Configuration of Kerberos Constrained Delegation On NetScaler

Revision History

Revision | Date       | Author  | Contributors | Comments
1.0      | Dec. 2011  | Raymond |              | Initial draft
1.1      | May 2012   | Raymond |              | Added configuration section
1.2      | 06/10/2012 | Naresh  |              | Added Troubleshooting section and more details and pictures to configuration section.
1.3      | 06/11/2012 | Raymond |              | Minor changes and reorg.
1.4      | 10/26/2012 | Naresh  | Pratap       | Adding KCDAccount in configuration.
1.5      | 10/29/2012 | Naresh  | Pratap       | Adding review comments from Pratap
1.6      | 30/10/2012 | Sudish  |              | Adding SQL Windows Auth
1.7      | 02/06/2013 | Pratap  |              | Adding Windows configuration for SQL Server
TABLE OF CONTENTS

Introduction
  Protocol Transition (S4U2Self)
  Constrained Delegation (S4U2Proxy)
Goal
3. SQL Windows Authentication
  3.1 SQL KCD Workflow
4. Configuration
  4.1 Active Directory Configuration
    4.1.1 Create a Kerberos Constrained Delegation (KCD) User Account
  4.2 SetUp Configuration
    4.2.1 SQL server configuration
  4.3 NetScaler Configuration
    4.3.1 Add Service
    4.3.2 DB Profile and KCD Account
    4.3.3 LB VSERVER
    4.3.4 DNS Server
    4.3.5 Joining NetScaler to the Windows Domain
5. Troubleshooting
  5.1 Ensure the lwagent process and all Likewise daemons are running (lwsmd, lwregd, netlogond, lwiod and lsassd)
  5.2 How to know that KCD is working
  5.3 Kinit string: Check NS is requesting a forwardable ticket: S4U2SELF
  5.4 Kinit string: If the kinit request failed and you run into some of the errors listed below, try the fix provided
  5.5 t_s4u request: If you run into some of the errors listed below, try the fix provided
  5.6.1 SetUp Verification
  5.6.2 SQL Verification
6. SQL Unit Test Case
7. Reference
8. Authors
Introduction

Kerberos is widely regarded as the most secure and most widely used, but also the most complex, authentication system. It has nevertheless created challenges for secure architectures built around an Application Delivery Controller (ADC): a remote client may be unable to obtain a ticket, or the ADC may be unable to obtain a ticket for services on behalf of the client. Kerberos version 5 resolved this through two extensions to the authentication protocol implemented in Windows Server 2003: protocol transition and constrained delegation.

Protocol Transition (S4U2Self)

The protocol transition extension allows a service to obtain a Kerberos service ticket to the service on behalf of a user or proxy without requiring the user or proxy to be part of the Kerberos domain or to use Internet Explorer. No user credential is required for the transition. Applications may transition into Kerberos even though the actual authentication is done via another authentication method, such as HTTP Basic, form-based, NTLM, RADIUS, LDAP, SAML, RSA SecurID, PKI/certificates and other OTP systems.

Constrained Delegation (S4U2Proxy)

The constrained delegation extension allows a service to obtain service tickets under the delegated user's identity to a subset of other services after it has been presented with a service ticket that was obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or through the protocol transition extension. The constrained delegation extension was introduced in Windows Server 2003 to address limitations in the Windows 2000 implementation of Kerberos delegation. In the Windows 2000 Kerberos delegation model, the Kerberos Key Distribution Center (KDC) does not limit the scope of services to which a Kerberos principal's identity can be delegated.

In other words, after a service account is trusted for delegation, it can request service tickets on behalf of an authenticated user to any other service account. This delegation method gives an application no precise mechanism to specify the subset of service accounts it considers trustworthy for delegation. Essentially, applications are exposed to broader impersonation risks that may span resource domains with different levels of security policy requirements; some of those policies may not be as strict as the application's own security requirements. From the domain administrator's point of view, it is too risky to enable unconstrained Kerberos delegation in the enterprise because there is no way to exclude untrusted servers from participating in delegation. With constrained delegation, domain administrators can configure service accounts so that they delegate only to specific sets of service accounts.
For more information about RFC 1510, see the IETF Web site (http://www.ietf.org). For more information about Kerberos and the two extensions, see http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx and http://technet.microsoft.com/en-us/library/cc739587.aspx.

Goal

To support Kerberos Protocol Transition and Constrained Delegation (Kerberos SSO) on ncore, integrated with all existing supported authentication methods.

3. SQL Windows Authentication

SQL Windows authentication requires both client and server to be part of a Windows domain. For login, the client obtains a Kerberos ticket for the SQL Server from AD and sends it to the SQL Server for authentication (instead of a username and password). The SQL Server verifies the ticket and sends an authentication response (Done or Error). The SQL Server may send one additional token (0xed) before the Done packet.

Windows authentication support on NetScaler enables an MSSQL lb/cs vserver to authenticate the client, authenticate itself to the backend server on behalf of the client, and pass requests and responses between client and server. When the client sends a login request to the lb vserver, the vserver asks the authentication daemon to verify the ticket; on successful verification the daemon's response is sent to the client with the 0xed token, followed by a Done packet (which indicates successful login). If the authentication daemon rejects the ticket, an Error packet with the message "Windows Authentication failed." is sent to the client and the client connection is closed.

While establishing the server-side connection, once the TCP connection is established, a request is sent to the authentication daemon to get a ticket for the backend server on behalf of the user authenticated on the client-side connection. The authentication daemon responds with a ticket, which is encapsulated in the login packet sent to the backend server. The backend server responds with a Done packet, and then the client query (if any) is forwarded to the backend server. The diagram in the next section describes the different phases of client-side and server-side authentication.
3.1 SQL KCD Workflow

[Diagram not reproduced in this text. Components shown: SQL Client (User), NetScaler TM vserver (vs1), Likewise lsassd daemon on the NetScaler, KDC (AD) and SQL Server. The diagram groups the steps into three phases: Authentication, Kerberos KCD and User Traffic. The numbered steps, as labelled in the diagram:]

1. TGT_REQ
2. TGT_RES
3. TGS_REQ
4. TGS_RES
5. SQL Login Request
6. Send client credentials
7. Validate SPNEGO GSSAPI token
8. Token 0xed + Done Packet
9. SQL Query
10. AS_REQ/RES
11. S4U2Self
12. S4U2Proxy
13. SQL Login Request
14. Token (0xed) + Done Packet
15. SQL Query
16. SQL response
17. SQL response
18. SQL Query
19. SQL Query
20. SQL response
21. SQL response
4. Configuration

This section outlines how to set up Kerberos Constrained Delegation with NetScaler. This involves setting up an account in Active Directory, setting up the server hosting the services and finally configuring the NetScaler. The only new CLI command introduced on NetScaler is the addition of a kcdaccount for a dbprofile, which is described in detail in Section 4.3.

4.1 Active Directory Configuration

This part explains the configuration steps needed in Active Directory to enable Constrained Delegation with NetScaler Secure Access.

4.1.1 Create a Kerberos Constrained Delegation (KCD) User Account

In order to get Constrained Delegation to work, a user account has to be created. This account must have the rights to do Protocol Transition and Delegation; essentially, it is the account that has the right to request a Kerberos ticket on behalf of a user logging into the NetScaler. Start by creating a new user in Active Directory or use an existing user account. In this example, the user kcdtest is created as the account that provides Constrained Delegation to a service.
4.1.2 Enable the Delegation tab for the created user

Delegation is not enabled by default for a user account and needs to be enabled. This involves the SETSPN command-line tool, which isn't included in a standard Windows 2003 installation. Check in the Active Directory user properties whether the Delegation tab is available; if not, download the Windows package. Install the Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?linkid=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?linkid=62270). Once installed on your Windows 2003 server, the tools can be found in C:\Program Files\Support Tools.

Use the command:

  setspn -A MSSQLSvc/kcdvserver.sql2012.com sql2012\kcdtest

NOTE: In this example SQL2012 is the domain and kcdtest is the user account we just created. Here we are registering the kcdtest user with the SPN MSSQLSvc/kcdvserver.sql2012.com. This will enable the Delegation tab in the kcdtest properties.
If the Delegation tab does not appear, the Active Directory is probably running in mixed or native mode and needs to be raised to the Windows 2003 functional level. NOTE that the following steps will change your Active Directory behavior and support for older Windows clients. If you are uncertain, do not raise the Domain Functional Level without checking whether this has any impact on your environment, since this step cannot be reversed. Once the Active Directory is at the Windows 2003 functional level you can continue the configuration.

The Delegation tab will now be visible. Make sure to enable "Trust this user for delegation to specified services only" and "Use any authentication protocol". Even though other selections might seem more accurate, the Kerberos-only options will not work, since they do not enable Protocol Transition and Constrained Delegation.
Creating the keytab file for user kcdtest with SPN host/kcdvserver.sql2012.com@sql2012.com:

  ktpass /princ host/kcdvserver.sql2012.com@sql2012.com /ptype KRB5_NT_PRINCIPAL /mapuser sql2012\kcdtest /pass freebsd /out C:\kcdvserver.keytab

Note: host/kcdvserver.sql2012.com@sql2012.com is case sensitive. After ktpass is issued, user kcdtest will be registered with the SPN host/kcdvserver.sql2012.com@sql2012.com. Check the kcdtest user account properties to confirm the registration.

Once the ktpass command is successful, copy the keytab file to the NetScaler /nsconfig/krb directory. Note: Set the "Password never expires" option for kcdtest; if the password expires, the keytab must be regenerated with ktpass and copied back to the NetScaler.
4.1.3 Add the Services

Since this is constrained delegation, the services it applies to must be specified. Select Add in the kcdtest user's Delegation property page and use the Users or Computers button to select the computer hosting these services. In this example we are doing Constrained Delegation to a service account running SQL Server on Node1; this could have been any other server in the domain. Note that Constrained Delegation does not support services hosted in other domains, even though there is a trust relationship to those domains. Now add the services on the selected server.

Since this example is about setting up Constrained Delegation to SQL Server, the MSSQLSvc service is selected. Now review the settings and Apply / OK them. You are now finished setting up the Active Directory part of the configuration.
4.2 SetUp Configuration

Sharing the secret key between NS and AD: the ktpass utility is used to generate the keytab, which is then shared between NS and AD. ktpass configures the server principal name for the host or service in Active Directory and generates an MIT-style Kerberos "keytab" file containing the shared secret key of the service.

Ktpass for the lb vserver as server (required for client-side Kerberos authentication). Command for keytab generation:

  ktpass /out sqlkeytab /princ MSSQLSvc/lbsql.krb.com@krb.com /pass password /mapuser KRB\user /ptype KRB5_NT_PRINCIPAL

a) MSSQLSvc - indicates the MSSQL service type
b) lbsql.krb.com - lb vserver name in SPN format
c) password - password for the mapped user
d) user - trusted AD user
e) KRB5_NT_PRINCIPAL - general principal type

The keytab can also be generated directly on the NetScaler using the ktutil utility (addent command) instead of generating it on the AD machine and moving it to the NetScaler.

Ktpass for the lb vserver as host (required for KCD). Command for keytab generation:

  ktpass /out sqlkeytab /princ host/lbsql.krb.com@krb.com /pass password /mapuser KRB\user /ptype KRB5_NT_PRINCIPAL

Enable constrained delegation for the user as described in 4.1 and select the SQL service for delegation.

4.2.1 SQL server configuration

Add a login with authentication type Windows. There is no need to add a DB user on the NetScaler.
4.3 NetScaler Configuration

(Change the IP, domain name, domain username and domain user password as per your setup.)

4.3.1 Add Service

  add server node1 node1.sql2012.com
  add service sqlauth node1 MSSQL <port>
  bind lb vserver sqllb sqlauth

The server is added before the service that references it; the bind requires the lb vserver created in 4.3.3.

4.3.2 DB Profile and KCD Account

4.3.2.1 Create KcdAccount

A kcdaccount is used to extract the SPN from the keytab file: the NetScaler reads the keytab file and extracts the SPNs listed in it.
CLI:

  add kcdaccount kcdaccount1 keytab kcdvserver.keytab

or

  add kcdaccount kcdaccount1 keytab /nsconfig/krb/kcdvserver.keytab

Note: The kcdvserver.keytab file has to be copied under /nsconfig/krb/; if the file is not found in /nsconfig/krb, NS will reject it.

  sh kcdaccount kcdaccount2
  1) KCD Account : kcdaccount2
     Keytab : /nsconfig/krb/kcdvserver.keytab
     Vserver Principle : host/kcdvserver.sql2012.com@sql2012.com
  Done

Set/unset/rm commands are allowed on kcdaccount.
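As an added example, not NetScaler code or part of this document, the following Python reads an MIT-format keytab the way the kcdaccount step depends on: it extracts the principal stored in each entry and checks, case sensitively, that the host/ SPN registered with ktpass is present (section 4.1.2 notes that the principal is case sensitive, and 5.4 shows the kinit failure when keytab and SPN disagree). Only the principal name comes from this document; the key bytes, kvno and enctype are constructed placeholders.

```python
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1  # the /ptype used with ktpass in this document
@dataclass
class KeytabEntry:
    principal: str  # e.g. host/kcdvserver.sql2012.com@sql2012.com
    name_type: int
    kvno: int
    enctype: int
    key: bytes

def _counted(buf, off):  # MIT counted_octet_string: uint16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n
def _pack_counted(b):
    return struct.pack(">H", len(b)) + b

def parse_keytab(data):
    """Parse a keytab in MIT format version 0x0502, the format ktpass writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # 0 ends the table; negative = deleted slot
            off += -size if size else len(data)
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno trailer overrides vno8
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, kvno, enctype, key))
        off = end
    return entries

def build_entry(principal, kvno, enctype, key):
    """Serialise one v2 entry; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
    body += b"".join(_pack_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _pack_counted(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def check_kcd_principal(data, expected):
    """Return None when `expected` is in the keytab byte-for-byte, else the reason."""
    names = [e.principal for e in parse_keytab(data)]
    if expected in names:
        return None
    if any(n.lower() == expected.lower() for n in names):
        return "principal differs only in case (Kerberos names are case sensitive)"
    return "principal not present; keytab holds: " + ", ".join(names)

# Constructed sample: the SPN from this document, kvno 3, RC4-HMAC (23), placeholder key.
SPN = "host/kcdvserver.sql2012.com@sql2012.com"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 3, 23, bytes(range(16)))
```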
4.3.2.2 Create DBProfile

A DB profile can be used with LB and CS vservers:

  add dbprofile profile_name kcdaccount myacc

4.3.3 LB VSERVER

  add lb vserver <lb vserver name> MSSQL <ip address> <port> dbprofile profile_name
  bind lb vserver <lb vserver name> sqlauth
4.3.4 DNS Server

  add dns nameserver <ip address>

Important: The following parameters need attention while adding the configuration. Server name: while adding a server (add server), the name of the server should match its DNS name.

4.3.5 Joining NetScaler to the Windows Domain

For Constrained Delegation to work, the NetScaler must be part of the Windows domain. To join the NetScaler to the domain, use the Kerberos Domain Join option under AAA - Application Traffic and create a Negotiate Action as shown in the screenshot (not reproduced here). The user account used to join the domain should have Domain Admin privileges.

Checklist before joining the domain:
1. Add a name server in the NetScaler pointing to the domain DNS server.
2. Check that the NetScaler can resolve the domain with the ping/dig commands.
3. Check that the NetScaler and the DC are in time sync; if not, add an NTP server on both.

Note: If the domain forest has multiple Domain Controllers, then add a static DNS entry pointing to the domain.

CLI:
  add authentication negotiateaction neg1 -domain SQL2012.COM -domainuser <DomainAdmin> -domainuserpasswd d83d154575d426 -encrypted -OU TEST
  bind aaa global -windowsprofile neg1

In a working scenario, you can see aaad.debug logs reporting:

  lwagent.c[2006]: lw_authenticate_user LWAGENT: Trying to authenticat user kcduser1@sql2012.com...
  lwagent.c[2018]: lw_authenticate_user LWAGENT: Successfully authenticated user kcduser1@sql2012.com

If there is any error associated with running the above commands, check Troubleshooting section 5.1.
5. Troubleshooting

5.1 Ensure the lwagent process and all Likewise daemons are running. The Likewise daemons are lwsmd, lwregd, netlogond, lwiod and lsassd.

At the NetScaler shell prompt, type ps ax | grep likewise. If you don't see all Likewise daemons running, do the following:

  # rm -rf /var/lib/likewise/db
  # /opt/likewise/bin/nslw.sh stop
  # /opt/likewise/bin/nslw.sh start

You will see the following:

  # rm -rf /var/lib/likewise/db
  # /opt/likewise/bin/nslw.sh stop
  nslw: Likewise Open 6.1:
  nslw: process 493 killed
  nslw: lwagent stopped
  Stopping service: lwreg
  # /opt/likewise/bin/nslw.sh start
  nslw: Likewise Open 6.1: ././local/./local/lib/./local/lib/pam_lsass.so./local/lib/pam_lsass.la./local/lib/nss_lsass.so.1./local/lib/nss_lsass.la././lib/./lib/likewise/./lib/likewise/lwconfig.xml
  nslw: Found Likewise Open version 6.1
  nslw: lwagent started
  root@chrisns# nslw: Likewise Open 6.1: Refreshing service manager
  Starting service dependency: netlogon
  Starting service dependency: lwio
  Starting service dependency: rdr
  Starting service: lsass
  nslw: lsassd started

Verify that all processes are started by typing ps ax | grep likewise:

  # ps ax | grep likewise
  675  ??  S  0:00.03 /opt/likewise/sbin/lwsmd --start-as-daemon
  676  ??  S  0:00.38 /opt/likewise/sbin/lwregd --syslog
  685  ??  S  0:00.01 /opt/likewise/sbin/netlogond --syslog
  686  ??  S  0:00.02 /opt/likewise/sbin/lwiod --syslog
  687  ??  S  0:00.09 /opt/likewise/sbin/lsassd --syslog
  660  p0  S  0:00.01 /opt/likewise/bin/lwagent

5.2 How to know that KCD is working

When we access the lb vserver (enabled with KCD) we can look at the aaad.debug logs. In the success case they look like this:

  lwagent.c[1198]: lw_start_get_s4u Call /opt/likewise/bin/kinit -k -t /etc/krb5.keytab -f 'host/kcdvserver.sql2012.com@sql2012.com'
  Sun Jun 10 20:34:20 2012 lwagent.c[993]: get_s4u Get S4U2Proxy for: User: abc@sql2012.com; Target: mssqlsvc/sph07.sql2012.com:1433; Keytab: /etc/krb5.keytab; spnego:0
  Sun Jun 10 20:34:20 2012 lwagent.c[1015]: get_s4u Protocol transition tests follow
  Sun Jun 10 20:34:20 2012 lwagent.c[1016]: get_s4u -----------------------------------
  Sun Jun 10 20:34:20 2012 lwagent.c[1044]: get_s4u

Trace at Active Directory (NSIP: 10.217.28.2, AD: 10.217.28.93; the packet capture screenshots are not reproduced here):
  Pkt.514 shows the ticket request from NS to AD, asking for a ticket.
  Pkt.515 shows the ticket is granted.
  Pkt.520 shows the S4U2SELF request for host SPN kcdvserver.sql2012.com.
  Pkt.530 shows the Constrained Delegation request for backend service mssqlsvc/sph07.sql2012.com.
5.3 Kinit string: Check NS is requesting a forwardable ticket: S4U2SELF

Run the following command in the NS shell:

  # /opt/likewise/bin/kinit -k -t /var/kcdvserver.keytab -f 'host/kcdvserver.sql2012.com@sql2012.com'

NS should send an AS-REQ to AD with Client Principal Name 'host/kcdvserver.sql2012.com@sql2012.com'. Here /etc/krb5.keytab points to the keytab created earlier.

5.4 Kinit string: If the kinit request failed and you run into some of the errors listed below, try the fix provided.

a. /opt/likewise/bin/kinit -k -t /var/kcdvserver.keytab -f 'host/kcdvserver.sql2012.com@sql2012.com'
   gss_init_sec_context: Unspecified GSS failure. Minor code may provide more information
   gss_init_sec_context: Matching credential not found

Fix: Create a new keytab and specify it in the kcdaccount. Delete any duplicate SPN in AD. To search for duplicate SPNs, run setspn -X on the Active Directory server (this command works on Windows 2008 only).

5.5 t_s4u request: If you run into some of the errors listed below, try the fix provided.

a. /opt/likewise/bin/t_s4u nareshj@sql2012.com mssqlsvc/sph07.sql2012.com:1433 /var/kcdvserver.keytab
   Warning: no delegated credentials handle returned
   Verify:
   - The TGT for the impersonating service is forwardable
   - The T2A4D flag set on the impersonating service's UAC
   - The user is not marked sensitive and cannot be delegated

Fix: Check whether "Use any authentication protocol" is enabled; if not, enable it.

b. "Server not found in Kerberos database" when we run:
   /opt/likewise/bin/t_s4u user1@sql2012.com mssqlsvc/sph07.sql2012.com:1433 /var/kcdvserver.keytab

Fix: Check /etc/krb5.conf; if it points to the wrong domain, take a backup of the file, change it to the correct domain and save it.

c. /opt/likewise/bin/t_s4u administrator@sql2012.com mssqlsvc/sharepoint.sql2012.com /var/kcdvserver.keytab
   Protocol transition tests follow
   -----------------------------------
   gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information
   gss_acquire_cred_impersonate_name: Client not found in Kerberos database

Fix: Check whether "Do not require Kerberos preauthentication" is enabled or disabled; it should be disabled.
5.6.1 SetUp Verification

KCD requires steps that involve keytab generation (ktpass), addition of the service principal name (setspn) and enabling KCD for the user. Any wrong configuration (a name wrongly typed, an option missed) can cause KCD to fail. If KCD fails to work, check for setup issues with the following two shell commands on the NetScaler (change the lb vserver name, service name and service port as required):

  /opt/likewise/bin/kinit -k -t /etc/krb5.keytab -f 'host/lbvs.sql2012.com@sql2012.com'

a) Should return without printing any messages.

  /opt/likewise/bin/t_s4u sudish@sql2012.com MSSQLSvc/node1.sql2012.com:1433 /etc/krb5.keytab

b) Should be able to get a KCD ticket for the backend server.

If both of the above commands run fine, KCD should work; otherwise configuration changes may be required on the NetScaler or in AD.
5.6.2 SQL Verification

Login packet: Packet 3230 shows the login packet from the SQL client. The most significant bit of OptionFlags2 indicates (ON for yes, OFF for no) whether Windows authentication will be used. If this bit is ON, the Kerberos ticket is carried in this packet.

Login Response Token (0xed): This token is sent by SQL Server in response to the Windows auth login. It is not a mandatory packet; the server can send the Done packet directly, which indicates successful login. Packet 3238 shows the 0xed token from SQL Server; this token also contains the authentication response for the Kerberos ticket.
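As an added example, not code from this document or from NetScaler, the following Python parses the LOGIN7 packet described above and in section 3: it reads the fIntSecurity bit (the most significant bit of OptionFlags2), extracts the SSPI blob when that bit is set, and identifies the GSS-API mechanism from the blob's outer token. Field offsets follow the MS-TDS LOGIN7 layout; the packets and the SSPI blob are constructed here, with a SPNEGO token header and a zeroed body rather than a real ticket.

```python
import struct

TDS_LOGIN7 = 0x10
F_INT_SECURITY = 0x80  # OptionFlags2 MSB: the client will use Windows (SSPI) authentication
LOGIN7_FIXED = 94      # size of the fixed portion of LOGIN7, before the variable data
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2

def parse_login7(packet):
    """Parse one TDS LOGIN7 packet: 8-byte TDS header followed by the LOGIN7 payload."""
    ptype, _status, plen = struct.unpack_from(">BBH", packet, 0)
    if ptype != TDS_LOGIN7 or plen != len(packet):
        raise ValueError("not a complete LOGIN7 packet")
    p = packet[8:]                    # LOGIN7 offsets are relative to the payload start
    flags2 = p[25]                    # after Length, TDSVersion, PacketSize, ClientProgVer,
                                      # ClientPID, ConnectionID (6 x 4 bytes) and OptionFlags1
    pairs = struct.unpack_from("<18H", p, 36)          # nine (offset, char count) pairs
    ib_sspi, cb_sspi = struct.unpack_from("<HH", p, 78)
    (cb_sspi_long,) = struct.unpack_from("<I", p, 90)
    if cb_sspi == 0xFFFF:             # blobs over 64 KiB use the 32-bit length instead
        cb_sspi = cb_sspi_long

    def ucs2(i):                      # strings are UCS-2 little-endian
        ib, cch = pairs[2 * i], pairs[2 * i + 1]
        return p[ib:ib + 2 * cch].decode("utf-16-le")

    return {
        "integrated_security": bool(flags2 & F_INT_SECURITY),
        "hostname": ucs2(0), "username": ucs2(1), "appname": ucs2(3),
        "sspi": bytes(p[ib_sspi:ib_sspi + cb_sspi]),
    }

def classify_sspi(blob):
    """Name the mechanism carried in the SSPI blob from its outer token."""
    if not blob:
        return "none"
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if blob[0] != 0x60:               # GSS-API InitialContextToken tag (APPLICATION 0)
        return "unknown"
    skip = 2 + (blob[1] & 0x7F if blob[1] & 0x80 else 0)   # tag + DER length bytes
    if blob[skip:].startswith(SPNEGO_OID):
        return "spnego"
    if blob[skip:].startswith(KRB5_OID):
        return "krb5"
    return "unknown"

def build_login7(hostname, username, appname, sspi=b"", int_security=False):
    """Construct a LOGIN7 packet for sample input; unused fields are zero."""
    strings = [hostname, username, "", appname, "", "", "", "", ""]   # 9 OffsetLength slots
    data, pairs, off = b"", [], LOGIN7_FIXED
    for s in strings:
        enc = s.encode("utf-16-le")
        pairs += [off if enc else 0, len(s)]
        data, off = data + enc, off + len(enc)
    ib_sspi = off if sspi else 0
    data += sspi
    flags2 = F_INT_SECURITY if int_security else 0
    fixed = struct.pack("<IIIIII", LOGIN7_FIXED + len(data), 0x74000004, 4096, 0, 0, 0)
    fixed += bytes([0, flags2, 0, 0]) + struct.pack("<iI", 0, 0x0409)   # flags, tz, LCID
    fixed += struct.pack("<18H", *pairs) + b"\x00" * 6                   # + ClientID
    fixed += struct.pack("<HHHHHHI", ib_sspi, len(sspi), 0, 0, 0, 0, 0)
    payload = fixed + data
    return struct.pack(">BBHHBB", TDS_LOGIN7, 1, 8 + len(payload), 0, 1, 0) + payload

# Constructed samples. The SSPI blob is only a SPNEGO token header with a zeroed body,
# not a real ticket; a live capture would carry the client's Kerberos AP-REQ inside it.
SAMPLE_SSPI = b"\x60\x14" + SPNEGO_OID + b"\xa0\x0a" + b"\x00" * 10
WINDOWS_AUTH_LOGIN = build_login7("client1", "", "sqlcmd", SAMPLE_SSPI, True)
SQL_AUTH_LOGIN = build_login7("client1", "sa", "sqlcmd")
```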
6. SQL Unit Test Case

Test-1: Follow the configuration mentioned in section 7.2 for setup. Use a SQL client with the Windows Authentication option to perform login. On successful login, the query prompt will come up. If login fails, the "Windows Authentication Failed" message will come up.
Test-2: Try SQL authentication to check backward compatibility.
Test-3: Try removing the keytab file for KCD and observe the behavior. The NetScaler should reset the connection.
Test-4: Try removing the keytab file for the lb vserver; in this case the "Windows Authentication Failed" message should come up.
7. Reference

http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx
http://technet.microsoft.com/en-us/library/cc739587.aspx

8. Authors

Raymond Li, Raymond.Li@citrix.com
Naresh Jampani, Naresh.Jampani@citrix.com
Sudish Kumar Sah, sudishkumar.sah@citrix.com