?  What's the risk you're trying to mitigate here, because
> there may be another way that doesn't take so much of your time. 
Well, if FE/BE is able to authenticate against AD using kerberos, we would
like to make them authenticate against MIT KDC, if possible...
> If that fails to get the results you need, it might be worthwhile to open a
> support call with Microsoft to have them research it and give you a
> definitive answer.  I suspect that for your purposes, you'll still end up
> testing it on the wire though :)
Ugg, yeah...i guess so...

What do you think of the result of my experiment ? 

Thanks for discussing this issue with me,
glad to have with whom I can discuss...

> -----Original Message-----
> From: m1r4cle_26@xxxxxxxxx [mailto:m1r4cle_26@xxxxxxxxx] 
> Sent: Tuesday, August 31, 2004 7:52 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: form based auth using kerberos ?
> > You would need a front-end/back-end solution IIRC.  The use of 
> > Kerberos authentication occurs after you set integrated 
> > authentication, but you can't do that for the anonymous users on the 
> > internet.  Hence, clear-text auth is usually recommended.
> Yes, I agree. I have to use basic authentication with SSL enabled between
> browser and exchange.
> > Have you checked out some of the docs on 
> > for some additional 
> > deployment suggestions for this scenario?
> As suggested, I have read some docs in the microsoft library.
> Kerberos auth is used by front-end to send user cred to back-end to get the
> mailbox, but front end still needs to authenticate user to AD, and so does
> back end. so the flow will be:
> front end -- ? --> AD
> front end -- kerberos --> back end
> back end -- ? --> AD
> (based on article:
> From the net, I can only know that RPC call is used for communication from
> front end to AD. But how does the user authentication process work actually
> ?
> I'm still clueless about the "? protocol" used here. What is the default ?
> Can I use kerberos ?
> So if my understanding is right, even using FE/BE won't guarantee that I can
> authenticate users using kerberos, right ?
> If kerberos can't work with form based auth, what about non form-based auth,
> can exchange uses kerberos to authenticate user to AD ?
> once again, thanks for your help
> lara
> ------------------------------------------------------
> List Archives:
> Exchange Newsletters:
> Exchange FAQ:
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: Leading
> Network Software Directory:
> No.1 ISA Server Resource Site: Windows Security
> Resource Site: Network Security Library:
> Windows 2000/NT Fax Solutions:
> ------------------------------------------------------
> You are currently subscribed to this Discussion List as:
> al.mulnick@xxxxxxxxxx To unsubscribe visit
> Report abuse to listadmin@xxxxxxxxxxxxxx

Other related posts: