Re: Kerberos with Windows Integrated authentication
- From: lobezno <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 7 Jan 2009 03:45:01 -0800
YES!! It works!!
Thanks a lot, Dob.
Best regards!
"Dob Todorov" wrote:
Lobezno,
Received - thanks.
You are right - there are separate TGS_REQ/REPs and AS_REQ/REPs for all the
HTTP GET requests.
I tested a similar scenario in my home lab, and it seems that you get that
behaviour if your Web server is in the client browser's Internet zone. If
you add the server to the Local intranet zone (either explicitly, or by
referencing it by computer name rather than FQDN), the browser will request
one Kerberos ticket for an HTTP resource (HTTP/servername), which is visible
in KerbTray, and is also reused for subsequent requests.
Obviously, if you want to use Kerberos for authentication, you will either
be accessing servers that reside in your own realm (domain), or in trusted
realms (domains), and not just any server on the Internet. Servers from your
own and trusted realms will typically be in your Local intranet zone, so in
most situations you will experience the expected behaviour.
Nice observation though - thanks for bringing it to our attention.
HTH.
Regards,
Dob
Want to know more about identity and access management? Visit
http://www.iamechanics.com.
"lobezno" <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A0EF9EB3-32CC-4FBB-91BC-A4B329C3F057@xxxxxxxxxxxxxxxx
I did it!!
If you don't receive it, please email me: lumalop[at]yahoo.es
Thanks !!!
"DTUser" wrote:
Lobezno,
You can send me a capture, sure. Please provide me with your e-mail address
via the contact page on my Web site - http://www.iamechanics.com.
Thanks.
Regards,
Dob
"lobezno" <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E51053E3-F5F1-4912-A603-FD127C824A4A@xxxxxxxxxxxxxxxx
Hi Dob,
Thanks for your reply.
Questions 1 and 3 are clear. Sorry for my stupid questions. I've learned a lot
in the last hours.
But about question 2, yes! I see this behavior using Wireshark. Each time I
press F5 in IE, I obtain the same cycle. It seems like there is no cache.
Why??
Can I send you a capture??
Thanks again,
Best regards.
"DTUser" wrote:
Lobezno,
My comments below:
Question 1: Roughly speaking, the HTTP server (IIS in your case) uses the
WWW-Authenticate header to send messages to the authenticating client, while
the client uses the Authorization header to send authentication messages to
the server. Client initiated messages are certainly different from server
replies: in the case of Kerberos for example, the client will include an
SPNEGO (MS Negotiate) message and a Kerberos AP_REQ blob, while the server
will reply with an SPNEGO (MS Negotiate) message containing an AP_REP blob.
AP_REQ is different from AP_REP: AP_REQ is opaque to the client, and
authenticates the client to the server; AP_REP authenticates the server back
to the client by demonstrating that the server can decrypt the client
message, and encrypt a timestamp (to prevent replays).
Question 2: AS_REQ/AS_REP, as well as TGS_REQ/TGS_REP, are not expected
messages at this stage: they will typically be cached for a predetermined
period of time (often 24 hours). Have you got a capture file that supports
this observation?
Question 3: If the authentication protocol is Kerberos (and not Basic), the
client does NOT reuse the Authorization header as such; if the Authorization
header could be reused by the client, then a potential attacker would be
able to capture HTTP traffic between the client and the server, and
impersonate the user. The Authorization header contains an Authenticator
blob, which among other fields contains the current time and a sequence
number, encrypted in the session key (for the session between the client and
the server). The Authenticator blob is therefore unique every time the
Kerberos client sends a new AP_REQ message to the server. The AP_REP is
unique as well: the server replies with the client time and microseconds, as
well as potentially with a new session key to be used for the client
request.
Have a look at http://www.iamechanics.com for more details on user
identification and authentication.
--
HTH.
Regards,
Dob
Want to know more about identity and access management? Visit
http://www.iamechanics.com.
"lobezno" <lobezno@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D3FA87B-625C-4A3A-A252-709EF537C49A@xxxxxxxxxxxxxxxx
Hi,
I need help with Kerberos and Windows integrated security.
My system is:
All the servers and clients are in the same domain with the same OS:
Windows Server 2003 Enterprise R2 SP2
Domain controller, IIS, Client.
Internet Explorer 6 SP2
I open IE 6 and request a page. The resource is protected (using Windows
Integrated Authentication, with no anonymous allowed). A login screen
prompts me. I put in a valid login and pwd, and I get the page. This is the
sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
----------
Question 1: in the OK response, how does the IIS server generate the
WWW-Authenticate header? I thought that it should be the same value that the
client sends to the server in its Authorization header.
Let's follow. I press F5 and reload the page. Obviously I don't need to put
my login/pwd again and I get the same page. This is the sequence:
----------
GET /home/home.aspx HTTP/1.1\r\n
HTTP/1.1 401 Unauthorized\r\n
Kerberos AS-REQ
Kerberos AS-REP
Kerberos TGS-REQ
Kerberos TGS-REP
Question 2: Why doesn't the next request just have an Authorization header
and reuse the token? Why does it need to get a new ticket from the KDC??
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
HTTP/1.1 200 OK\r\n
[truncated] WWW-Authenticate: Negotiate oYGfMIGcoA......
Question 3: The last request/response has the same header values as the
first. It seems that the client "reuses" the ticket. But, if this is true,
why does it need the (AS-REQ, AS-REP, TGS-REQ, TGS-REP) cycle again?? Why,
when I press F5, is the client request not directly:
GET /home/home.aspx HTTP/1.1\r\n
[truncated] Authorization: Negotiate YIIEnQYGKw......
----------
Any help will be gratefully received.
Thanks a lot.
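Added example, not part of the thread above and not code from any of its posters: a small Python decoder for the outer GSS-API/SPNEGO framing of the two "Negotiate ..." values that Wireshark showed in the original post. It answers Question 1 in bytes: the client's Authorization value starts with the GSS-API InitialContextToken tag (0x60) and carries a NegTokenInit whose mechToken is a Kerberos AP-REQ, while the server's WWW-Authenticate value on the 200 OK starts with the SPNEGO NegTokenResp tag (0xA1) and carries a negState plus a Kerberos AP-REP, so the two can never be equal. Only the two visible prefixes (YIIEnQYGKw and oYGfMIGcoA) come from the post; the full CLIENT_TOKEN and SERVER_TOKEN are constructed here with a minimal DER encoder, their AP-REQ/AP-REP bodies are placeholder bytes, and the OID table holds the standard GSS mechanism OIDs.

```python
import base64

OIDS = {                                            # standard GSS mechanism OIDs
    bytes.fromhex("2b0601050502"): "SPNEGO",        # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "KRB5",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",  # 1.3.6.1.4.1.311.2.2.10
}
KRB_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "ERROR"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def read_tlv(buf, pos):
    # DER tag+length -> (tag, value_start, value_end); None if the header itself is
    # cut off. value_end may lie beyond len(buf) when the token is truncated.
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, pos, pos + first
    n = first & 0x7F
    if pos + n > len(buf):
        return None
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def children(buf, start, end):
    pos = start                                     # walk a SEQUENCE as far as bytes exist
    while pos < min(end, len(buf)) and (tlv := read_tlv(buf, pos)):
        yield tlv
        pos = tlv[2]

def decode_prefix(b64):
    b64 = b64.strip()                               # tolerate a value cut short by the display
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))

def krb_tok_id(buf, oid_pos):
    # After the Kerberos mech OID in a 0x60 token comes the 2-byte TOK_ID (RFC 4121).
    oid = read_tlv(buf, oid_pos)
    if oid is None or OIDS.get(buf[oid[1]:oid[2]]) != "KRB5":
        return None
    return KRB_TOK_IDS.get(buf[oid[2]:oid[2] + 2])

def inner_krb_tok(buf, octet_pos):
    # mechToken / responseToken: an OCTET STRING wrapping a 0x60 GSS token.
    octets = read_tlv(buf, octet_pos)
    gss = read_tlv(buf, octets[1]) if octets else None
    return krb_tok_id(buf, gss[1]) if gss and gss[0] == 0x60 else None

def classify(header_value):
    tok = decode_prefix(header_value)
    tag, start, end = read_tlv(tok, 0) or (0, 0, 0)   # tag 0 lands in the error branch
    info = {"truncated": end > len(tok)}
    if tag == 0x60:                                 # GSS-API InitialContextToken
        info["direction"] = "client -> server (Authorization)"
        oid = read_tlv(tok, start)
        oid_bytes = tok[oid[1]:oid[2]] if oid else b""
        if oid is None or oid[2] > len(tok):        # OID cut off: only name the candidates
            info["mech"] = "truncated OID, candidates: " + ", ".join(n for o, n in OIDS.items() if o.startswith(oid_bytes))
            return info
        info["mech"] = OIDS.get(oid_bytes, "unknown " + oid_bytes.hex())
        init = read_tlv(tok, oid[2])                # SPNEGO: [0] NegTokenInit follows the OID
        if info["mech"] == "SPNEGO" and init and init[0] == 0xA0:
            seq = read_tlv(tok, init[1])
            info["spnego"] = "NegTokenInit"
            for ctag, cs, _ in children(tok, seq[1], seq[2]) if seq else ():
                if ctag == 0xA2:                    # [2] mechToken
                    info["krb_tok"] = inner_krb_tok(tok, cs)
    elif tag == 0xA1:                               # [1] NegTokenResp
        info["direction"] = "server -> client (WWW-Authenticate)"
        info["spnego"] = "NegTokenResp"
        seq = read_tlv(tok, start)
        for ctag, cs, _ in children(tok, seq[1], seq[2]) if seq and seq[0] == 0x30 else ():
            if ctag == 0xA0:                        # [0] negState ENUMERATED
                st = read_tlv(tok, cs)
                if st and st[2] <= len(tok):
                    info["neg_state"] = NEG_STATES.get(tok[st[1]], "unknown")
            elif ctag == 0xA2:                      # [2] responseToken
                info["krb_tok"] = inner_krb_tok(tok, cs)
    else:
        info["error"] = f"not a GSS/SPNEGO token (tag 0x{tag:02x})"
    return info

def der(tag, payload):
    # Minimal DER encoder, used only to build the constructed sample tokens below.
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

KRB5_OID_TLV = der(0x06, bytes.fromhex("2a864886f712010202"))
SPNEGO_OID_TLV = der(0x06, bytes.fromhex("2b0601050502"))
AP_REQ_GSS = der(0x60, KRB5_OID_TLV + b"\x01\x00" + b"<constructed AP-REQ body>")
AP_REP_GSS = der(0x60, KRB5_OID_TLV + b"\x02\x00" + b"<constructed AP-REP body>")
# constructed client value: GSS header, SPNEGO OID, NegTokenInit{mechTypes, mechToken}
CLIENT_TOKEN = base64.b64encode(der(0x60, SPNEGO_OID_TLV + der(0xA0, der(0x30,
    der(0xA0, der(0x30, KRB5_OID_TLV)) + der(0xA2, der(0x04, AP_REQ_GSS)))))).decode()
# constructed server value: NegTokenResp{negState, supportedMech, responseToken}
SERVER_TOKEN = base64.b64encode(der(0xA1, der(0x30, der(0xA0, der(0x0A, b"\x00"))
    + der(0xA1, KRB5_OID_TLV) + der(0xA2, der(0x04, AP_REP_GSS))))).decode()
POST_CLIENT_PREFIX = "YIIEnQYGKw"                   # visible prefix from the post's request
POST_SERVER_PREFIX = "oYGfMIGcoA"                   # visible prefix from the post's 200 OK
```

Running classify() on the post's own prefixes shows the limit of a truncated capture display: YIIEnQYGKw decodes to 60 82 04 9d 06 06 2b, a 1181-byte InitialContextToken whose mechanism OID is cut off after its first byte, so the decoder can only report that the OID is a prefix of SPNEGO or NTLMSSP; oYGfMIGcoA decodes to a1 81 9f 30 81 9c a0, a 159-byte NegTokenResp whose negState is cut off. On the constructed full tokens it reaches the Kerberos TOK_ID (01 00 for AP-REQ, 02 00 for AP-REP) and the server's accept-completed state, which is what sits behind the 200 OK in the post.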
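Added example, not part of the thread and not code from any of its posters, for the point Dob makes under Question 3: a captured "Authorization: Negotiate ..." value cannot be replayed because the AP-REQ's Authenticator carries the client time and must be fresh. The model below implements the acceptor-side checks RFC 4120 (section 3.2.3) requires, the clock-skew limit (5 minutes by default) and a replay cache keyed on (client, ctime, cusec). Kerberos encrypts the Authenticator under the session key; this model substitutes an HMAC over a JSON body for that encryption (an assumption made here, not Kerberos's real encoding), and the principal name, key and timestamps are constructed values.

```python
import hashlib
import hmac
import json

CLOCK_SKEW = 300                        # seconds; the Kerberos default maximum skew
SESSION_KEY = b"constructed-session-key-for-demo"   # constructed, stands in for the
                                                    # ticket's session key

def make_authenticator(cname, ctime, cusec, key=SESSION_KEY):
    # Client side: seal (cname, ctime, cusec) as the AP-REQ Authenticator.
    # HMAC here stands in for Kerberos's encryption under the session key.
    body = json.dumps({"cname": cname, "ctime": ctime, "cusec": cusec}).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

class ApReqVerifier:
    # Server side: clock-skew check plus the replay cache of seen authenticators.
    def __init__(self, key=SESSION_KEY):
        self.key = key
        self.seen = {}                  # (cname, ctime, cusec) -> expiry time

    def verify(self, blob, now):
        body, _, tag = blob.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad integrity (not sealed under the session key)"
        auth = json.loads(body)
        if abs(now - auth["ctime"]) > CLOCK_SKEW:
            return "reject: KRB_AP_ERR_SKEW (authenticator outside clock skew)"
        # entries older than the skew window can no longer pass the check above,
        # so the cache only has to remember the last CLOCK_SKEW seconds
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        ident = (auth["cname"], auth["ctime"], auth["cusec"])
        if ident in self.seen:
            return "reject: KRB_AP_ERR_REPEAT (replayed authenticator)"
        self.seen[ident] = auth["ctime"] + CLOCK_SKEW
        return "accept"

def demo():
    # Replay the first request's header the way a passive sniffer would.
    server = ApReqVerifier()
    t0 = 1231328701                     # constructed epoch time
    client = "lobezno@EXAMPLE.LOCAL"    # constructed principal name
    first = make_authenticator(client, t0, 12345)
    return {
        "first_get": server.verify(first, now=t0 + 1),
        "f5_replay_of_captured_header": server.verify(first, now=t0 + 2),
        "f5_fresh_authenticator": server.verify(
            make_authenticator(client, t0 + 2, 67890), now=t0 + 2),
        "replay_after_skew_window": server.verify(first, now=t0 + 600),
    }
```

demo() returns "accept" for the first request and for a freshly built Authenticator on the F5 reload, KRB_AP_ERR_REPEAT for the captured header replayed within the skew window, and KRB_AP_ERR_SKEW for the same header replayed ten minutes later. This is why the browser must build a new AP-REQ for every request even though the service ticket inside it is the same; the ticket is reusable, the Authenticator is not.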