Kerberos Delegation - Ondrej Sevecek's Blog


GOPAS
TECHED 2012
Ing. Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security |
[email protected] | www.sevecek.com |
KERBEROS DELEGATION
Basic Delegation
[Diagram: the client sends its password to the Front-End Server (Basic authentication); the front-end uses that password to obtain TGT: User from the DC, then requests TGS: Back-End and presents it to the Back-End Server as the user.]
Kerberos Delegation Options
- Unconstrained Delegation
  - DFL Windows 2000 (domain functional level)
  - to any back-end service
  - user "knows" about it: the client has to obtain a forwardable TGT and send it to the front-end, which then uses it as the user
- Constrained Delegation
  - DFL Windows 2003
  - to listed back-end SPNs only (msDS-AllowedToDelegateTo on the front-end account)
  - user does not know about it: the front-end gets the back-end ticket from the DC by S4U2Proxy, the client forwards nothing
- Constrained Delegation with Protocol Transition
  - as above, plus the front-end may request a ticket for any user by S4U2Self, even if that user never authenticated to it with Kerberos
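Added example, not from Ondřej Ševeček's slides: the three delegation modes above correspond to two userAccountControl bits plus the msDS-AllowedToDelegateTo attribute on the front-end account. The script below reads and sets them with the ActiveDirectory module. The account name svc-frontend and the back-end SPN MSSQLSvc/sql01.corp.example:1433 are assumed placeholders.

```powershell
# Added example (not from the original slides): put a front-end service account
# into one of the three delegation modes with the ActiveDirectory module.
# Assumed names: service account 'svc-frontend', back-end SPN
# 'MSSQLSvc/sql01.corp.example:1433'. Replace with your own.
Import-Module ActiveDirectory

# userAccountControl bits behind the "Delegation" tab checkboxes
$TRUSTED_FOR_DELEGATION         = 0x00080000  # unconstrained
$NOT_DELEGATED                  = 0x00100000  # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition ("use any authentication protocol")

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $o = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
                      -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$o.userAccountControl
    [pscustomobject]@{
        Account             = $SamAccountName
        Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        NotDelegated        = [bool]($uac -band $NOT_DELEGATED)
        AllowedToDelegateTo = @($o.'msDS-AllowedToDelegateTo')   # empty for unconstrained
    }
}

function Set-FrontEndDelegation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Unconstrained','Constrained','ProtocolTransition')]
        [string]$Mode,
        [string[]]$BackEndSpn   # required for the two constrained modes
    )
    $o  = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties 'msDS-AllowedToDelegateTo'
    $dn = $o.DistinguishedName
    switch ($Mode) {
        'Unconstrained' {
            # DFL 2000: any back-end service; the client must send a forwarded TGT
            Set-ADAccountControl -Identity $dn -TrustedForDelegation $true -TrustedToAuthForDelegation $false
            if ($o.'msDS-AllowedToDelegateTo') { Set-ADObject -Identity $dn -Clear 'msDS-AllowedToDelegateTo' }
        }
        'Constrained' {
            # DFL 2003: only the listed SPNs, only for clients that authenticated with Kerberos (S4U2Proxy)
            if (-not $BackEndSpn) { throw 'Constrained delegation needs at least one back-end SPN' }
            Set-ADAccountControl -Identity $dn -TrustedForDelegation $false -TrustedToAuthForDelegation $false
            Set-ADObject -Identity $dn -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpn }
        }
        'ProtocolTransition' {
            # same SPN list, plus S4U2Self: tickets for users who never sent Kerberos to the front-end
            if (-not $BackEndSpn) { throw 'Protocol transition needs at least one back-end SPN' }
            Set-ADAccountControl -Identity $dn -TrustedForDelegation $false -TrustedToAuthForDelegation $true
            Set-ADObject -Identity $dn -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpn }
        }
    }
    Get-DelegationState -SamAccountName $SamAccountName
}

# Usage: constrained delegation with protocol transition to one SQL back-end
Set-FrontEndDelegation -SamAccountName 'svc-frontend' -Mode ProtocolTransition `
                       -BackEndSpn 'MSSQLSvc/sql01.corp.example:1433'
```

Get-DelegationState is also a quick audit: any account other than a domain controller reporting Unconstrained = True deserves a look, because a forwarded TGT from a privileged user landing on that host is a full credential compromise.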
Kerberos Delegation
(Simplified)
[Diagram: the client obtains TGS: Front-End from the DC and presents it to the Front-End Server; the Front-End Server then sends either TGT: User (unconstrained, forwarded TGT) or its own TGS: Front-End as evidence (constrained, S4U2Proxy) to the DC, receives TGS: Back-End, and presents it to the Back-End Server.]
AD Delegation Requirements
- Front-end account must be able to read the tokenGroups and tokenGroupsGlobalAndUniversal attributes of the user
  - membership in Windows Authorization Access Group grants that read
  - the group was added by the Windows Server 2003 schema update
- User account must have delegation enabled
  - i.e. not marked "Account is sensitive and cannot be delegated" (NOT_DELEGATED in userAccountControl)
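Added example, not from the original slides: a check for the two prerequisites on this slide, written with the ActiveDirectory module. The account names svc-frontend and kamil are assumed placeholders; for a front-end running as Network Service pass the computer account (e.g. WEB01$) as the front-end.

```powershell
# Added example (not from the original slides): verify the AD prerequisites for
# delegation. Assumed names: front-end service account 'svc-frontend', user 'kamil'.
Import-Module ActiveDirectory

function Test-DelegationPrerequisites {
    param(
        [Parameter(Mandatory)][string]$FrontEndAccount,  # sAMAccountName; 'WEB01$' for a computer account
        [Parameter(Mandatory)][string]$UserAccount       # sAMAccountName of the user to be delegated
    )

    # 1. The front-end must be able to read tokenGroups / tokenGroupsGlobalAndUniversal on the user.
    #    Windows Authorization Access Group (WAAG) carries that permission; nested membership counts.
    $fe          = Get-ADObject -Filter "sAMAccountName -eq '$FrontEndAccount'" -Properties objectSid
    $waagMembers = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive
    $inWaag      = [bool]($waagMembers | Where-Object { $_.SID -eq $fe.objectSid })

    # 2. The user must not be flagged "Account is sensitive and cannot be delegated".
    #    AccountNotDelegated is the cmdlet view of the NOT_DELEGATED (0x100000) bit.
    $user        = Get-ADUser -Identity $UserAccount -Properties AccountNotDelegated, userAccountControl
    $notDelegated = [bool]$user.AccountNotDelegated
    $rawBitSet    = [bool]([int]$user.userAccountControl -band 0x100000)   # same answer from the raw bit

    [pscustomobject]@{
        FrontEnd            = $FrontEndAccount
        FrontEndInWAAG      = $inWaag
        User                = $UserAccount
        UserIsSensitive     = $notDelegated
        RawNotDelegatedBit  = $rawBitSet
        AllPrerequisitesMet = ($inWaag -and -not $notDelegated)
    }
}

# Remediation when a check fails (run with sufficient rights):
#   Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members 'svc-frontend'
#   Set-ADAccountControl -Identity 'kamil' -AccountNotDelegated $false
Test-DelegationPrerequisites -FrontEndAccount 'svc-frontend' -UserAccount 'kamil'
```

The "sensitive" flag is the one control the user side has against delegation; keep it set on administrative accounts and treat a request to clear it for such an account as a design smell rather than a fix.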
Protocol Transition Requirements
- Protocol Transition requires Act as part of the operating system (SeTcbPrivilege) on the front-end: without it the S4U2Self logon still succeeds, but the resulting token is only identification level and cannot be used to reach the back-end
- Protocol Transition requires the front-end's resource domain to be the user's account domain
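Added example, not from the original slides: the SeTcbPrivilege requirement is easiest to see by performing the S4U2Self logon from the front-end yourself. The WindowsIdentity(upn) constructor does exactly that (an S4U logon through LSA), and the ImpersonationLevel of the result tells you whether the token is usable. The UPN kamil@corp.example is an assumed placeholder.

```powershell
# Added example (not from the original slides): exercise S4U2Self from the
# front-end process and report whether the token could be used for delegation.
# Assumed UPN: kamil@corp.example (a user in the front-end's own domain).
function Test-ProtocolTransition {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Does this process hold "Act as part of the operating system"?
    # whoami /priv lists SeTcbPrivilege only when it is in the token.
    $hasTcb = [bool]((whoami /priv) -match '^SeTcbPrivilege')

    # WindowsIdentity(upn) performs an S4U logon (KERB_S4U_LOGON via LsaLogonUser):
    # the DC issues a service ticket for the user to ourselves, i.e. S4U2Self.
    $id = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)

    # Without SeTcbPrivilege the token comes back at Identification level: good for
    # authorization checks, useless for impersonating towards a back-end.
    $usable = ($id.ImpersonationLevel -eq [System.Security.Principal.TokenImpersonationLevel]::Impersonation)

    [pscustomobject]@{
        User               = $id.Name
        HasSeTcbPrivilege  = $hasTcb
        ImpersonationLevel = $id.ImpersonationLevel
        UsableForBackEnd   = $usable
        GroupCount         = $id.Groups.Count   # needs read of tokenGroupsGlobalAndUniversal (WAAG)
    }
}

Test-ProtocolTransition -UserPrincipalName 'kamil@corp.example'
```

Run it once as an ordinary account (ImpersonationLevel comes back as Identification) and once from a process that holds the privilege, such as LocalSystem or an IIS application pool whose account was granted it (Impersonation). Granting SeTcbPrivilege is granting the ability to become any user in the domain from that host, so the front-end hosting it must be protected accordingly.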
Kerberos with IIS 7+
- Providers: the order of Negotiate and NTLM in windowsAuthentication/providers; Negotiate must be listed first or clients fall back to NTLM
- Kernel Mode Authentication (useKernelMode): http.sys decrypts the ticket with the machine account's key, so the HTTP SPN must sit on the computer account
  - SharePoint does not support it
- useAppPoolCredentials: with kernel mode and a custom application pool identity, decrypt with the pool account's key instead (the SPN then belongs to the pool account)
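Added example, not from the original slides: the three IIS settings above as a WebAdministration script, with the matching SPN registration. Site name Intranet, pool account CORP\svc-web and host name intranet.corp.example are assumed placeholders.

```powershell
# Added example (not from the original slides): Kerberos settings for an IIS 7+
# site with the WebAdministration module. Assumed: site 'Intranet', application
# pool identity CORP\svc-web, host name intranet.corp.example.
Import-Module WebAdministration

$site     = 'Intranet'
$poolUser = 'CORP\svc-web'
$hostName = 'intranet.corp.example'
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$psPath   = 'IIS:\'

# Windows authentication on, with Negotiate (Kerberos) before NTLM.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name enabled -Value $true
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$filter/providers" -Name '.' -AtElement @{ value = $p }
}
foreach ($p in 'Negotiate', 'NTLM') {
    Add-WebConfigurationProperty    -PSPath $psPath -Location $site -Filter "$filter/providers" -Name '.' -Value @{ value = $p }
}

# Kernel-mode authentication decrypts the ticket with the machine account key.
# With a custom pool identity that owns the SPN, keep kernel mode but switch the
# key to the pool account (useAppPoolCredentials). For SharePoint, which does not
# support kernel mode, set useKernelMode to $false instead.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name useKernelMode         -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter -Name useAppPoolCredentials -Value $true

# The SPN must be on the account whose key decrypts the ticket: the pool account here.
# -S refuses to create a duplicate SPN, which would otherwise break Kerberos silently.
setspn -S "HTTP/$hostName" $poolUser

# Verify
Get-WebConfiguration -PSPath $psPath -Location $site -Filter $filter |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
Get-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$filter/providers" -Name Collection |
    Select-Object value
```

A mismatch between the SPN owner and the decrypting key (SPN on the pool account, useAppPoolCredentials left at false) shows up on the client as a 401 after a Negotiate attempt and in the server's Security log as a Kerberos ticket that could not be decrypted; check those two places before touching anything else.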
Protocol Transition
[Diagram: the client sends nothing Kerberos-related to the Front-End Server (any other authentication); the Front-End Server asks the DC for a ticket on behalf of user Kamil (S4U2Self) and then for TGS: Back-End (S4U2Proxy), which it presents to the Back-End Server.]
THANK YOU!