How To Set Up Kcd On Gcd On A Gcd (Gcd) On A Pcode (Gdev) On Gdev (Gd) On An Ubuntu (Gdon) On Pcode On

Transcription

1 Kerberos? Kerberos /ˈkɛərbərəs/ is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

2 Configure Single Sign On Access to Resource Servers First, what is Kerberos? Kerberos is a network authentication protocol Microsoft has coupled Active Directory closely with Kerberos, and Windows 2000 and later use Kerberos as the default authentication method. A typical Kerberos transaction involves 3 components: A client (PC, smartphone, etc) A Key Distribution Center (KDC) trusted by the client and the service Authentication Server (AS) Ticket Granting Server (TGS) A network resource or service (IIS, Sharepoint, etc) There are 3 main exchange phases: Authentication Service (AS) Exchange Ticket Granting Service (TGS) Exchange Client Server (CS) Exchange Kerberos uses tickets that are encrypted / decrypted by secret keys They do not contain user s credentials.

3 Configure Single Sign On Access to Resource Servers What is Kerberos Constrained Delegation (KCD)? KCD allows an account to impersonate / delegate another account for the purpose of providing access to specific and approved (constrained) resources. User Experience Advantage: KCD allows users to access multiple resources (e.g. File sharing server, Web server, etc) without being prompted for domain credentials. Security Advantage: Domain Credentials are never stored or sent to/from the device, and only resources that are specifically allowed are available for access How does this work? Authentication User enters a username / pwd on the client Client performs a one-way hash on the entered pwd, this becomes the secret key Client sends msg to the Authentication Server (AS) requesting services on behalf of user. (Note: Neither secret key nor password is sent to AS) AS Exchange AS checks if client is in DB, then sends msgs back to client to obtain TGS session key. TGS Exchange Client sends msgs to Ticket Granting Server (TGS) to request services. TGS sends msgs back to client for Client-to-Server ticket to authenticate with Network / Resource server. CS Exchange Client sends msgs to Client Server (CS) to request services. CS sends msgs back to client to confirm identity & timestamp and accept connection.

4 KCD Authentication Single Realm 1. GD application requests a service from the app server 2. App server replies with an authentication challenge which is intercepted by the GD Library 3. The GD library sends a request for a service ticket to the Good Control GD Secured Application App Server 4. The Good Control authenticates the user/container using GD internal protocols and asks for a service ticket on behalf of the application for the application server 5. AD checks its local policy and if the user has permission to access the resource on the app server, it returns a service ticket to the Good Control 3 6 Good Control 6. The Good Control parses the Kerberos response and returns the service ticket for the app server along with other information to the GD Library The GD Library saves the information returned from the Good Control and uses the Kerberos ticket to complete the authentication to the application server AD 8. The application server returns the requested service

5 1. Map the GC Service Account to a Service Principal Name (SPN) On AD Domain Controller Start Programs Accessories. Right Click Command Prompt and select Run as Administrator.

6 1. Map the GC Service Account to a Service Principal Name (SPN) In the Administrator: Commant Prompt window, type setspn a GCSvc/<GC_host_fqdn> <DOMAIN>\<GC_service_account> NOTE: Replace the <GC_host_fqdn>, <DOMAIN>, and <GC_service_account> variables. For example: If you have multiple GC servers in your cluster, you must run the above command once for each GC server.

7 1. Map the GC Service Account to a Service Principal Name (SPN) Alternative Method Instead of using a command line procedure, open ADSIEdit.mmc on the Domain Controller. Locate the GD Service Account Right click, select Properties, and add GCSvc/<GC_host_fqdn> to the serviceprincipalname attribute. NOTE: Replace the <GC_host_fqdn> variable.

8 2. Create a Keytab file for the GD Service Account. On KCD Server Start Programs Accessories. Right Click Command Prompt and select Run as Administrator. In the Administrator: Commant Prompt window, type ktpass /out <filename>.keytab /mapuser <service_account>@<realm> /princ <service_account>@<realm> /pass <service_account_password> /ptype KRB5_NT_PRINCIPAL NOTE: Replace the <filename>, <service_account>, <REALM>, and <service_account_password> variables. For example:

9 2. Create a Keytab file for the GD Service Account. A. For each of the GC servers in your cluster, copy the generated keytab file to a known location. B. You will enter the location of this file into the GC console later in the process; associated tasks for this are listed in Step 6. C. If you install an additional GC server into your cluster after you have configured your existing GC servers for KCD, you must copy the keytab file to the known location on the host machine of the new GC server. D. It is important to note that if the password for the service account is changed in the future, you will need to regenerate the keytab file and replace it on all GC servers.

10 3. Configure constrained delegation for the GD Service Account. On AD Domain Controller Open Active Directory Users and Computers (ADUC) Locate GD Service Account Right click and select Properties Go to Delegation tab.

11 3. Configure constrained delegation for the GD Service Account. On AD Domain Controller Open Active Directory Users and Computers (ADUC) Locate GD Service Account Right click and select Properties Go to Delegation tab. A. Select Trust this user for delegation to specified services only. B. Select Use any authentication protocol, then click Add C. In the Add Services window, click the Users or Computers button. D. In the Select Users or Computers popup, enter the name of the computer that hosts the HTTP service from which GC will fetch service tickets for a delegated user, then click OK. E. Click OK in the Add Services popup, then click OK again in the Properties popup.

12 4. Enable enumeration of AD user objects group membership On AD Domain Controller Open Active Directory Users and Computers (ADUC) Expand domain Select Builtin. A. In your Active Directory Users and Computers mmc console, select Builtin from the list on the left, then right-click Windows Authorization Access Group and select Properties. B. Click the Members tab, and add the GC service account.

13 5. Enable the GD Service Account to act as part of the OS On AD Domain Controller Open Default Domain Security Settings console. A. On the Domain Controller, open the Default Domain Security Settings mmc console. B. Under Local Policies, select User Rights Assignments, then right-click Act as part of the operating system in the right panel and select Properties. C. In the Properties popup, click on Add User or Group, then enter the name of the GC service account and click OK.

14 5. Enable the GD Service Account to act as part of the OS Alternative Method On each GC Server Start Administrative Tools Local Security Policy. A. Under Local Policies, select User Rights Assignments, then right-click Act as part of the operating system in the right panel and select Properties. B. In the Properties popup, click on Add User or Group, then enter the name of the GC service account and click OK. Note: This method will not work if Server-level local security policy gets overridden by a domain-level security policy.

15 6. Configure KCD in GC Server Settings Global Settings On GC Web Console Server Configuration Settings Server Properties gc.krb5 Settings Note: Most KCD settings are global in scope and apply for all GC servers in the GC cluster. Modify from any GC Web Console in GC cluster. gc.krb5.enabled gc.krb5.debug gc.krb5.kdc gc.krb5.principal.name gc.krb5.realm Check this box for your GC servers to use KCD. Check this box if you want to enable additional logging. FQDN of the server on which the KDC service resides (eg. the AD domain controller). Service account name (without the domain or realm). The realm of the service account (usually the AD domain converted to uppercase).

16 6. Configure KCD in GC Server Settings Server-specific Settings On GC Web Console Server Configuration Settings Server Properties gc.krb5.keytab.file Note: gc.krb5.keytab.file is server-specific and must be configured independently on each GC Web Console. Note: If you install a new GC server into an existing GC cluster with servers configured to use KCD: 1. Copy the keytab file to a known location on the host machine of the new GC server 2. Log into the GC web console of the new GC server and configure the gc.krb5.keytab.file property. gc.krb5.keytab.file The location of the keytab file.