Question
I have an old application that we set up with delegation-based Kerberos. Everything with the application worked fine till we tried it out on one of our new Windows 10 machines.
After a while, we finally figured out that Credential Guard is not playing nice with this old application.
According to https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations
Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
We have to switch our implementation to use constrained Kerberos delegation. I'm at a bit of a loss on how to do that.
Our current SPNs are set against the web application name (Scenario 2 from this link - https://support.microsoft.com/en-ca/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on):
setspn -a http/WebSiteName webServerName
setspn -a http/WebSiteName.domain.com webServerName
The application only talks to Active Directory. No database is involved. The site is currently running the application pool with a domain account.
When I try commands like
$comp = Get-ADComputer DcOrAnotherComputer
Set-AdComputer -identity webServerName -PrincipalsAllowedToDelegateToAccount $comp
I get the following PowerShell error.
Set-AdComputer : The attribute cannot be modified because it is owned by the system
At line:2 char:1
+ Set-AdComputer -identity hql-dmeds01 -PrincipalsAllowedToDelegateToAccount $comp
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (hql-dmeds01:ADComputer) [Set-ADComputer], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8369,Microsoft.ActiveDirectory.Management.Commands.SetADComputer
I've boiled down the application to an example that works on Win7/Win2012 but not on Win10 with Credential Guard.
<%@ Language=VBScript %>
<%
' Create the ADO connection to Active Directory through the ADSI OLE DB provider.
' The query runs under the delegated identity of the browser user, which is why
' the page is a good test of whether Kerberos delegation to the DC works.
Set con = CreateObject("ADODB.Connection")
Set Com = CreateObject("ADODB.Command")
con.Provider = "ADsDSOObject"
con.Open "Active Directory Provider"
Set Com.ActiveConnection = con

' Build the LDAP search; a line continuation in VBScript needs a space before "_".
Dim ldapCall
ldapCall = "SELECT ADsPath, distinguishedName, displayName" & _
    " FROM '" & "LDAP://DC=mydomain,DC=com' " & _
    " WHERE objectClass = 'group' AND name = 'SomeTestGroupName'" & _
    " ORDER BY displayName "
'Response.Write ldapCall

' Execute the search call and report whether any row came back.
Com.CommandText = ldapCall
Set rs = Com.Execute
If Not rs.EOF Then
    Response.Write "SomethingHappened<br />"
Else
    Response.Write "Why don't you work???"
End If
%>
Update 1 - Answer to T-Heron's question. Here are the results of doing
setspn -q http/WebSiteName.domain.com
Checking domain DC=Mydomain
no such SPN found.
If I do
setspn -q http/WebSiteName - I get the following
Checking domain DC=Mydomain
CN=Webserver,OU=OuLocation,DC=MyDomain
http/WebSite.myDomain
http/WebSite
CmRcService/Webserver
CmRcService/Webserver.myDomain
WSMAN/Webserver.myDomain
TERMSRV/Webserver.myDomain
RestrictedKrbHost/Webserver.myDomain
HOST/Webserver
WSMAN/WSMAN/Webserver
TERMSRV/WSMAN/Webserver
RestrictedKrbHost/WSMAN/Webserver
HOST/Webserver
Update 2 - the reason the -q in update 1 didn't work was that the SPN was set to http/WebsiteName.domain.com and not http/WebsiteName.a.b.domain.com (which is what I was trying).
So all the -q commands work now. But the problem persists.
Here's the screenshot of the delegation tab.
Update 3 -
Here's a new picture of the delegation tab. I tried it both with "Use Kerberos Only" and "Use any authentication protocol" after doing an IISReset; I get the same issue. (I added the web server when I pressed the "Add" button. In the picture, the red boxes were entries with the webServerName; the orange boxes were entries with the SPN set up (beside HTTP - service type).)
Answer 1:
OK, so I was able to get the test page above to finally work. T-Heron's comments were on point; I just added the wrong services to delegate.
Once I added the ldap service from the domain controller then the test page started working.
(Our domain controllers had 2 ldap services. One with a guid and one with the domain name. I chose the domain one).
Update 1 - the testing for the solution was initially done on Win2k8. Doing the same on Win2k12 didn't work.
I ended up having to change my application pool to the built-in ApplicationPoolId (or localsystem) to have it work.
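The configuration the question and answer converge on (HTTP SPNs on the account IIS runs as, unconstrained delegation off, delegation restricted to the domain controller's LDAP service) as a PowerShell example added here; it is not code from the question or the answer, and every host, account and domain name in it is a placeholder. It uses classic, account-based constrained delegation (the msDS-AllowedToDelegateTo attribute that the "Delegation" tab writes) rather than the resource-based PrincipalsAllowedToDelegateToAccount the question tried, because the resource-based form requires Windows Server 2012 or later domain controllers and the answer's testing was on Windows 2008. The delegation attributes have to sit on the account that owns the site's HTTP SPN: with ApplicationPoolIdentity or LocalSystem that is the computer account, which matches the answer's last update; if the pool runs as a domain user, the same attributes go on that user with Set-ADUser and Set-ADAccountControl instead.

```powershell
# Added example: constrained delegation for an IIS host, not code from the
# original question or answer. All names below are placeholders.
Import-Module ActiveDirectory

$WebHost = 'WebServer'              # placeholder: IIS machine name
$WebAcct = "$WebHost`$"             # computer account sAMAccountName (trailing $)
$Dc      = 'DC01'                   # placeholder: domain controller the site queries
$Domain  = 'mydomain.com'           # placeholder: DNS domain name

# 1. The HTTP SPNs must be registered on the account IIS authenticates as. With a
#    built-in pool identity that is the computer account; also check for duplicates,
#    since a duplicate SPN silently breaks Kerberos and falls back to NTLM.
setspn -L $WebHost
setspn -X

# 2. Unconstrained delegation is what Credential Guard refuses; make sure it is off.
Set-ADAccountControl -Identity $WebAcct -TrustedForDelegation $false

# 3. Constrained delegation: allow the web server to obtain LDAP tickets for the
#    DC only. A DC registers both ldap/<host> and ldap/<host>.<domain>; the answer
#    chose the domain-name form over the GUID-based one.
$ldapTargets = @("ldap/$Dc", "ldap/$Dc.$Domain")
Set-ADComputer -Identity $WebAcct -Add @{ 'msDS-AllowedToDelegateTo' = $ldapTargets }

# 4. "Use Kerberos only" leaves protocol transition off, so the browser must reach
#    IIS with Kerberos, not NTLM. Set this to $true only if you really need
#    "Use any authentication protocol".
Set-ADAccountControl -Identity $WebAcct -TrustedToAuthForDelegation $false

# 5. Verify the resulting state before running an IISReset.
Get-ADComputer -Identity $WebAcct -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Run it as a domain administrator on a machine with the ActiveDirectory module installed. The final query is the check to keep for later: TrustedForDelegation should read False, and msDS-AllowedToDelegateTo should list only the LDAP SPNs of the DCs the application actually talks to.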
Source: https://stackoverflow.com/questions/50535093/switching-application-to-use-constraint-based-kerberos