Kerberos, delegation and how to do this correctly?
Asked Answered
C

3

10

I've got two separate homemade applications that need to communicate among themselves. One is a frontend application (asp.net actually), the other is a backend interface to an accounting application. The backend interface was not created specifically for this frontend - it is a generic interface that many other applications use to integrate with our product.

For the convenience of users we wish to provide a Windows Authentication in our frontend application. That means however that we need to pass the credentials on to the backend application which has to check them.

We do not wish to set up our frontend as a "trusted" application to the backend which can authenticate itself as any user. If the frontend was to be hacked, it would then also compromise the backend system.

As I understand it, one way to do it with Windows Authentication is Kerberos Delegation. However this requires to be explicitly enabled for the user that is to be delegated, and the machine which does the delegation (the server with our frontend). By default these options are disabled in Active Directory, and I suspect that many sysadmins will have their reservations about turning them on for all their users.

Also, I'm not really sure that this is what Kerberos Delegation was meant for. I don't need our frontend to impersonate the user that is connecting. I just need to prove that this user has authenticated itself to me.

How would you do this?

Chose answered 22/10, 2009 at 11:53 Comment(2)
What's the back end authentication? You indicate the front end is Windows Integrated (so an intranet app), but is the back end app WIA also?Srinagar
Kerberos is for this - eg Users on our LAN connect to a webserver which in turns connects to a SQL Server using the users credentials. This allows us to have per-table/field permissions depending on the user. The difficulty here is that both systems need to be aware of Kerberos delegation - the website to get the various tokens and the back-end to validate them against the same authority. I don't believe this will be possible directly but you may be able to set up a delegation-aware proxy between the UI and back-end.Hangbird
W
8

I'm not clear what you can and can't do with your use case but I can answer the question what Kerberos Delegation was meant for.

First let's talk about what Kerberos does prior to delegation. It is important to understand this part well because it is subtle.

Kerberos authenticates the identity of BOTH ends of a communication between two end-points across a network, those end-points can be interactive users or services running on a computer.

This is strong authentication so it will not allow a man-in-middle attack in any form. If set up correctly an end point can guarantee they won't be compromised. To the level of the service name (if you are connecting to IIs on a machine it is different than connecting to SQL Server on the same machine). It makes heavy use of modern encryption techniques and requires the use of secure certificates. The details of the authentication protocol are complicated and not worth going into now, but it involves about 20 different distinct steps of confirmation between the two authenticating end points and authentication server (in windows the Domain Controller is the authentication server).

So what the heck is delegation?

Delegation is a Microsoft extension to the Kerberos standard which allows a trusted source to continue the authentication to another end-point.

This allows you to act as a "man in the middle" -- however many settings have to be explicitly setup, certificates installed, etc to allow this to work. It is far from simple. (EDIT: Here is another SO answer on the details - https://mcmap.net/q/1166929/-what-39-s-the-difference-between-anonymous-authenticate-impersonate-and-delegate-and-why-does-delegate-need-kerberos)

So, for example, you could have someone authenticate to a website and then have the .NET code connect to an SQL Server AS THE SAME USER to read data with that user's rights.


Now to answer your question, since I'm not sure what you want to do I present three choices:

1) You want to connect to the back end system as the SAME user as the one authenticating at the website.

  • In this case Kerberos delegation is perfect -- it does exactly what you want.

2) You want to connect to the back end system as a DIFFERENT user than the one authenticating at the website (eg a service account).

  • In this case you don't want delegation. Kerberos to the website and Kerberos (as a different user) to the back-end will work great.

3) You want to connect to the back end system as the SAME user some of the time and as a DIFFERENT user other times. (For example, you need to validate this is a legal user for the back end system, but want to perform trusted actions as a system account other times. This is (in my experience) the most common use case.)

  • In this case you use both. Delegation for the connections which need to validate the user identity and then revert to the service account identity for the times when you need system access to the back end. (A previous question of mine went into the details of how to revert to the system identity on the .NET platform see How to "un-impersonate" (un-delegate?) in Kerberos.)
Winifredwinikka answered 30/9, 2013 at 21:0 Comment(1)
this should be the accepted answer, good overview that is relevant to many situations before specifically answering the OP.Inoperative
S
0

Here is a post describing how Kerberos works and how to set it up.

ASP.NET passing along Windows Authentication credentials

Salesmanship answered 22/10, 2009 at 12:8 Comment(2)
Well, yeah, that is MY post. :) And this is the next one. The questions are different. Your answer there made me doubt if I'm using Kerberos in the right way at all.Chose
opps Sorry too early. I thought it was odd that two questions like that would come so close together.Salesmanship
T
0

Actually Kerberos delegation is designed exactly for this use case. But the challenge here is craft this on a legacy system and with AD's settings that you do not want to change.

One possible hack is to have the Front End just send the user and the time of authentication but the backend can query the Active Directory Event Logs to determine whether that user has authenticated to the Front end. This requires you to use WIndows Event Log API.and also play around with Event Log settings in AD to log the issue of service tickets. (MY recollection is that this is the default) -

Taegu answered 6/8, 2012 at 5:32 Comment(1)
I'd say this is open to abuse and the busier the system is, the more likely a false-approval is to occur. It also assumes all clocks are perfectly in sync (hopefully true but not guaranteed)Hangbird

© 2022 - 2024 — McMap. All rights reserved.