Re: Kerberos Ticket User
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/27/05
- Next message: Ricky: "Failure Audit (eventid 577) and Remote Desktop"
- Previous message: Will: "Re: Kerberos Ticket User"
- In reply to: Will: "Re: Kerberos Ticket User"
- Next in thread: Joe Richards [MVP]: "Re: Kerberos Ticket User"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Apr 2005 12:16:34 -0500
Thanks for the extra info. Without knowing more about Proxy 2.0 I can't
think of a clear solution offhand. If you create an external trust between
the domains [versus a forest trust] then ntlm authentication will be used. I
don't know if that would work for you or not since your problem seems to be
with restrictions for the system account. There is a
Microsoft.public.sqlserver.security newsgroup where you may also want to
post to see if anyone there has worked with a similar scenario. --- Steve
"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:CICdnQnQ7qhrXPLfRVn-pw@giganews.com...
> I have an SQL Server application on the other side of the Proxy
> Server, and I want to use domain credentials of people logging in
> from behind the proxy. This requires that SQL Server be able to
> authenticate the Kerberos ticket it would be handed by those
> users. I was guessing that we had one of two choices:
>
> 1) Put domain behind and in front of proxy into a common forest,
> and then use a common domain above those two to validate users'
> kerberos tickets.
>
> 2) Have the two domains (currently in separate forests) implement
> a one way trust (the domain outside the proxy trusts the domain
> inside the proxy). But if we do this how does SQL Server on the
> outside of the proxy validate any Kerberos ticket it receives
> from users inside the proxy? The kerberos server outside the
> proxy has no way to directly contact the kerberos inside the
> proxy.
>
> In both cases, it's not clear how any service inside the proxy
> could ever exchange information with any service outside the
> proxy unless you could run the service inside the proxy with a
> user's credentials. Alternately you could expose the internal
> service through the proxy to the outside, using a special feature
> in proxy server, but that would be a horrible security violation
> to expose your most sensitive AD server behind a proxy to any
> connection from the outside.
>
> --
> Will
> Internet: westes at earthbroadcast.com
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:ek9SkzvSFHA.580@TK2MSFTNGP15.phx.gbl...
>> The link below and a paste from it explains more about the krbtgt.
>>
>> http://www.windowsitlibrary.com/Content/617/06/4.html
>>
>> The AS and TGS services share a secret that is derived from the password of
>> the krbtgt principal. The krbtgt principal is the security principal used by
>> the KDC; its master key will be used to encrypt the TGTs that are issued by
>> the KDC. The krbtgt account is created automatically when a Windows 2000
>> domain is created. It cannot be deleted or renamed. As with any other
>> account, its password is changed regularly. In the Windows 2000 Users and
>> Computers snap-in this account is always shown as disabled.
>>
>> I don't offhand know the answer to your Proxy 2.0 dilemma. What are you
>> trying to do that requires Kerberos? --- Steve
>>
>> "Will" <DELETE_westes@earthbroadcast.com> wrote in message
>> news:eNgaMmvSFHA.3344@TK2MSFTNGP12.phx.gbl...
>> > If you are not familiar with Microsoft Proxy Server 2.0, it has a
>> > mode where only domain accounts can get through the proxy.
>> > SYSTEM accounts are always forbidden from getting through the
>> > proxy.
>> >
>> > I need Kerberos tickets to pass out through the proxy. The only
>> > way I can think to make that happen is for the Kerberos ticket
>> > service to run as a domain account.
>> >
>> > Is there any way to run the Kerberos ticket server under the
>> > permissions of a specific domain user, or did Microsoft hack it
>> > in such a way that it must always run as SYSTEM?
>> >
>> > What is the purpose of the krbtgt account if it is always
>> > disabled?
>> >
>> > --
>> > Will
>> > Internet: westes at earthbroadcast.com
>> >
>> >
>> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> > news:e8jGVXvSFHA.2128@TK2MSFTNGP14.phx.gbl...
>> >> The krbtgt account is disabled by default and the system manages the
>> >> password. You do not, nor should you, reconfigure that account. I am not sure
>> >> exactly what you need to do but if it has to do with trusting user accounts
>> >> for delegation see the links below. --- Steve
>> >>
>> >> http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1050149,00.html#Delegation
>> >>
>> >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod19.asp
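As an added check that is not part of the thread, the PowerShell below reads the krbtgt state the thread describes (disabled, system-managed password) and lists the domain's trusts together with the authentication each one allows, since Steve notes that an external trust means NTLM while a forest trust allows Kerberos. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the 180-day password-age threshold is an assumed review value, not something from the thread.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KrbtgtReport {
    # MaxPasswordAgeDays is an assumed review threshold, not a Windows default.
    param([int]$MaxPasswordAgeDays = 180)

    $k   = Get-ADUser -Identity krbtgt -Properties Enabled, PasswordLastSet
    $age = (Get-Date) - $k.PasswordLastSet

    [pscustomobject]@{
        Account         = $k.SamAccountName
        Enabled         = $k.Enabled              # expected: False (always disabled)
        PasswordLastSet = $k.PasswordLastSet
        PasswordAgeDays = [int]$age.TotalDays
        # Flag an enabled krbtgt or a password older than the review threshold.
        NeedsAttention  = ($k.Enabled -or $age.TotalDays -gt $MaxPasswordAgeDays)
    }
}

function Get-TrustAuthReport {
    # Forest trusts (ForestTransitive) and intra-forest trusts carry Kerberos
    # referrals; a plain external trust falls back to NTLM, as the thread notes.
    Get-ADTrust -Filter * | ForEach-Object {
        $kerberosCapable = [bool]$_.ForestTransitive -or [bool]$_.IntraForest
        [pscustomobject]@{
            Partner      = $_.Target
            Direction    = $_.Direction           # Inbound / Outbound / BiDirectional
            ForestTrust  = [bool]$_.ForestTransitive
            IntraForest  = [bool]$_.IntraForest
            ExpectedAuth = if ($kerberosCapable) { 'Kerberos (NTLM fallback)' } else { 'NTLM only' }
        }
    }
}

Get-KrbtgtReport    | Format-List
Get-TrustAuthReport | Format-Table -AutoSize
```

A trust that reports `NTLM only` is the external-trust case Steve describes; converting it to a forest trust is what would let the SQL Server validate Kerberos tickets from the other domain.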