Kerberos, delegation and how to do this correctly?

眼角桃花 2021-01-02 05:46

I've got two separate homemade applications that need to communicate among themselves. One is a frontend application (asp.net actually), the other is a backend interface to

3 answers
  • 2021-01-02 06:05

    Here is a post describing how Kerberos works and how to set it up.

    ASP.NET passing along Windows Authentication credentials

  • 2021-01-02 06:13

    Actually, Kerberos delegation is designed exactly for this use case. But the challenge here is to craft this on a legacy system and with AD settings that you do not want to change.

    One possible hack is to have the Front End just send the user and the time of authentication, and the backend can query the Active Directory Event Logs to determine whether that user has authenticated to the Front End. This requires you to use the Windows Event Log API and also play around with Event Log settings in AD to log the issue of service tickets. (My recollection is that this is the default.)

  • I'm not clear on what you can and can't do with your use case, but I can answer the question of what Kerberos Delegation was meant for.

    First let's talk about what Kerberos does prior to delegation. It is important to understand this part well because it is subtle.

    Kerberos authenticates the identity of BOTH ends of a communication between two end-points across a network; those end-points can be interactive users or services running on a computer.

    This is strong authentication, so it will not allow a man-in-the-middle attack in any form. If set up correctly, an end point can guarantee they won't be compromised, to the level of the service name (if you are connecting to IIS on a machine, it is different than connecting to SQL Server on the same machine). It makes heavy use of modern encryption techniques and requires the use of secure certificates. The details of the authentication protocol are complicated and not worth going into now, but it involves about 20 different distinct steps of confirmation between the two authenticating end points and the authentication server (in Windows, the Domain Controller is the authentication server).

    So what the heck is delegation?

    Delegation is a Microsoft extension to the Kerberos standard which allows a trusted source to continue the authentication to another end-point.

    This allows you to act as a "man in the middle" -- however, many settings have to be explicitly set up, certificates installed, etc. to allow this to work. It is far from simple. (EDIT: Here is another SO answer on the details - https://stackoverflow.com/a/954154/215752)

    So, for example, you could have someone authenticate to a website and then have the .NET code connect to an SQL Server AS THE SAME USER to read data with that user's rights.


    Now to answer your question, since I'm not sure what you want to do I present three choices:

    1) You want to connect to the back end system as the SAME user as the one authenticating at the website.

    • In this case Kerberos delegation is perfect -- it does exactly what you want.

    2) You want to connect to the back end system as a DIFFERENT user than the one authenticating at the website (e.g. a service account).

    • In this case you don't want delegation. Kerberos to the website and Kerberos (as a different user) to the back-end will work great.

    3) You want to connect to the back end system as the SAME user some of the time and as a DIFFERENT user other times. (For example, you need to validate this is a legal user for the back end system, but want to perform trusted actions as a system account other times. This is (in my experience) the most common use case.)

    • In this case you use both: delegation for the connections which need to validate the user identity, and then revert to the service account identity for the times when you need system access to the back end. (A previous question of mine went into the details of how to revert to the system identity on the .NET platform; see How to "un-impersonate" (un-delegate?) in Kerberos.)
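The "both" case (choice 3) in the answer above, as an added example that is not part of the original thread: one back-end call made as the authenticated website user, one as the service account. It assumes classic ASP.NET (System.Web) with Windows Authentication, `<identity impersonate="false" />`, and delegation already configured in AD; the class name, server name and database are hypothetical placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public static class BackendAccess   // hypothetical helper, not from the thread
{
    // Placeholder connection string. With Integrated Security, SQL Server sees
    // whichever Windows identity the calling thread is running as.
    private const string ConnStr =
        "Server=backend.example.internal;Database=AppDb;Integrated Security=SSPI";

    // Second hop as the SAME user who authenticated to the website.
    public static string LoginSeenAsCaller(HttpContext ctx)
    {
        var caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Request is not Windows-authenticated.");

        string seen;
        // Dispose() undoes the impersonation even if the query throws, so the
        // thread never stays in the user's identity past this block.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            // If delegation is not in effect, this usually fails at Open() with
            // a login error for an anonymous logon instead of the user.
            seen = QueryLogin();
        }

        // Check that the back end really saw the caller, not another identity.
        if (!string.Equals(seen, caller.Name, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "Back end saw '" + seen + "', expected '" + caller.Name + "'.");
        return seen;
    }

    // Second hop as the service (app pool) account: no impersonation in effect.
    public static string LoginSeenAsService()
    {
        return QueryLogin();
    }

    // SUSER_SNAME() returns the login name SQL Server assigned to this connection.
    private static string QueryLogin()
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}
```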