How does SPN with Kerberos work

3

8

As I understand it,

  • SPN is an authenticating tool for Windows services.
  • Kerberos is a user authentication service.
  • SPNEGO-GSSAPI is the third-party API to be able to use those services.
  • SSPI is the neutral layer to send requests from SPNEGO to the SPN service.

Am I completely lost?

Trying to figure out how it works, but information is either too precise or not enough.

Bifurcate answered 5/12, 2013 at 19:38 Comment(0)
16

OK, a more verbose answer:

  1. SPN - Service Principal Name. It is an identifier associated with each account in a KDC implementation (AD, OpenLDAP etc.). Basically if your account acts as a service to which a client authenticates, the client has to specify "who" it wants to communicate to. This "who" identifier is the SPN. This is the strict definition. Many people often call the client name (UPN - User Principal Name) of a service as SPN. This happens when the service itself may act as a client (google the delegation scenario). This is not strictly correct but widely assumed true.

  2. Kerberos is a protocol for authentication. It is a name for a framework. It involves a third-party server (called KDC or Key Distribution Centre) and involves a series of steps of acquiring tickets (tokens of authentication). It is really complicated, so http://en.wikipedia.org/wiki/Kerberos_(protocol)

  3. To some extent you got this right. GSSAPI is an API but SPNEGO is not. GSSAPI is technically agnostic to the auth mechanism you use, but most folks use it for Kerberos authentication. SPNEGO is a pseudo mechanism, in the sense it declares an RFC for authentication-based communication in the HTTP domain. Strictly speaking SPNEGO is a specification, but most folks also consider it as an implementation. For instance, Sun and IBM JDK provide "mechanism providers" for SPNEGO token generation, but GSSAPI is used to actually call it. This is done in many projects (Tomcat as a server is an example that comes to the top of my head, and one of the folks who answered this question developed it).

  4. SSPI is an analogue to GSSAPI in Windows. It's a different API which ends up doing something very similar to GSSAPI.

Momentous answered 6/12, 2013 at 12:28 Comment(5)
So if I need to ask my vendor to register his application to be Windows integrated, I would need him to create a connection layer to the SPN using SPNEGO? Currently it's using only SASL for Kerberos authentication to SPN, which is not okay with IT. (Bifurcate)
Ok so from what I understand your vendor needs to be authenticated against you (I mean your code is the server). SPNEGO will support either Kerberos or NTLM and you register your SPN in a KDC implementation (assuming it's a Kerberos based authentication). I don't know how SPNs are registered if you are using NTLM auth. SASL is a wrapper over GSSAPI and it has nothing to do with SPNEGO. I would prefer if you post your code. (Momentous)
Oh and it also depends on what your vendor's application design is. If your vendor's app uses HTTP based communication then yes, they should communicate to you via SPNEGO. A classic example is browser auth. Browsers have a hard format of SPN they connect to: HTTP/canonicaldnsnameofserver.realm.com. This cannot be changed and servers have to support this by defining their SPN as the above. However this is not correct always. For instance, I had modified the curl project to act as a client in which target SPNs are arbitrary. github.com/Khalian/CURL (Momentous)
Neither does GSS-API have a notion of keytabs. This is solely a Kerberos feature. (Maryrose)
Yes, you are right, I fixed that part of the comment. Thanks. I generally use GSSAPI with MIT Kerberos in tandem and have yet to find a bridge API between SSPI and MIT Kerberos. So I got mixed up. My apologies. (Momentous)
4

Not quite.

SPN simply means 'Server Principal Name' and is the AD or Kerberos slang for the service you try to authenticate against.

Kerberos is a user authentication service, more or less yes. It also provides security for network messages and calls between services.

SPNEGO-GSSAPI* is a kind of strange beast. GSSAPI (Generic Security Service Application Program Interface) is an API to (in principle) different authentication services; it provides negotiation of the mechanisms used. Often the only mechanism available will be Kerberos though. It is the usual API to attach 3rd-party programs to Kerberos when you are on Unix (defined in various RFCs, for example RFC 2743).

On the windows platform SSPI is the generic layer, so it compares to GSSAPI.

SPNEGO is kind of a strange hybrid. It is a mechanism to be used in SSPI, HTTP Auth or GSSAPI which negotiates another auth protocol (for example Kerberos or NTLM if you are on Windows), so it basically does the same thing GSSAPI does again in a different way.

Typical uses of SPNEGO are HTTP authentication to a Windows domain; for example IIS uses it if you use 'Integrated Windows authentication'. It is also used when you select the 'Negotiate' option for SSPI. See for example RFC 4559.

Heikeheil answered 5/12, 2013 at 20:7 Comment(0)
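Both the answer above and Momentous's point 3 describe SPNEGO as a pseudo-mechanism that merely negotiates a real one (Kerberos or NTLM). The token format makes that concrete: a NegTokenInit carries a list of mechanism OIDs and nothing else. The following is an added example, not code from either answer or from any Kerberos project; it builds and decodes such a token offline (RFC 2743 framing, RFC 4178 body), so no KDC is involved. The OID values are the published ones; the descriptive names and the `preferred_is_kerberos` check are this example's own.

```python
"""Minimal SPNEGO NegTokenInit builder/decoder (added example, not from the answers).

The token carries no credentials, only the mechanisms the client offers in
preference order, which is why SPNEGO is called a pseudo-mechanism."""

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {  # published OIDs; the names are ours
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # last group: no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))      # higher groups carry the 0x80 bit
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of an OBJECT IDENTIFIER (first arc 0 or 1 only)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def build_neg_token_init(mechs) -> bytes:
    """InitialContextToken { thisMech = SPNEGO, NegTokenInit { mechTypes } }."""
    mech_list = _tlv(0x30, b"".join(encode_oid(m) for m in mechs))  # SEQUENCE OF MechType
    neg_token_init = _tlv(0x30, _tlv(0xA0, mech_list))              # NegTokenInit, mechTypes [0]
    negotiation_token = _tlv(0xA0, neg_token_init)                   # CHOICE negTokenInit [0]
    return _tlv(0x60, encode_oid(SPNEGO_OID) + negotiation_token)    # [APPLICATION 0]


def parse_neg_token_init(token: bytes):
    """Return (outer mechanism OID, offered mechTypes in preference order)."""
    tag, pos, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, start, end = _read_tlv(token, pos)
    if tag != 0x06 or decode_oid(token[start:end]) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, pos, _ = _read_tlv(token, end)            # [0] negTokenInit
    if tag != 0xA0:
        raise ValueError("only NegTokenInit is handled here")
    tag, pos, _ = _read_tlv(token, pos)            # SEQUENCE
    tag, pos, _ = _read_tlv(token, pos)            # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    tag, pos, seq_end = _read_tlv(token, pos)      # SEQUENCE OF MechType
    mechs = []
    while pos < seq_end:
        tag, start, end = _read_tlv(token, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        mechs.append(decode_oid(token[start:end]))
        pos = end
    return SPNEGO_OID, mechs


def describe_mechs(mechs):
    return [(m, MECH_NAMES.get(m, "unknown")) for m in mechs]


def preferred_is_kerberos(mechs) -> bool:
    """True when the client's first choice is Kerberos; a list led by NTLM is
    worth logging on a server that expects Kerberos."""
    return bool(mechs) and mechs[0] in KERBEROS_OIDS


if __name__ == "__main__":
    tok = build_neg_token_init(["1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
    print(tok.hex())
    print(describe_mechs(parse_neg_token_init(tok)[1]))
```

The first OID in mechTypes is the client's preferred mechanism, and the server picks the first one it also supports. Real tokens also carry a mechToken (the first Kerberos AP-REQ or NTLM NEGOTIATE message) after mechTypes; this decoder stops at the mechanism list because that is the part that shows what SPNEGO itself adds.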
1

Almost all of your understandings are wrong.

Here it goes:

  1. SPN: A specific service-class is bound to a specific account, e.g. HTTP to www.stackoverflow.com => HTTP/[email protected]
  2. Yes.
  3./4. GSS-API (Unix)/SSPI (Windows): Mechanism-neutral API to interact with, e.g. Kerberos 5, NTLM, SPNEGO, etc.
  3. SPNEGO: It is one of many mechanisms supported by GSS-API/SSPI. It is actually a pseudo-mech.
Maryrose answered 5/12, 2013 at 20:0 Comment(0)
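The answers bind a service class to a host (the SPN above, and Momentous's comment that browsers always ask for HTTP/canonicaldnsname). As an added example, not code from any answer or from Windows/AD tooling, the following parses SPNs, derives the SPN a browser will request for a URL, and checks a constructed SPN inventory for duplicates, a common operational fault that breaks Kerberos logon to the service. The account names and SPNs in `SAMPLE_REGISTRY` are constructed sample data.

```python
"""SPN helpers: parse, build the browser's SPN, find duplicates.

Added example; SAMPLE_REGISTRY is constructed data, not from any directory."""

from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Principal:
    service_class: str           # "HTTP", "host", "MSSQLSvc", ... kept as written
    host: str                    # canonical DNS name, lowercased
    port: Optional[int] = None   # e.g. MSSQLSvc/db01.example.com:1433
    realm: Optional[str] = None  # Kerberos realm / AD domain, uppercased


def parse_principal(text: str) -> Principal:
    """Parse 'class/host[:port][/name][@REALM]'.

    The optional third component (ldap/dc01.example.com/example.com)
    is accepted and dropped: identity here is class + host + port."""
    if "@" in text:
        name, realm = text.rsplit("@", 1)
    else:
        name, realm = text, None
    if "/" not in name:
        raise ValueError(f"not an SPN, no service class: {text!r}")
    service_class, rest = name.split("/", 1)
    instance = rest.split("/", 1)[0]
    host, _, port = instance.partition(":")
    if not service_class or not host:
        raise ValueError(f"malformed SPN: {text!r}")
    return Principal(service_class, host.lower(),
                     int(port) if port else None,
                     realm.upper() if realm else None)


def format_principal(p: Principal) -> str:
    text = f"{p.service_class}/{p.host}"
    if p.port:
        text += f":{p.port}"
    if p.realm:
        text += f"@{p.realm}"
    return text


def spn_for_url(url: str, realm: Optional[str] = None) -> Principal:
    """The SPN a browser requests a ticket for under Negotiate: class HTTP plus
    the URL's host name. Scheme, port and path play no part, so
    https://intranet.example.com:8443/ and http://intranet.example.com/ both
    need the SPN registered on the account running that web server."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return Principal("HTTP", host.lower(), None, realm)


SAMPLE_REGISTRY: Dict[str, List[str]] = {  # constructed sample data
    "svc_web": ["HTTP/intranet.example.com", "HTTP/intranet"],
    "INTRANET01$": ["host/intranet01.example.com", "http/Intranet.example.com"],
    "svc_sql": ["MSSQLSvc/db01.example.com:1433"],
}


def find_duplicate_spns(registry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {normalized spn: [accounts]} for SPNs held by more than one account.

    AD matches SPNs case-insensitively, so http/Intranet.example.com and
    HTTP/intranet.example.com collide. With a duplicate the KDC cannot tell
    which account's key to use, so Kerberos logon to that service fails."""
    owners: Dict[str, List[str]] = {}
    for account, spns in registry.items():
        for spn in spns:
            key = format_principal(parse_principal(spn)).lower()
            owners.setdefault(key, []).append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    print(format_principal(spn_for_url("https://Intranet.example.com:8443/app/", "EXAMPLE.COM")))
    print(find_duplicate_spns(SAMPLE_REGISTRY))
```

Running it prints `HTTP/intranet.example.com@EXAMPLE.COM` for the browser case and reports that `http/intranet.example.com` is registered on both `svc_web` and `INTRANET01$`, which is the situation a `setspn -X` style check exists to catch.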
