Re: Kerberos with Windows Integrated authentication
- From: "DTUser" <dtuser@xxxxxxxxx>
- Date: Fri, 2 Jan 2009 23:13:46 -0000
Lobezno,
My comments below:
Question 1: Roughly speaking, the HTTP server (IIS in your case) uses the WWW-Authenticate header to send messages to the authenticating client, while the client uses the Authorization header to send authentication messages to the server. Client-initiated messages are certainly different from server replies: in the case of Kerberos for example, the client will include an SPNEGO (MS Negotiate) message and a Kerberos AP_REQ blob, while the server will reply with an SPNEGO (MS Negotiate) message containing an AP_REP blob. AP_REQ is different from AP_REP: AP_REQ is opaque to the client, and authenticates the client to the server; AP_REP authenticates the server back to the client by demonstrating that the server can decrypt the client message, and encrypt a timestamp (to prevent replays).
Question 2: AS_REQ/AS_REP, as well as TGS_REQ/TGS_REP, are not expected messages at this stage: they will typically be cached for a predetermined period of time (often 24 hours). Have you got a capture file that supports this observation?
Question 3: If the authentication protocol is Kerberos (and not Basic), the client does NOT reuse the Authorization header as such; if the Authorization header could be reused by the client, then a potential attacker would be able to capture HTTP traffic between the client and the server, and impersonate the user. The Authorization header contains an Authenticator blob, which among other fields contains the current time and a sequence number, encrypted in the session key (for the session between the client and the server). The Authenticator blob is therefore unique every time the Kerberos client sends a new AP_REQ message to the server. The AP_REP is unique as well: the server replies with the client time and microseconds, as well as potentially with a new session key to be used for the client request.
Have a look on http://www.iamechanics.com for more details on user identification and authentication.
--
HTH.
Regards,
Dob
Want to know more about identity and access management? Visit http://www.iamechanics.com.
"lobezno" <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0D3FA87B-625C-4A3A-A252-709EF537C49A@xxxxxxxxxxxxxxxx
Hi,
I need help with Kerberos and Windows integrated security.
My system is:
All the servers and clients are in the same domain with the same OS: Windows
Server 2003 Enterprise R2 SP2
Domain controller, IIS, Client.
Internet Explorer 6 SP2
I open IE 6 and request a page. The resource is protected (using Windows
Integrated Authentication, with no anonymous allowed). The login screen prompts
me. I put in
a valid login and pwd, and I get the page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
----------
Question 1: in the OK response, how does the IIS server generate the
WWW-Authenticate header? I thought that it should be the same value that the
client sends to the server
in its Authorization header.
Let's follow. I press F5 and reload the page. Obviously I don't need to put in
my login/pwd again and I get the same page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
Question 2: Why does the next request not have an Authorization header and reuse the
token? Why does it need to get a new ticket from the KDC??
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
Question 3: The last request/response has the same header values as the first.
It seems that the client "reuses" the ticket. But, if this is true, why does it need the
(AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again?? Why, when I press F5, is the
client request not directly:
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
----------
Any help will be gratefully received.
Thanks a lot.
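Question 1 turns on the fact that the two Negotiate values in the trace are different structures. The script below is an added example (not code from either poster) that decodes only the leading DER bytes of a Negotiate header value and reports what it is: the `YIIEnQYGKw...` value decodes to a GSS-API InitialContextToken whose mechanism OID is SPNEGO, while the `oYGfMIGcoA...` value decodes to a SPNEGO NegTokenResp. The entries in `SAMPLES` other than the two taken from the trace are constructed, and the function and dictionary names are assumptions of this example.

```python
"""Classify the blob in an HTTP Negotiate header from its leading DER bytes.

Added example, not code from the thread.  Only the outer structure is
decoded, which is enough to tell the two header values in the capture apart:
  0x60  GSS-API InitialContextToken (client -> server, Authorization header);
        the OID that follows names the mechanism, normally SPNEGO
  0xa1  SPNEGO NegTokenResp (server -> client, WWW-Authenticate header);
        carries negState and, on success, the Kerberos AP_REP
  NTLMSSP + NUL byte: an NTLMSSP message, i.e. Negotiate fell back to NTLM
Cut-off values (the capture shows "[truncated] ...") are classified from
the bytes that are present and flagged as truncated.
"""
import base64

MECH_OIDS = {                                    # DER-encoded OID -> name
    bytes.fromhex("2b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5 1.2.840.113554.1.2.2",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5 1.2.840.48018.1.2.2",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify(header_value: str) -> dict:
    """Return scheme, kind and truncation flag for one Negotiate header value."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.rstrip(".")                    # drop the capture's "..." marker
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    info = {"scheme": scheme, "truncated": False, "kind": "unknown"}
    if not raw:
        info["kind"] = "empty token"
        return info
    if raw.startswith(b"NTLMSSP\x00"):
        info["kind"] = "NTLMSSP message (NTLM fallback, not Kerberos)"
        return info
    try:
        if raw[0] == 0x60:                       # [APPLICATION 0] InitialContextToken
            _, i = _der_len(raw, 1)
            if raw[i] != 0x06:
                info["kind"] = "InitialContextToken without mechanism OID"
                return info
            oid_len, j = _der_len(raw, i + 1)
            oid = raw[j:j + oid_len]
            if len(oid) < oid_len:               # OID cut off: match on the prefix
                info["truncated"] = True
                names = [n for enc, n in MECH_OIDS.items() if enc.startswith(oid)]
            else:
                names = [MECH_OIDS.get(oid, "unknown OID " + oid.hex())]
            info["kind"] = "InitialContextToken, mech " + "/".join(names)
        elif raw[0] == 0xA1:                     # [1] NegTokenResp
            info["kind"] = "SPNEGO NegTokenResp (server reply)"
            _, i = _der_len(raw, 1)
            _, i = _der_len(raw, i + 1)          # inner SEQUENCE
            if raw[i] == 0xA0 and raw[i + 2] == 0x0A:   # [0] negState ENUMERATED
                info["negState"] = NEG_STATE.get(raw[i + 4], "unknown")
    except IndexError:                           # ran off the end of a cut-off value
        info["truncated"] = True
    return info


SAMPLES = {
    # the two truncated values from the captured trace
    "trace_authorization": "Negotiate YIIEnQYGKw......",
    "trace_www_authenticate": "Negotiate oYGfMIGcoA......",
    # constructed minimal tokens, not from the capture
    "spnego_init": "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode(),
    "accept_completed": "Negotiate " + base64.b64encode(bytes.fromhex("a1073005a0030a0100")).decode(),
    "ntlm_type1": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:24s} {classify(value)}")
```

The NTLMSSP check is the one a defender most often wants from this kind of script: a `Negotiate` header that starts with `TlRMTVNTUAA` means the browser fell back to NTLM rather than using Kerberos, which is easy to miss when only the scheme name is logged.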
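Questions 1 and 3 come down to what the Authorization header proves and why it cannot simply be replayed. The following added example (not code from the thread) models the exchange the reply describes: the client sends the opaque ticket plus an authenticator carrying ctime/cusec and a sequence number encrypted in the session key; the server checks clock skew and a replay cache, then proves it holds the session key by echoing ctime/cusec in an AP_REP. The cipher here is a toy HMAC-based stand-in rather than a Kerberos enctype, `issue_ticket` stands in for the TGS, and the `Client`, `Server` and `demo` names, keys and principal are all constructed for this example.

```python
"""Toy model of the Kerberos AP_REQ / AP_REP exchange behind HTTP Negotiate.

Added example, not code from the thread.  encrypt()/decrypt() are a stand-in
(HMAC-SHA256 keystream plus an HMAC tag), not a Kerberos RFC 3961 enctype,
and issue_ticket() stands in for the TGS.  The structure is the point: a fresh
authenticator per request, a server-side skew check and replay cache, and an
AP_REP that echoes ctime/cusec under the session key.
"""
import hashlib, hmac, json, os, time

MAX_SKEW_SECONDS = 300        # Kerberos' default clock-skew tolerance (5 minutes)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered blob)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def issue_ticket(service_key: bytes, cname: str, session_key: bytes) -> bytes:
    """Stand-in for the TGS: the service ticket is opaque to the client."""
    return encrypt(service_key, json.dumps({"cname": cname, "skey": session_key.hex()}).encode())

class Client:
    def __init__(self, cname: str, ticket: bytes, session_key: bytes):
        self.cname, self.ticket, self.session_key = cname, ticket, session_key
        self.seq, self.last_auth = 0, None

    def ap_req(self, now: float) -> dict:
        """Fresh authenticator on every request: new ctime/cusec and seq number."""
        self.seq += 1
        self.last_auth = {"cname": self.cname, "ctime": int(now),
                          "cusec": int((now % 1) * 1_000_000), "seq": self.seq}
        return {"ticket": self.ticket,
                "authenticator": encrypt(self.session_key, json.dumps(self.last_auth).encode())}

    def check_ap_rep(self, ap_rep: bytes) -> bool:
        """The server is authentic iff it echoed our ctime/cusec under the session key."""
        rep = json.loads(decrypt(self.session_key, ap_rep))
        return (rep["ctime"], rep["cusec"]) == (self.last_auth["ctime"], self.last_auth["cusec"])

class Server:
    def __init__(self, service_key: bytes):
        self.service_key = service_key
        self.replay_cache = {}            # (cname, ctime, cusec) -> expiry time

    def accept(self, ap_req: dict, now: float):
        """Verify an AP_REQ; return (authenticated cname, AP_REP) or raise ValueError."""
        ticket = json.loads(decrypt(self.service_key, ap_req["ticket"]))
        skey = bytes.fromhex(ticket["skey"])
        auth = json.loads(decrypt(skey, ap_req["authenticator"]))
        if auth["cname"] != ticket["cname"]:
            raise ValueError("authenticator principal does not match ticket")
        if abs(now - auth["ctime"]) > MAX_SKEW_SECONDS:
            raise ValueError("clock skew too great")
        self.replay_cache = {k: exp for k, exp in self.replay_cache.items() if exp > now}
        key = (auth["cname"], auth["ctime"], auth["cusec"])
        if key in self.replay_cache:
            raise ValueError("replay detected")
        self.replay_cache[key] = now + MAX_SKEW_SECONDS
        ap_rep = encrypt(skey, json.dumps({"ctime": auth["ctime"], "cusec": auth["cusec"]}).encode())
        return auth["cname"], ap_rep

def demo() -> dict:
    """Two page loads with the same ticket, then the first request presented again."""
    service_key, session_key = os.urandom(32), os.urandom(32)     # constructed keys
    cname = "user@EXAMPLE.LOCAL"                                  # constructed principal
    client = Client(cname, issue_ticket(service_key, cname, session_key), session_key)
    server = Server(service_key)
    t0 = time.time()
    req1 = client.ap_req(t0)
    who1, rep1 = server.accept(req1, t0)
    server_ok = client.check_ap_rep(rep1)
    req2 = client.ap_req(t0 + 1.5)                 # F5: same ticket, new authenticator
    who2, _ = server.accept(req2, t0 + 1.5)
    try:
        server.accept(req1, t0 + 2.0)              # a copied header presented a second time
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    return {"first": who1, "second": who2, "server_authenticated": server_ok,
            "authenticators_differ": req1["authenticator"] != req2["authenticator"],
            "replay": replay}

if __name__ == "__main__":
    print(demo())
```

Run as a script it shows the three outcomes the reply predicts: both page loads authenticate with the same ticket but different authenticators, the client can verify the AP_REP, and a second presentation of the first request is refused by the replay cache. The skew window and the cache expiry are tied together deliberately: an authenticator older than the skew window is rejected outright, so the cache only needs to remember entries for that long.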