Data Source Kerberos / oauth On the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On

Size: px

Start display at page:

Download "Data Source Kerberos / oauth On the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On"

Lynn Marshall
5 years ago
Views:

2 Welcome

3 1 8 B I Data Source Kerberos / oauth On the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On John Kew Manager / Connectivity Tableau Speaker Name (if needed) Job Title Company / Org Name ined Delegation with Protocol Transition And oauth On

4 Everyone dreams of SSO via anything but Kerberos

6 Agenda Server settings SQL Server impersonation User filters and data source filters Run as user oauth connections Enable Kerberos delegation

7 User Filters and Data Source Filters

8 Run as User

9 Oauth (and SAML)

10 Why Kerberos?

11 Two-Factor Auth

12 Trust

13 Constrained Delegation

14 Introducing Bagel DB

15 Bageld Bagel Database of the Future /* Bageld - A system for the organization, storage, and retrieval of Bagel information */ John V. Kew Assignment 2 CPEx317 w/ Dr. Nico Winter, 2002 This program sets up a decision tree for the organization of bagel information. The program will use a database file in the local directory called "bagels.db" - If this file does not exist, it will create it so that bagel information can be added. Files: bageld.c bageld.h string.c string.h Compilation: Use cmake Usage:./bageld [bagel database] [optional: kerberos keytab] Without a database, the program will first ask you for a bagel type. Then begin filling the database with Caleb bagels, Monkey bagels, and Toast bagels. All answers are of "yes", "no", [Bagel Name], or a question about a bagel.

16 Bageld Bagel Database of the Future Bagels + Kerberos = Enterprise

17 Single Hop Kerberos with Bagel DB

18 Casting Call Narrator: John Kew Alice the Bagel Database: Jason Burns Microsoft Bob the Active Directory Server: <INSERT YOU> Eve the Bagel Database Client: <INSERT YOU>

19 Single Hop Kerberos: The Setup Narrator: A bagel shop. Alice the Bagel Database is happily responding to requests from customers about all the different types of bagels. But Alice doesn t just trust anyone Microsoft Bob ( to Alice): You have your service key right? Without it I can t vouch for anyone wanting to access your bagel database. Alice: Yeah; totally, my Domain Administrator set me up for Kerberos Authentication. I ll trust the people you trust. (Eve walks into the bagel shop)

20 Review: Who Knows What? Client (Eve) knows her password (Often in keytab) Database Service (Alice) knows her password (Often in keytab) Active Directory / KDC knows everything (Often in LDAP)

21 Authentication Service: Getting a Ticket Granting Ticket (TGT) Eve: Hey Bob; you know me right? Here s my username

We will use that as our shared decoder ring for future messages.

22 Authentication Service: Getting a Ticket Granting Ticket (TGT) Microsoft Bob: Yeah; the username is legit; here s a secret message containing a special decoder ring that only you can use. We will use that as our shared decoder ring for future messages. Keep that around, at least for 24 hours. That little key is as good as my word; but if you are who you say you are only you should be able to read this.

23 Authentication Service: Getting a Ticket Granting Ticket (TGT)

24 Authentication Service Login (Client Side) jaas.conf direct.singlehopbageldclient { com.sun.security.auth.module.krb5loginmodule required useticketcache=true }; Login.scala ////////////////////////////////////////////////////////////////////////////////// // Authenticate against the KDC using JAAS. def login(username: String, password: String) = { val loginctx: LoginContext = new LoginContext(configName, new LoginCallbackHandler(username, password)) loginctx.login() this.subject = loginctx.getsubject() }

25 Authentication Service Login (Client Side)

26 Requesting a Service Ticket: Getting a Service Ticket Eve: Thanks Bob; you know I was thinking of starting a transaction with Alice the Bagel Database; you think you could give me a service ticket which I can use to start a transaction? Here is that request encrypted with our cool little decoder ring.

27 Requesting a Service Ticket: Getting a Service Ticket Microsoft Bob: Sure thing; but this ticket is encrypted with Alice s secret decoder ring. She s the only one who can read it. Now leave me alone, it s patch Tuesday and I need some TLC.

28 Requesting a Service Ticket: Getting a Service Ticket

29 Requesting a Service Ticket (Client Side) KerberosClient.scala //////////////////////////////////////////////////////////////////////////////////////////////// // Configure our request for the service TGT println("initializing security context " + subject + " for service " + serviceprincipalname) val gssservername: GSSName = manager.createname(serviceprincipalname, KRB5_PRINCIPAL_NAME_OID) val context:gsscontext = manager.createcontext(gssservername, KRB5_NAME_OID, null, GSSContext.DEFAULT_LIFETIME) val token: Array[Byte] = new Array[Byte](0) // This is a one pass context initialisation. context.requestmutualauth(false) context.requestcreddeleg(true) context.requestanonymity(false) //////////////////////////////////////////////////////////////////////////////////////////////// // Initialize the security context; this is the part that actually // gets the service session setup from the TGS val ticket = context.initseccontext(token, 0, token.length)

30 Wireshark: Authenticating to the Database Eve (to Alice): Hello Bagel Database. Alice: I don t talk to anyone about bagels unless they have a kerberos ticket.

31 Wireshark: Authenticating to the Database Eve (to Alice): Here s my kerberos ticket that I got from our friend, Bob. I encoded it in Base64; because I know that s how you like it.

32 Wireshark: Authenticating to the Database Alice (inspecting and decoding the service ticket): Good news; you are not an intruder!

33 Wireshark: Authenticating to the Database

34 Accepting a Service Ticket (Database Side) bageld.c // Convert from base64 to bytes size_t ticketlength; unsigned char *ticket = base64_decode(input, inputlength, &ticketlength); printf("kerberos: B64Decoded %u [%s]\n", (unsigned int) ticketlength, ticket); gss_buffer_desc gbuf; gbuf.length = ticketlength; gbuf.value = ticket; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; maj_stat = gss_accept_sec_context(&min_stat, &ctx, GSS_C_NO_CREDENTIAL, &gbuf,gss_c_no_channel_bindings,&name, NULL, &outbuf, &gflags, NULL, NULL); free(ticket); switch (maj_stat) { case GSS_S_COMPLETE: authorized = 1; gss_buffer_desc dsp_name; dsp_name.length = 0; dsp_name.value = NULL; gss_display_name( &min_stat, name, &dsp_name, GSS_C_NO_OID ); printf("kerberos: accepting GSS security context for: %s\n", (char *)(dsp_name.value)); break;

35 Review: Tickets and Keys Exchanged Session key: Used to securely exchange messages between a client and active directory Ticket granting ticket (TGT): Contains the session key to the client from active directory Service ticket (TGS): Contains the session key for communication between the client and a service (database). This can only be decrypted by the service

36 Constrained Delegation with Protocol Transition

37 Constrained Delegation with Protocol Transition Eve: So here s the problem Bob. I can talk to Alice no problem, but my friend Fred is allergic to garlic and cannot set foot inside that bagel shop. Is there a way for me to ask Alice some questions but make her think she is talking to Fred? Bob: Sure. This is called Kerberos Constrained Delegation. You probably also want protocol transition because Fred cannot just forward his credentials into the Bagel shop. You need to file a service ticket with my domain administrator to set this up.

38 Constrained Delegation with Protocol Transition Constrained Delegation: Trust this user for delegation to specified services only Protocol Transition: Use any authentication protocol"

39 Service for User to Self: S4U2Self Eve: Bob? Can I get a service ticket for myself for Fred? I need to be able to make requests for other services, as if I were Fred.

40 Service for User to Self: S4U2Self Bob: Ahh this is called an Service for User to Self (S4U2Self) call. Yup. Here you go.

41 Service for User to Proxy: S4U2Proxy Eve: Thanks. Ok. Now that I can make requests using this service ticket, can I have a service ticket for Alice on behalf of Fred?

42 Service for User to Proxy: S4U2Proxy Bob: Sure. This is an Service for User to Proxy (S4U2Proxy) call. Yup yup yup. Here you go

43 Connecting to the Database Normally Eve: Cool. Now I can talk to Alice normally, and Alice will think I m Fred.

44 Impersonation (Client Side) KerberosClient.scala // Impersonation val gssimpersonatename: GSSName = manager.createname(impersonatename, GSSName.NT_USER_NAME, KRB5_NAME_OID) val self:extendedgsscredential = manager.createcredential(null, GSSCredential.DEFAULT_LIFETIME, KRB5_NAME_OID, GSSCredential.INITIATE_ONLY).asInstanceOf[ExtendedGSSCredential] println("######### IMPERSONATING: " + gssimpersonatename) self.impersonate(gssimpersonatename).asinstanceof[extendedgsscredential]

45 Review: Constrained Delegation w/ Protocol Transition Constrained Delegation: Ability to delegate communication to a service to an intermediate entity (Eve, or Tableau Server) Protocol Transition: Ability to initiate impersonation of a user using a Service For User To Self (S4U2Self) call and an Service For User to Proxy (S4U2Proxy) call without the original user s password being used to retrieve a Ticket Granting Ticket Service Ticket (TGS): Contains the session key for communication between the Client and a Service (Database). This can only be decrypted by the Service

46 Data Source oauth

47 Tableau Data Source oauth Implementations Legacy oauth WDC oauth GALOP oauth Next* oauth

48 oauth Limitations Designed for Web Applications Requires an Accessible Callback Intermediary

49 Tableau Data Source oauth Implementations

50 18BI-113 Thank you! Contact or CTA info goes here

51 R E L AT E D S E S S I O N S Connecting to Datasources for Tableau Server on Linux Thursday, October 12 12:00pm 1:00pm South L3 Palm A Safeguard Your Data: Row Level Security Thursday, October 12 10:30am 11:30am South L2 Mandalay Bay G

52 Help us plan the future

53 Please complete the session survey from the Session Details screen in your TC18 app

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

ArcGIS Enterprise Security: An Introduction Gregory Ponto & Jeff Smith Agenda ArcGIS Enterprise Security Model Portal for ArcGIS Authentication Authorization Building the Enterprise Encryption Collaboration