Ing. Ondrej Sevecek Windows Server Product Manager GOPAS a.s.

Transcription

1 Kerberos Delegation aka double hop Ing. Ondrej Sevecek Windows Product Manager GOPAS a.s. MCM:Directory MVP:Enteprise Security Certified Ethical Hacker Certified Hacking Forensic Investigator CISA

2 SSO (single-sign-on) Minimize use of secure authentication information ISO/IEC Limits password/pin exposure Limits user's incentives to store passwords on local systems or write them down

3 Network authentication Client Secure Channel

4 Delegation (double-hop) Client Back-end

5 Network authentication risks Clear text password? Client Weak password hash?

6 Delegation (double-hop) Client Back-end

7 Access under service account svc- Client Kamil svc- Back-end

8 Access under the front-end client user account svc- Client Kamil Kamil Back-end

9 Basic delegation LSASS password Client password Kerberos Back-end

10 Basic delegation LSASS password Client password Kerberos Back-end normal TGT Kamil encrypted TGS:Kamil:BackEnd

11 Kerberos unconstrained delegation

12 Trust this user/computer for delegation to any service (Kerberos only) useraccountcontrol flag ADS_UF_TRUSTE D_FOR_DELEGATI ON = = 0x80000

13 Kerberos unconstrained delegation (DFL 2000+) LSASS F:TGT Client F:TGT Kerberos Back-end

14 Kerberos unconstrained delegation (DFL 2000+) LSASS F:TGT Client F:TGT TGS:Kamil:BackEnd Back-end F:TGT encrypted TGS:Kamil:BackEnd

15 Kerberos constrained delegation

16 Trust this user/computer for delegation to specified services only (use Kerberos only) msds- AllowedToDelegateTo attribute

17 Kerberos constrained delegation (DFL 2003+) LSASS TGS:Kamil: Client TGS:Kamil: Kerberos Back-end

18 Kerberos constrained delegation (DFL 2003+) LSASS TGS:Kamil: Client TGS:Kamil: TGS:Kamil:BackEnd Back-end encrypted TGS:Kamil:BackEnd

19 Constrained delegation requirements account must read tokengroupsglobalanduniversal attribute Windows Authorization Access Group (WAAG) Client user account must not have delegation prohibited useraccountcontrol attribute ADS_UF_NOT_DELEGATED = = 0x100000

20 Best practice hints for Kerberos constrained delegation Full restart of the always Static TCP port for SQL servers always member of WAAG Constrained delegation to SMB does work only for running under SYSTEM account or with IIS kernel mode authentication or with protocol transition regardless of account Delegation to SQL does not work with IIS kernel mode authentication With DFL 2003 explicitly disable AES for the Protect sensitive accounts against being delegated

21 Account is sensitive and cannot be delegated useraccountcontrol flag ADS_UF_NOT_DELEGATED = = 0x100000

22 The delegation tab is not visible unless there is at least one SPN of any kind

23 Kerberos constrained delegation with protocol transition

24 Trust this user/computer for delegation to specifies services only (use any authentication protocol) msds- AllowedToDelegateTo attribute + useraccountcontrol flag ADS_UF_TRUSTED_FO R_DELEGATION = = 0x80000

25 Kerberos protocol transition (DFL 2003+) LSASS nothing Client anything NTLM Kerberos Back-end retina questions

26 Kerberos protocol transition (DFL 2003+) LSASS nothing Client anything NTLM TGS:Kamil:BackEnd Back-end retina questions encrypted nothing TGS:Kamil:BackEnd

27 Protocol transition requirements must have user right Act as part of operating system (SetTcbPrivilege) must have the Impersonate client after authentication (SeImpersonatePrivilege) user right C2WTS additional requirements C2WTS must have the Create global objects (SeCreateGlobalPrivilege) user right C2WTS must be running under SYSTEM or member of local Administrators group then does not need the SeTcbPrivilege

28 Security implications of protocol transition (use any authentication protocol)

29 Learn at gopas GOC171 - Active Directory Troubleshooting GOC172 - Kerberos Troubleshooting ondrej@sevecek.com