Data Source Kerberos / OAuth On the Wire: Explaining Kerberos Constrained Delegation with Protocol Transition and OAuth for Data Source Single Sign On


Welcome

18BI-113 Data Source Kerberos / OAuth On the Wire: Explaining Kerberos Constrained Delegation with Protocol Transition and OAuth for Data Source Single Sign On. John Kew, Manager / Connectivity, Tableau

Everyone dreams of SSO via anything but Kerberos

Agenda
- Server settings
- SQL Server impersonation
- User filters and data source filters
- Run as user
- OAuth connections
- Enable Kerberos delegation

User Filters and Data Source Filters

Run as User

OAuth (and SAML)

Why Kerberos?

Two-Factor Auth

Trust

Constrained Delegation

Introducing Bagel DB

Bageld: Bagel Database of the Future

/* Bageld - A system for the organization, storage, and retrieval of Bagel information */
John V. Kew, Assignment 2, CPEx317 w/ Dr. Nico Winter, 2002

This program sets up a decision tree for the organization of bagel information. The program will use a database file in the local directory called "bagels.db". If this file does not exist, it will create it so that bagel information can be added.

Files: bageld.c bageld.h string.c string.h
Compilation: Use cmake
Usage: ./bageld [bagel database] [optional: kerberos keytab]

Without a database, the program will first ask you for a bagel type, then begin filling the database with Caleb bagels, Monkey bagels, and Toast bagels. All answers are "yes", "no", [Bagel Name], or a question about a bagel.

Bageld Bagel Database of the Future Bagels + Kerberos = Enterprise

Single Hop Kerberos with Bagel DB

Casting Call
Narrator: John Kew
Alice the Bagel Database: Jason Burns
Microsoft Bob the Active Directory Server: <INSERT YOU>
Eve the Bagel Database Client: <INSERT YOU>

Single Hop Kerberos: The Setup
Narrator: A bagel shop. Alice the Bagel Database is happily responding to requests from customers about all the different types of bagels. But Alice doesn't just trust anyone.
Microsoft Bob (to Alice): You have your service key, right? Without it I can't vouch for anyone wanting to access your bagel database.
Alice: Yeah; totally, my Domain Administrator set me up for Kerberos Authentication. I'll trust the people you trust.
(Eve walks into the bagel shop)

Review: Who Knows What?
- Client (Eve) knows her password (often in a keytab)
- Database Service (Alice) knows her password (often in a keytab)
- Active Directory / KDC knows everything (often in LDAP)

Authentication Service: Getting a Ticket Granting Ticket (TGT)
Eve: Hey Bob; you know me, right? Here's my username.

Authentication Service: Getting a Ticket Granting Ticket (TGT)
Microsoft Bob: Yeah; the username is legit; here's a secret message containing a special decoder ring that only you can use. We will use that as our shared decoder ring for future messages. Keep that around, at least for 24 hours. That little key is as good as my word; but if you are who you say you are, only you should be able to read this.


Authentication Service Login (Client Side)

jaas.conf:
direct.singlehopbageldclient {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

Login.scala:
import javax.security.auth.Subject
import javax.security.auth.login.LoginContext

// Authenticate against the KDC using JAAS. configName selects the jaas.conf entry above;
// LoginCallbackHandler is the deck's own handler that hands the username and password to Krb5LoginModule.
def login(username: String, password: String): Unit = {
  val loginctx: LoginContext = new LoginContext(configName, new LoginCallbackHandler(username, password))
  loginctx.login()                       // AS exchange: the TGT lands in the Subject's private credentials
  this.subject = loginctx.getSubject()
}


Requesting a Service Ticket: Getting a Service Ticket Eve: Thanks Bob; you know I was thinking of starting a transaction with Alice the Bagel Database; you think you could give me a service ticket which I can use to start a transaction? Here is that request encrypted with our cool little decoder ring.

Requesting a Service Ticket: Getting a Service Ticket
Microsoft Bob: Sure thing; but this ticket is encrypted with Alice's secret decoder ring. She's the only one who can read it. Now leave me alone, it's Patch Tuesday and I need some TLC.


Requesting a Service Ticket (Client Side)

KerberosClient.scala:
import org.ietf.jgss.{GSSContext, GSSManager, GSSName, Oid}

// manager (a GSSManager), subject, servicePrincipalName and the two OIDs
// (KRB5_NAME_OID for the Kerberos mechanism, KRB5_PRINCIPAL_NAME_OID for the name type)
// are defined elsewhere in the deck's class. This runs under the logged-in Subject (Subject.doAs).

// Configure our request for the service ticket
println("initializing security context " + subject + " for service " + servicePrincipalName)
val gssServerName: GSSName = manager.createName(servicePrincipalName, KRB5_PRINCIPAL_NAME_OID)
val context: GSSContext = manager.createContext(gssServerName, KRB5_NAME_OID, null, GSSContext.DEFAULT_LIFETIME)
val token: Array[Byte] = new Array[Byte](0)
// This is a one pass context initialisation.
context.requestMutualAuth(false)
context.requestCredDeleg(true)
context.requestAnonymity(false)

// Initialize the security context; this is the part that actually
// gets the service ticket from the TGS (TGS-REQ / TGS-REP) and wraps it in the AP-REQ token sent to Alice
val ticket: Array[Byte] = context.initSecContext(token, 0, token.length)

Wireshark: Authenticating to the Database
Eve (to Alice): Hello Bagel Database.
Alice: I don't talk to anyone about bagels unless they have a Kerberos ticket.

Wireshark: Authenticating to the Database
Eve (to Alice): Here's my Kerberos ticket that I got from our friend, Bob. I encoded it in Base64, because I know that's how you like it.

Wireshark: Authenticating to the Database
Alice (inspecting and decoding the service ticket): Good news; you are not an intruder!


Accepting a Service Ticket (Database Side)

bageld.c:
#include <stdio.h>
#include <stdlib.h>
#include <gssapi/gssapi.h>
#include "string.h"          /* bageld's own base64_decode() */

/* input / inputlength are the Base64 text Eve sent; authorized is the request handler's flag */
// Convert from base64 to bytes
size_t ticketlength;
unsigned char *ticket = base64_decode(input, inputlength, &ticketlength);
printf("kerberos: B64Decoded %zu bytes\n", ticketlength);   /* the ticket is binary, not a C string */
gss_buffer_desc gbuf;
gbuf.length = ticketlength;
gbuf.value = ticket;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_name_t name = GSS_C_NO_NAME;
gss_buffer_desc outbuf = GSS_C_EMPTY_BUFFER;
OM_uint32 maj_stat, min_stat, gflags;
/* GSS_C_NO_CREDENTIAL: the library looks up Alice's key in the keytab named by KRB5_KTNAME */
maj_stat = gss_accept_sec_context(&min_stat, &ctx, GSS_C_NO_CREDENTIAL, &gbuf,
                                  GSS_C_NO_CHANNEL_BINDINGS, &name, NULL, &outbuf,
                                  &gflags, NULL, NULL);
free(ticket);
switch (maj_stat) {
case GSS_S_COMPLETE: {
    authorized = 1;
    gss_buffer_desc dsp_name = GSS_C_EMPTY_BUFFER;
    gss_display_name(&min_stat, name, &dsp_name, NULL);
    /* display names are not NUL-terminated; print exactly dsp_name.length bytes */
    printf("kerberos: accepting GSS security context for: %.*s\n",
           (int) dsp_name.length, (char *) dsp_name.value);
    gss_release_buffer(&min_stat, &dsp_name);
    break;
}

Review: Tickets and Keys Exchanged
- Session key: Used to securely exchange messages between a client and Active Directory
- Ticket granting ticket (TGT): Contains the session key to the client from Active Directory
- Service ticket (TGS): Contains the session key for communication between the client and a service (database). This can only be decrypted by the service

Constrained Delegation with Protocol Transition

Constrained Delegation with Protocol Transition
Eve: So here's the problem, Bob. I can talk to Alice no problem, but my friend Fred is allergic to garlic and cannot set foot inside that bagel shop. Is there a way for me to ask Alice some questions but make her think she is talking to Fred?
Bob: Sure. This is called Kerberos Constrained Delegation. You probably also want protocol transition, because Fred cannot just forward his credentials into the bagel shop. You need to file a service ticket with my domain administrator to set this up.

Constrained Delegation with Protocol Transition
- Constrained Delegation: "Trust this user for delegation to specified services only"
- Protocol Transition: "Use any authentication protocol"

Service for User to Self: S4U2Self Eve: Bob? Can I get a service ticket for myself for Fred? I need to be able to make requests for other services, as if I were Fred.

Service for User to Self: S4U2Self
Bob: Ahh, this is called a Service for User to Self (S4U2Self) call. Yup. Here you go.

Service for User to Proxy: S4U2Proxy Eve: Thanks. Ok. Now that I can make requests using this service ticket, can I have a service ticket for Alice on behalf of Fred?

Service for User to Proxy: S4U2Proxy
Bob: Sure. This is a Service for User to Proxy (S4U2Proxy) call. Yup yup yup. Here you go.

Connecting to the Database Normally
Eve: Cool. Now I can talk to Alice normally, and Alice will think I'm Fred.

Impersonation (Client Side)

KerberosClient.scala:
import com.sun.security.jgss.ExtendedGSSCredential
import org.ietf.jgss.{GSSCredential, GSSName}

// Impersonation: S4U2Self, Eve asks Bob for a ticket to herself on behalf of impersonateName
// (manager, KRB5_NAME_OID and impersonateName are defined elsewhere in the deck's class)
val gssImpersonateName: GSSName = manager.createName(impersonateName, GSSName.NT_USER_NAME, KRB5_NAME_OID)
val self: ExtendedGSSCredential = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
    KRB5_NAME_OID, GSSCredential.INITIATE_ONLY).asInstanceOf[ExtendedGSSCredential]
println("######### IMPERSONATING: " + gssImpersonateName)
// The impersonated credential is then passed to createContext() in place of null, so that
// initSecContext() performs the S4U2Proxy request for the target service
val impersonated: GSSCredential = self.impersonate(gssImpersonateName).asInstanceOf[ExtendedGSSCredential]

Review: Constrained Delegation w/ Protocol Transition
- Constrained Delegation: Ability to delegate communication to a service to an intermediate entity (Eve, or Tableau Server)
- Protocol Transition: Ability to initiate impersonation of a user using a Service For User To Self (S4U2Self) call and a Service For User to Proxy (S4U2Proxy) call without the original user's password being used to retrieve a Ticket Granting Ticket
- Service Ticket (TGS): Contains the session key for communication between the Client and a Service (Database). This can only be decrypted by the Service
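The single-hop exchanges reviewed under "Review: Tickets and Keys Exchanged" and the S4U2Self / S4U2Proxy hop reviewed just above, as one runnable model. This is an added example written for this page, not code from the deck, from Tableau or from bageld: the principals (eve, fred, bageldb/alice), their passwords, the KDC class and the toy SHA-256/HMAC cipher are all constructed. The cipher only models who holds which key, and the two KDC settings (trusted_to_auth_for_delegation, allowed_to_delegate_to) stand for the two Active Directory delegation options the slides quote.

```python
import hashlib
import hmac
import json
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:  # toy cipher: SHA-256 keystream + HMAC tag, not for real use
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")  # "only you should be able to read this"
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:  # Microsoft Bob: every principal's key plus the delegation settings the domain admin sets
    def __init__(self):
        self.keys, self.krbtgt_key = {}, secrets.token_bytes(32)   # principal -> long-term key
        self.allowed_to_delegate_to = {}              # service -> targets ("delegation to specified services only")
        self.trusted_to_auth_for_delegation = set()   # services allowed protocol transition ("any authentication protocol")

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = hashlib.sha256(password.encode()).digest()  # stands in for string-to-key / keytab entry

    def _ticket(self, client, service, session_key, forwardable=True) -> bytes:
        body = {"client": client, "service": service, "session_key": session_key.hex(), "forwardable": forwardable}
        key = self.krbtgt_key if service == "krbtgt" else self.keys[service]
        return toy_encrypt(key, json.dumps(body).encode())  # sealed to the service, so opaque to the client

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: the TGT, plus the TGT session key sealed to the client's own key."""
        session_key = secrets.token_bytes(32)
        return self._ticket(client, "krbtgt", session_key), toy_encrypt(self.keys[client], session_key)

    def tgs_exchange(self, tgt, authenticator, service, for_user=None, evidence=None):
        """TGS-REQ/TGS-REP: plain request, S4U2Self (for_user) or S4U2Proxy (evidence ticket)."""
        tgt_body = json.loads(toy_decrypt(self.krbtgt_key, tgt))
        tgt_session = bytes.fromhex(tgt_body["session_key"])
        requester = toy_decrypt(tgt_session, authenticator).decode()  # proves possession of the TGT session key
        if requester != tgt_body["client"]:
            raise PermissionError("authenticator does not match the TGT")
        client, forwardable = requester, True
        if evidence is not None:                               # S4U2Proxy: evidence must be sealed to the requester
            ev = json.loads(toy_decrypt(self.keys[requester], evidence))
            if not ev["forwardable"]:
                raise PermissionError("evidence ticket is not forwardable")
            if service not in self.allowed_to_delegate_to.get(requester, set()):
                raise PermissionError(f"{requester} may not delegate to {service}")
            client = ev["client"]
        elif for_user is not None:                             # S4U2Self: a ticket to the requester itself
            service, client = requester, for_user
            forwardable = requester in self.trusted_to_auth_for_delegation  # no protocol transition: not forwardable
        session_key = secrets.token_bytes(32)
        return self._ticket(client, service, session_key, forwardable), toy_encrypt(tgt_session, session_key)

def get_service_ticket(kdc, user, tgt, tgt_session, service, **s4u):
    """KerberosClient.scala step: returns the service ticket and the session key that goes with it."""
    ticket, reply = kdc.tgs_exchange(tgt, toy_encrypt(tgt_session, user.encode()), service, **s4u)
    return ticket, toy_decrypt(tgt_session, reply)

def accept_ticket(service_key, ticket, authenticator) -> str:
    """bageld.c step (gss_accept_sec_context): returns the client name the database will act for."""
    body = json.loads(toy_decrypt(service_key, ticket))   # only Alice's key opens a ticket sealed to Alice
    who = toy_decrypt(bytes.fromhex(body["session_key"]), authenticator).decode()
    if who != body["client"]:
        raise PermissionError("authenticator does not match the ticket")
    return who

def run_demo() -> dict:
    kdc, out = KDC(), {}
    for name, pw in (("eve", "eve-pw"), ("fred", "fred-pw"), ("bageldb/alice", "alice-pw")):
        kdc.add_principal(name, pw)  # constructed principals and passwords
    alice_key = kdc.keys["bageldb/alice"]
    # Single hop: Eve logs in (Login.scala), gets a ticket for Alice, Alice accepts it
    tgt, reply = kdc.as_exchange("eve")
    tgt_session = toy_decrypt(hashlib.sha256(b"eve-pw").digest(), reply)  # only the password holder opens this
    ticket, svc_key = get_service_ticket(kdc, "eve", tgt, tgt_session, "bageldb/alice")
    out["single_hop"] = accept_ticket(alice_key, ticket, toy_encrypt(svc_key, b"eve"))
    try:
        toy_decrypt(tgt_session, ticket)
        out["eve_reads_ticket"] = True
    except ValueError:
        out["eve_reads_ticket"] = False  # the service ticket is opaque to Eve
    # Before the domain admin enables delegation for Eve, S4U2Self answers but S4U2Proxy is refused
    self_ticket, _ = get_service_ticket(kdc, "eve", tgt, tgt_session, "eve", for_user="fred")
    try:
        get_service_ticket(kdc, "eve", tgt, tgt_session, "bageldb/alice", evidence=self_ticket)
        out["unconfigured"] = "allowed"
    except PermissionError as err:
        out["unconfigured"] = str(err)
    # The two settings from the deck, then the full S4U2Self + S4U2Proxy hop; Alice now sees Fred
    kdc.trusted_to_auth_for_delegation.add("eve")
    kdc.allowed_to_delegate_to["eve"] = {"bageldb/alice"}
    self_ticket, _ = get_service_ticket(kdc, "eve", tgt, tgt_session, "eve", for_user="fred")
    proxy_ticket, proxy_key = get_service_ticket(kdc, "eve", tgt, tgt_session, "bageldb/alice", evidence=self_ticket)
    out["delegated"] = accept_ticket(alice_key, proxy_ticket, toy_encrypt(proxy_key, b"fred"))
    return out
```

Calling run_demo() gives "eve" for the single hop and "fred" for the delegated hop, with eve_reads_ticket False. The point worth taking from the model is that the KDC, not Eve, decides whether S4U2Proxy succeeds: until both settings are in place the S4U2Self ticket comes back without the forwardable flag and the proxy request is refused, which is why the deck says you need to file a ticket with the domain administrator before any of this works.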

Data Source OAuth

Tableau Data Source OAuth Implementations
- Legacy OAuth
- WDC OAuth
- GALOP OAuth
- Next* OAuth

OAuth Limitations
- Designed for Web Applications
- Requires an Accessible Callback Intermediary


18BI-113 Thank you!

Related Sessions
- Connecting to Datasources for Tableau Server on Linux: Thursday, October 12, 12:00pm to 1:00pm, South L3 Palm A
- Safeguard Your Data: Row Level Security: Thursday, October 12, 10:30am to 11:30am, South L2 Mandalay Bay G

Help us plan the future https://www.surveymonkey.com/r/tableaudatasurvey

Please complete the session survey from the Session Details screen in your TC18 app